China: cyber espionage or cyber warfare?

The US believes Chinese cyberoperations are shifting from information gathering to critical systems disruption. Neil Thompson reports.

Caption: Cyberspace is increasingly contested, with China apparently embarking on extensive campaigns to infiltrate US military networks. Credit: Shutterstock/metamorworks

The US and China are engaged in an escalating struggle over global influence, and cyberoperations have emerged as a key front in that competition. In one example, Microsoft flagged in the summer of 2023 two separate threats originating from China-based groups, dubbed Volt Typhoon and Storm-0558, which had targeted the US among others.

Storm-0558 appeared to have compromised key software components underpinning Microsoft's cloud services, including Azure, and gained access to around 25 organisations, including US Government agencies and western European governments. The intrusion began in May and lasted for around a month before being detected.

During this time Storm-0558 focused on data theft, credential access and espionage and is thought to have compromised the email systems of the US State and Commerce departments, as well as the US ambassador to China’s official email account.


In conducting this attack, Storm-0558 appeared to be searching for clues about US intentions towards China on matters such as the tensions over Taiwan or the two countries' trade and technology disputes, ahead of a series of trips to China by US officials this year. The breach prompted US Secretary of State Antony Blinken in July to warn China's senior diplomat, Foreign Minister Wang Yi, that Washington would "take appropriate action to hold those responsible accountable".

However, last month at the Aspen Security Forum the National Security Agency's head of cybersecurity, Rob Joyce, described the operation as traditional espionage. Volt Typhoon, meanwhile, has been active since at least mid-2021, and Microsoft classified it in May as typically focused on espionage and information gathering, like Storm-0558. However, the group's latest campaign alarmed security researchers and US intelligence officials when it was uncovered earlier this summer, revealing an apparent shift in Chinese strategy from surveillance to preparation for critical systems disruption.

China’s eye on US ties with Taiwan 

Microsoft's initial report in late May found Volt Typhoon targeting telecommunications systems in Guam and elsewhere in the US with the aim of implanting capabilities that could disrupt communications. The apparent aim was to position China to sever communications between Asia and the US, slowing any US response to a future Chinese invasion of the self-ruled island of Taiwan.

At the same time, US and international cybersecurity authorities released a joint Cybersecurity Advisory warning that Volt Typhoon's campaign could target critical systems across the US and beyond. The group relies on a technique known as 'living off the land': rather than deploying custom malware, it uses the operating system's own administrative and networking tools, often with legitimate credentials, so that its activity blends in with that of authorised users and leaves little for malware-based defences to detect.
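Because a 'living off the land' intruder runs the same binaries an administrator does, detection has to look at how legitimate tools are invoked rather than at what files they drop. The Python below is an added illustration, not code from the article, from Microsoft or from the advisory: it scans constructed process-creation log lines (the pipe-separated `user|parent|command line` format is an assumption) against a small watchlist of Windows built-ins and argument patterns that ordinary users rarely type, and counts how often each account trips a rule, since several hits from one account in a short window is the hands-on-keyboard shape such intrusions take. The watchlist is assumed and illustrative, not a list taken from the page.

```python
"""Toy detector for 'living off the land' activity in process-creation logs.

Added example: not code from the article, Microsoft or the joint advisory.
The log format and the watchlist of abused Windows built-ins are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (format is an assumption): user|parent|command line
SAMPLE_LOG = """\
jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt
svc_backup|cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443
jdoe|outlook.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE /n report.docx
admin01|cmd.exe|ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\dump" q q
admin01|cmd.exe|wmic /node:FILESRV01 process call create "cmd /c whoami"
jdoe|cmd.exe|powershell -nop -w hidden -enc SQBFAFgA
helpdesk|cmd.exe|ipconfig /all
"""

# Watchlist: legitimate built-ins paired with argument patterns that ordinary
# users rarely produce but hands-on-keyboard intruders favour. Assumed list.
WATCHLIST = [
    # port forwarding through the host to pivot deeper into the network
    ("netsh portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b", re.I)),
    # dumping the Active Directory database via the 'install from media' path
    ("ntdsutil ifm dump", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    # remote process creation on another host via WMI
    ("wmic remote exec", re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)),
    # hidden, base64-encoded PowerShell command line
    ("encoded powershell", re.compile(r"\bpowershell\b.*\s-(e|enc|encodedcommand)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    command: str


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (log line, watchlist rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, _parent, cmd = line.split("|", 2)
        for name, pattern in WATCHLIST:
            if pattern.search(cmd):
                findings.append(Finding(user, name, cmd))
    return findings


def users_by_hit_count(findings: list[Finding]) -> dict[str, int]:
    """Aggregate hits per account; repeat offenders deserve a closer look first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.rule}] {h.user}: {h.command}")
    print("hits per account:", users_by_hit_count(hits))
```

In a real deployment the same logic would run over Sysmon event ID 1 or Windows 4688 records with the command line field enabled, and the watchlist would be tuned against a baseline of what the organisation's own administrators actually run, because every rule above fires on a tool that has a legitimate use.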

Microsoft and other cybersecurity actors quickly realised that the Chinese state-backed hackers had gained footholds in critical systems beyond the military-related telecommunications in Guam. The Volt Typhoon operation highlights both the increasing sophistication of Chinese hackers and the apparent shift by Beijing towards a more aggressive cyberwarfare strategy.

Zhou Fengsuo, executive director of the New York-based nongovernmental organisation Human Rights in China (HRIC), was unsurprised by this summer's reports of escalating and increasingly sophisticated Chinese cyberoperations against US and allied governments. He claims overseas Chinese dissidents were among the first targets of Chinese cyberespionage and digital intimidation campaigns, and that their warnings about the malign online activities of the Chinese Communist Party (CCP) were largely ignored for many years.

He said: “Communist China has engaged in cyberwarfare against democratic countries for many decades, since the beginning of the internet age. Unfortunately, the US has been intentionally blind to this, maybe because of their business interests. The CCP have the ability to hack [many] US websites, sometimes through the backdoor, sometimes using people on the ground, and sometimes attacking it with malicious code. So far there hasn’t been any coherent strategy [to deal with this].” 


A two-month review following the discovery of Volt Typhoon's activity in May found that the group had implanted malicious code in critical systems in the US and elsewhere, and that the operation had been under way for at least a year before it was uncovered.

One potential aim suggested by intelligence officials was to cut off water, power and telecommunications at US military bases in the event of a Chinese attack on Taiwan, granting Beijing days or even weeks of extra time to subdue the island. However, the full effect of the implants, were they to be activated, is not actually known.

In a future crisis, cyberattacks could target multiple sectors of US critical infrastructure in addition to telecommunications, such as water systems, pipelines, or rail and aviation. Moreover, because civilian areas share some of the same systems as US bases, the impact would not be confined to the bases themselves.

A satellite image of Taiwan’s capital Taipei. China could seek to disrupt US bases in the Asia-Pacific region should Beijing seek to militarily seize what it considers part of its territory. Credit: NASA

That spill-over may be deliberate: if China activated such implants ahead of an attack on Taiwan, it might calculate that the US public would focus more on crippled infrastructure at home than on a crisis overseas. China monitors global cyberspace heavily, allowing it to build up a detailed picture of both US infrastructure and US public sentiment.

Zhou said: “The Ministry of State Security can monitor a lot of what is going on [online]… With drones and the Internet of Things there is now the capability to monitor what is happening all over the world, and what is clear is that anything made by a Chinese company is vulnerable to the CCP control and to information gathering from China. They are selling this type of equipment [smart devices] all over the world. As a result, they have access to the data [collected].  

“For example, [with the apps] WeChat and TikTok and all this software [made in China], you can imagine the data collected is quite a lot. There’s no way you can avoid revealing all this information to the Chinese Government if they want [it]. The companies are [legally] bound to do so. And people using these apps are becoming unwitting agents of information gathering [for China], even if you are just taking pictures as a tourist for example.” 

Beijing denies, but what is the cyber threat?

Beijing has responded angrily to the claims by Microsoft, US intelligence officials and other international cybersecurity actors about the alleged activities of Volt Typhoon and Storm-0558. Regarding Storm-0558's alleged breach of senior US officials' email, Chinese Foreign Ministry spokesperson Wang Wenbin said on 12 July that China had noted reports from the White House National Security Council attributing to China the breach of Microsoft's services that compromised State and Commerce department emails.

However, Chinese officials frequently cite instances of US cyberattacks or hacking while ignoring questions about their own country’s activities or denying them outright, and Wang followed this line when responding to questions about Beijing’s recent cyberoperations.

He told the assembled journalists: “I would like to say that in the past, it was usually the world’s number one hacking group—the US National Security Agency, which also serves as the US Cyber Force Command, that released such kind of disinformation. This time, it was the US National Security Council that made a public statement. Whatever agency spoke, it does not change the fact that the US is the world’s biggest hacking empire and global cyber thief.

“Since last year, cyber security institutions from China and elsewhere in the world have issued reports to reveal US Government’s cyber-attacks against China over the years, but the US has yet to make a response. It is high time that the US explained its cyber-attack activities and stopped spreading disinformation to deflect public attention.”

In turn, Zhou believes the cyberthreat from China is higher than most ordinary people currently realise. “The CCP can bring disaster to anyone in the world with the click of a finger, that’s really what’s happening now. This has never happened before in the past, that there has been so much power connected to one regime which has no regard for human dignity or human lives.”