Christopher Burgess
Contributing Writer

Why global warnings about China’s cyber-espionage matter to CISOs

Opinion
Apr 10, 2024 | 8 mins

China is targeting dissidents and others abroad to help in campaigns to steal government and corporate data. There is no organization, large or small, that is immune from the threat.

Scarcely a week goes by in which one security service or another reveals they have discovered that the People’s Republic of China has been engaged in some sort of skullduggery, be it cyber or human operations targeting individuals, intellectual property, or infrastructure.

Chief information security officers (CISOs) do not have the luxury of opting out and declaring that this is of no importance to them or that attacks by these advanced persistent threats (APTs) are above their pay grade.

The reality of nation-state espionage activities is that we don’t choose if we, our infrastructure, trade secrets, intellectual property, or personnel are the targets of a hostile nation intent on achieving its goals. The nation-state — in this case China — makes that determination, and we have the option of choosing to be either willfully ignorant or prepared.

Granted, I’ve been digesting and analyzing nation-state shenanigans for more than 50 years, and many have said that I am like a man with a hammer to whom everything looks like a nail. There may be some truth to that and yet, in keeping with the metaphor, recent actions of the security services of the United States, the United Kingdom, and many others continue to demonstrate that there are many nails requiring attention.

It is important to remember, and not be blinded by assumptions: China’s modus operandi takes various forms and does not always involve Chinese nationals. That being said, members of the Chinese diaspora who have immediate family in China have found themselves subjected to extreme personal pressure by Chinese authorities to cooperate or else see their parents’ medical care turned off, their housing adjusted, or their family members arrested on a charge that would only hold water in China.

Let’s break down the latest activities and provide the “why” as to what China’s goals are and how they may affect the CISO’s area of responsibility.

Chinese cyber-activity has targeted many governments

In late March 2024, the U.S. Department of Justice (DoJ) unsealed an indictment that should serve as a shining example of what we may call China’s long game when it comes to compromising the infrastructure of individuals, companies and organizations, or governments.

The United States has charged seven Chinese individuals, all associated with the Ministry of State Security who, via their Hubei State Security Service department located in Wuhan, are behind what is known to the cybersecurity community as advanced persistent threat 31 (APT31).

The indicted individuals, all associated with APT31, began their efforts in 2010, with the creation of a commercial cover for action, the Wuhan Xiaoruizhi Science and Technology Company, ostensibly to conduct research, experimental development, technology development, consultation, and technology transfer.

And that they did. They engaged in major-league phishing campaigns, and despite near global awareness of how phishing is used, they were successful. Analysts found that merely opening an email was sufficient to provide telemetry to the APT31 team to be used for the next stage of their effort to compromise machines and accounts.

They targeted members of Parliament in the UK, a plethora of individuals throughout Europe, US government officials — including those in the White House; departments of Justice, Treasury, Commerce, State; and elected officials (senators and representatives, regardless of party). In other words, they had an all-inclusive global targeting matrix.

Governments are not the only targets of Chinese cyber espionage

That bad actors target governments should come as no surprise, but nation-state-backed groups also target private enterprises, many of which have CISOs whose remit is to prevent information from exiting the entity without appropriate approvals.

Chinese APTs have penetrated the networks of companies providing goods and services to the defense sector, a leading provider of 5G network equipment, and entities involved in wireless technology. Those compromises not only permit the pilfering of intellectual property; China is also able to leverage the knowledge or capability it acquires to continue both internal and external efforts to silence those who dissent from the current government. We have learned of the external effort largely through the various arrests and prosecutions of individuals, both Chinese nationals and those whom they have suborned to do their bidding.

This effort has a moniker — Operation Fox Hunt. President Xi Jinping ordered its creation in 2014. China has had varying degrees of success with its intimidation and coercion methods. FBI Director Christopher Wray described the operation as “a sweeping bid by Xi to target Chinese nationals who he sees are threats and who live outside of China, across the world. We’re talking about political rivals, dissidents, and critics seeking to expose China’s extensive human rights violations.”

China denies its involvement in cyber espionage

Internally, according to Radio Free Asia, China has arrested 726,000 people for crimes linked to “hostile foreign powers,” a euphemism for dissenting opinion. Furthermore, more than 2.4 million people were “arrested or prosecuted” last year for offenses related to “national security.”

Governments around the world are demonstrating their umbrage with the Chinese actions by imposing sanctions on individuals and companies and filing diplomatic missives in which they use stern words to highlight Chinese activities.

China for its part denies everything and can occasionally be found to make counter-accusations. Indeed, following the recent sanctioning and protest of a Chinese attempt to purloin the data of approximately 40 million United Kingdom voters, China responded with protests that such allegations were nothing more than “malicious slander.”

Why should CISOs care about expat Chinese nationals?

Those whom China has determined are of interest live where we live, work in the cubicle down the hall, and are a part of our societies. Individuals targeted by China may be active in dissent, or they may have family members who are active dissenters. No one raises their hand and asks to be targeted, yet many are bribed, recruited, or coerced into stealing important data or secrets useful to Chinese intelligence services.

And while there is ample evidence that China is targeting those of Chinese ethnicity, one would be foolish to assume that ethnicity is the only targeting parameter. The parameter that matters is “access”: does the individual have access to that which is desired (information, technology, or another individual)?

It would be equally foolish to take a xenophobic perspective, that anyone of a given ethnicity, such as Chinese, is a significant risk. To reiterate, those who are being targeted by China are being targeted for their access to information of interest to China be it intellectual property, insider capabilities, or proximity to those whom the government may wish to silence.

What is true is that it is appropriate to have conversations with all employees about the threat posed by Chinese intelligence services. To help protect sensitive corporate information, it is vital to be aware of how infiltrators — willing or coerced — spot, assess, engage, recruit, and handle clandestine sources, and how those services use surrogates to make the initial outreach to a potential source.

Public-private partnerships can help protect against nation-state attacks

While government noise and sanctions make great press, what is really needed are more public-private partnerships that can provide actionable information to non-governmental CISOs that they can use to protect their infrastructure, intellectual property, and personnel.

The Cybersecurity and Infrastructure Security Agency (CISA) is well on its way to doing just that with its advisories and warnings, complete with “what you need to do” sections. The unfortunate side is that large enterprises are generally the ones with the wherewithal to take the recommended actions, while the tools and infrastructure of small and medium-sized businesses may not be sufficient.

Nevertheless, knowledge is power and CISOs will be well served to pick up what CISA is laying down when it comes to threat warnings. Similarly, the power to educate your workforce, the human target, is within arm’s reach of every CISO.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
