China’s spies for rent: hackers who mix espionage and entrepreneurship


China’s bustling high-tech companies don’t typically recruit Cambodian speakers, so job advertisements for three high-paying jobs with those language skills caught the eye. The ad, which seeks research authors, was placed by an internet security start-up in China’s tropical island province of Hainan.

This start-up was more than it seemed, according to American law enforcement agencies. Hainan Xiandun Technology was part of a network of bogus companies controlled by China’s secret state security ministry, according to a federal indictment in May. They hacked computers from the United States to Cambodia to Saudi Arabia and searched for sensitive government information as well as less obvious espionage witnesses, such as details of a company’s fire fighting system in New Jersey, prosecutors said.

The allegations seem to reflect an increasingly aggressive campaign by Chinese government hackers and a marked change in their tactics: China’s leading intelligence agency is increasingly reaching beyond its own ranks to recruit from a vast pool of private-sector talent.

This new group of hackers has made China’s state cyber espionage machine stronger, more sophisticated, and – to the growing number of government and private sector targets – more dangerously unpredictable. Sponsored but not necessarily managed by Beijing, these new breed of hackers attack government targets and private corporations alike, mixing traditional espionage with open fraud and other for-profit crimes.

ALSO READ: China Will Achieve Economic Goals With Virus Restrictions: President Xi Jinping

China’s new approach ties in with the tactics of Russia and Iran that have plagued public and commercial targets for years. According to a US Justice Department indictment last year, Chinese hackers with national security ties demanded ransom in exchange for failing to reveal a company’s computer source code. Another group of hackers in southwest China mixed cyber attacks on democracy activists in Hong Kong with fraud on gaming websites, according to another indictment. One member of the group bragged about having official protection provided they avoid targets in China.

“The advantage is that they can cover more goals and stimulate competition. The downside is the level of control, ”said Robert Potter, head of Internet 2.0, an Australian cybersecurity firm. “I’ve seen them do some really stupid things like try to steal $ 70,000 during an espionage operation.”

A shopper sits in front of floor markings in an upscale retail area in Beijing. China’s hackers attack computers from the United States to Cambodia to Saudi Arabia. (Bloomberg file photo.)

Investigators believe these groups have been responsible for some major data breaches lately, including hacks targeting the personal information of 500 million guests at the Marriott hotel chain, information on approximately 20 million U.S. government employees, and this year one Microsoft email system used by many of the world’s largest corporations and governments.

The Microsoft violation is unlike China’s previously disciplined strategy, said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, a nonprofit geopolitical think tank.

“They tracked organizations they had no interest in and used those organizations with ransomware and other attacks,” Alperovitch said.

China’s tactics changed after the country’s top leader Xi Jinping transferred more responsibility for cyberhacking from the People’s Liberation Army to the Ministry of State Security after a series of sloppy attacks and a military reorganization. The ministry, a hybrid of the Communist Party spy agency and inquisitor, has used more sophisticated hacking tools, such as vulnerabilities known as zero days, to target businesses, activists and governments.

While the Beijing ministry projects an image of ruthless loyalty to the Communist Party, its hacking operations can seem like local franchises. Groups often act on their own agenda and sometimes include outside employment in commercial cybercrime, experts said.

The message: “We’ll pay you to work 9-5 for China’s national security,” Alperovitch said. “What you do with the rest of your time and with the tools and access that you have is really your business.”

A grand jury indictment published last year accused two former classmates of an electrical engineering college in Chengdu, southwest China, of raiding foreign computer servers and stealing dissident information and technical diagrams from an Australian defense company. In addition, according to the indictment, the two attempted blackmail: They demand payment in return for not disclosing the source code of an unknown company on the Internet.

Under this system, Chinese hackers have become increasingly aggressive. According to Recorded Future, a Somerville, Massachusetts company that studies the use of the Internet by state actors, the rate of global attacks involving the Chinese government has nearly tripled since last year compared to the four previous years. That number now averages more than 1,000 per three month period, it said.

“Given the amount going on, how many times has the FBI got it? Few, ”said Nicholas Eftimiades, a retired American senior intelligence officer who writes about China’s espionage operations. “There is no way to build up staff to deal with this kind of onslaught.”

Although their numbers make them hard to stop, the hackers don’t always try to cover their tracks. Sometimes they post clues on the Internet, including wedding photos of agents in state security uniforms, treasonous job advertisements, and boasting of their accomplishments.

ALSO READ: China’s two-week port closure has mixed effects on India’s trade

Hainan Xiandun was founded to recruit young talent and create a semblance of denial, prosectors said. It posted job advertisements on the message boards of Chinese universities and sponsored a cybersecurity competition.

Operations on Hainan – an island jutting out into the South China Sea – sometimes reflected local priorities, such as stealing marine research from a university in California and hacking governments in nearby Southeast Asian countries, the May indictment said. The job advertisement for Cambodian speakers was published three months before the elections in Cambodia.

While some targets had clear espionage objectives, others appeared less focused. The hackers tried to steal Ebola vaccine data from one institution, prosecutors said and secrets about self-driving cars from another.

In January 2020, a mysterious blog tracked down with a track record of exposing Chinese State Security hackers. The Intrusion Truth blog was well known in Washington cybersecurity circles for naming Chinese intelligence officials long before they appeared in US charges.

Intrusion Truth operators searched job boards for Hainan companies looking for “penetration test engineers” who secure networks by examining how they can be hacked.

A post from Hainan Xiandun stood out. The ad, which appeared on a Sichuan University computer science staff committee in 2018, boasted that Xiandun had “received a significant number of government secrecy-related deals.”

Based in Hainan’s capital, Haikou, the company paid monthly salaries of $ 1,200 to $ 3,000 – solid middle-class wages for Chinese technicians fresh out of college – with bonuses of up to $ 15,000. Xiandun’s ads included an email address used by other companies searching for cybersecurity experts and linguists, suggesting they were part of a network.

Chinese hacker groups “are increasingly sharing malware, exploits and coordinating their efforts,” write the operators of “Intrusion Truth” in an email. The operators have not disclosed their identity as they cite the sensitivity of their work.

Xiandun’s registered address was Hainan University Library. His phone number matched that of a computer science professor and veteran of the People’s Liberation Army who ran a website that offered payments to students with novel ideas for cracking passwords. The professor was not charged.

Other records and phone numbers led the blog authors to an email address and frequent flyer account belonging to Ding Xiaoyang, one of the company’s managers.

The indictment alleged that Mr. Ding was a state security officer who ran the Hainan Xiandun hackers. It contained details the blog couldn’t find, such as an award Mr. Ding received from the Ministry of State Security for young leaders in the organization.

Mr. Ding and others named in the indictment could not be reached.

Although currently understandable, China’s state security apparatus could learn to hide its footprints better, said Matthew Brazil, a former China specialist with the Department of Commerce’s Office of Export Enforcement who co-wrote a study on Chinese espionage.

“The capabilities of the Chinese services are uneven,” he said. “Your game is getting better and in five or ten years it will be a different story.”

(Nicole Perlroth contributed to the reporting.)