China’s stubborn campaign to present itself as a victim of US hacking

For more than two years, the Chinese government has attempted to portray the United States as indulging in the same type of cyber espionage and intrusion activities that the latter has accused China of carrying out in recent years.

A recent examination of Beijing’s claims by SentinelOne researchers found that most of them are unfounded, often based on previously leaked US intelligence information and lacking any technical evidence. However, that hasn’t stopped the Chinese government from carrying out its disinformation campaign in an attempt to divert attention from its own hacking activities, SentinelOne said.

“China hopes to change global public opinion on Chinese hacking,” says Dakota Cary, strategic advisory consultant at SentinelOne. “China aims to portray itself as a victim of US hacking operations and demonstrate how the US is the perpetrator of the hacking operations.”

To date, the campaign has had limited success, as China’s claims have made their way into Western media like Reuters, he says. Meanwhile, the SentinelOne report comes amid growing alarm in the United States about insidious and persistent intrusion campaigns against US critical infrastructure by Chinese threat groups such as Volt Typhoon.

Reporting of hacking operations in China

The immediate impetus for China’s efforts to promote the US hacking narrative appears to be a somewhat extraordinary joint statement by the governments of the United States, United Kingdom, and European Union in July 2021, accusing the Chinese government of engaging in harmful “irresponsible and destabilizing behavior in cyberspace.” The statement, among other things, accused the Chinese government of hiring “criminal contract hackers to conduct unauthorized cyber operations globally, including for their own personal profit.”

The White House statement referenced charging documents unsealed in 2018 and 2020 that accused hackers working with China’s Ministry of State Security (MSS) of participating in ransomware attacks, crypto-jacking, cyber extortion and “rank theft”. It also announced criminal charges against four MSS individuals for engaging in cyber campaigns to steal intellectual property and trade secrets from aviation, defense, maritime and other industry organizations in the United States and other countries.

The US charges came shortly after an incident in which attackers – later identified as MSS employees – exploited four zero-day bugs in Microsoft Exchange to compromise tens of thousands of computers around the world. What proved particularly troublesome was the Chinese hacking team’s apparent decision to automate the attack and share details of the vulnerability with others when it became apparent that Microsoft was ready to release a patch for the flaws, SentinelOne said.

“The joint statement so annoyed the PRC government that it launched a media campaign to spread the narrative about US hacking operations in global media,” the security vendor said.

China launches coordinated disinformation campaign

China’s attempts to retaliate against the United States include having some cybersecurity firms in the country coordinate the release of reports on U.S. hacking activity, then using government agencies and state media to amplify their impact.

Since early 2022, state media in China have begun publishing English-language versions of cyber threat intelligence reports from Chinese security companies. The English-language Global Times, a publication that generally reflects the official views of the Chinese Communist Party, mentioned NSA-linked hacking tools and operations 24 times in 2022, compared to just twice the previous year, SentinelOne found.

In 2023, the publication released a series of articles about US intelligence agencies hacking seismic sensors at the Wuhan Earthquake Monitoring Center. The articles were apparently based on a report by Chinese cybersecurity firm Qihoo360 and another Chinese government body. And last April, the China Cybersecurity Industry Alliance released a report that chronicled more than a decade of research into U.S. cyberattacks such as the Stuxnet campaign on Iran’s Natanz nuclear facility.

US attacks on China: lack of evidence

According to SentinelOne, most Chinese reports are not supported by any technical evidence of the kind that cybersecurity firms in the United States and some other countries provide when disclosing nation-state campaigns. The Global Times article on attacks on the Wuhan earthquake monitoring facility, for example, cites a Qihoo360 report that is not publicly available anywhere. Even so, the report has garnered some attention in the United States, with various media outlets following the story, SentinelOne said.

Reports that present some form of attribution or evidence are often based on leaked US intelligence documents such as Edward Snowden’s leaks, the Vault 7 leaks, and the Shadow Brokers leaks, Cary says. In fact, of the approximately 150 citations in the Chinese Cybersecurity Alliance report, less than a third come from Chinese vendors.

“We don’t know whether Chinese cybersecurity companies have the data to support US hacking claims,” Cary says. It is likely that such data exists somewhere in the PRC, but it is unclear whether it would prove their claims, he notes, adding: “What we can say is that the Chinese legal regime and political system have decided against the publication of such data.”


