Cyberwarfare and China

Cyberwarfare is the strategic use of computer technology to disrupt the functions of a state or organization, specifically through the deliberate targeting of information systems for military or tactical purposes. In the context of the People's Republic of China, the term refers to the aggregate of cyberattacks attributed to state organs and to the various advanced persistent threat (APT) groups associated with them.

Background

Cyberwarfare is the use of cyber attacks against an enemy state, causing comparable harm to actual warfare and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage, propaganda, manipulation or economic warfare.

There is significant debate among experts regarding the definition of cyberwarfare, and even if such a thing exists. One view is that the term is a misnomer since no cyber attacks to date could be described as a war. An alternative view is that it is a suitable label for cyber attacks which cause physical damage to people and objects in the real world.

Many countries, including the United States, United Kingdom, Russia, China, Israel, Iran, and North Korea, have active cyber capabilities for offensive and defensive operations. As states explore the use of cyber operations and combine capabilities, the likelihood of physical confrontation and violence playing out as a result of, or part of, a cyber operation is increased. However, meeting the scale and protracted nature of war is unlikely, thus ambiguity remains.

Academic Fiona Cunningham writes that while China has targeted U.S. critical infrastructure with Volt Typhoon, as of mid-2024 there have been no public reports of a Chinese cyberattack with a scope similar to the United States-Israel Stuxnet cyberattack on Iran or the Russian cyberattacks on Ukraine's power grid.

Development history

In 1992, the People's Liberation Army stated that the United States was developing computer virus weapons. According to the PLA journal Foreign Military Arts, US computer virus weapons would have the potential to attack civilian targets and military targets. The PLA observed that cyberattacks could have strategic impacts.

During the 1999 NATO bombing of Yugoslavia, the United States bombed the Chinese embassy in Belgrade. The US stated that the bombing was accidental. Chinese leadership believed that the US had intentionally bombed the embassy and viewed China as significantly lacking in leverage against the United States. Among other efforts to reduce its gap in leverage, China sought to begin developing cyberwarfare capabilities. In 2000, Jiang Zemin approved the development of cyber coercive capabilities.

In a December 2000 speech to the Central Military Commission (CMC), Jiang stated, "[I]nformation warfare is in the ascendant on the stage of warfare, with electronic network warfare and computer network warfare as the principal means."

At the December 2002 CMC meeting, Jiang instructed the PLA to invest heavily in information warfare development and the PLA therefore established the All-Military Informatization Leading Small Group to coordinate this development.

When he became Chairman of the CMC in 2004, Hu Jintao instructed the PLA to engage in a "new historic mission" to defend China's interests in the electromagnetic (and space) domains.

Chinese leadership perceived that China was at an increasing risk of cyber threats from abroad. This perception was shaped from 2000 to 2010 by the early 2000s color revolutions, the Russian cyberattacks during the 2008 Russo-Georgian war, and the US-Israel Stuxnet cyberattack on Iran. The 2010s surveillance disclosures by Edward Snowden about the extent of US global surveillance programs also highlighted to Chinese leadership the risks the country faced through its reliance on foreign hardware, software, and internet infrastructure.

The PLA's first cyber blue team was established in the Guangzhou Military Region in May 2011 to test the cyber defenses of regular PLA units.

At the 18th National Congress of the Chinese Communist Party, Hu Jintao stated China should "implement the military strategy of active defense for the new period, and enhance military strategic guidance as the times so require. We should attach great importance to maritime, space, and cybersecurity."

As part of its response to United States intelligence activities in China revealed by the Snowden disclosures, the CCP in 2014 formed the Cybersecurity and Information Leading Group, and the National People's Congress passed the 2017 Cyber Security Law.

During the New Gutian Conference, Xi Jinping stated that cyber conflict was one of the main areas of military competition for the PLA and described the PLA as needing to overcome its "ostrich" attitude and rigid ways of thinking in this area. According to Xi's remarks, "Currently some work is not at all suitable for the requirements of the cyber era, and it is already increasingly clear that ideas and concepts and work methods are lacking in this age".

In a 2016 cybersecurity speech, Xi stated that government, the PLA, and private enterprise should acquire cyber technology at the level of its rivals and that China needed to develop a "situational awareness posture at all times and in all locations". Xi stated that "if others use air strikes and we are still using swords and spears, that is unacceptable; offensive and defensive capabilities must be symmetrical." In 2019, he stated that China "continues to advance in the direction of balancing offensive and defensive cyber power" and that the country's "cyber-security deterrence capability to strike back continues to grow."

In 2020, a Chinese cybersecurity firm, Qihoo 360, publicly attributed a cyber espionage campaign to the Central Intelligence Agency. In a December 2024 meeting, a Chinese Ministry of Foreign Affairs official stated that Chinese cyberattacks against U.S. infrastructure are a response to American policies toward Taiwan.

Organization

While some details remain unconfirmed, it is understood that China organizes its resources as follows:

  • "Specialized military network warfare forces" (Chinese: 军队专业网络战力量) - military units specialized in network attack and defense.
  • "PLA-authorized forces" (授权力量) - network warfare specialists in the Ministry of State Security (MSS) and the Ministry of Public Security (MPS).
  • "Non-governmental forces" (民间力量) - civilian and semi-civilian groups that spontaneously engage in network attack and defense.

In response to claims that Chinese universities, businesses, and politicians have been subject to cyber espionage by the United States National Security Agency since 2009, the PLA announced a cyber security squad in May 2011 to defend their own networks.

Since Xi became General Secretary of the Chinese Communist Party in 2012, the Ministry of State Security (MSS) gained more responsibility over cyberespionage compared with the PLA, and currently oversees various advanced persistent threats. According to security researcher Timo Steffens, advanced persistent threat (APT) groups in China leverage skills from private as well as public institutions and individuals, including smaller companies and hackers that take on government contracts.

On 31 December 2015, the PLA established the Strategic Support Force (PLASSF). The PLASSF combined PLA cyber units from various PLA bodies into the Network Systems Department which included cyber intelligence, defense, and attack capabilities. In April 2024, the PLASSF was dissolved and its cyberwarfare capabilities and personnel were transferred to the newly created People's Liberation Army Cyberspace Force.

In 2017, Foreign Policy estimated China's "hacker army" personnel at between 50,000 and 100,000 individuals.

  • PLA Unit 61398 (also known as APT1)
  • PLA Unit 61486 (also known as APT2)
  • Buckeye (also known as APT3)
  • Red Apollo (also known as APT10)
  • Numbered Panda (also known as APT12)
  • DeputyDog (also known as APT17)
  • Dynamite Panda or Scandium (also known as APT18, a unit of the People's Liberation Army Navy)
  • Codoso Team (also known as APT19)
  • Wocao (also known as APT20)
  • APT22 (also known as Suckfly)
  • APT26 (also known as Turbine Panda)
  • APT27
  • PLA Unit 78020 (also known as APT30 and Naikon)
  • Zirconium (also known as APT31 and Violet Typhoon)
  • APT40
  • Double Dragon (also known as APT41, Winnti Group, Barium, or Axiom)
  • Spamouflage (also known as Dragonbridge or Storm 1376)
  • Hafnium
  • LightBasin (also known as UNC1945)
  • Tropic Trooper
  • Volt Typhoon
  • Flax Typhoon
  • Charcoal Typhoon (also known as CHROMIUM)
  • Salmon Typhoon (also known as SODIUM)
  • Salt Typhoon (also known as GhostEmperor or FamousSparrow)
  • Liminal Panda
  • MirrorFace

Allegations of espionage and cyber-attacks

Australia

In May 2013, ABC News claimed that the Chinese government stole blueprints to the headquarters of the Australian Security Intelligence Organisation (ASIO). In May 2023, Australia, alongside other Five Eyes member states, identified the Chinese government as being behind the "Volt Typhoon" advanced persistent threat targeting critical infrastructure. In July 2024, government agencies from eight nations, including the Australian Signals Directorate, released a joint advisory on APT40.

Canada

Officials in the Canadian government claimed that Chinese hackers compromised several departments within the federal government in early 2011, though the Chinese government has denied involvement. In 2014, Canada's Chief Information Officer claimed that Chinese hackers compromised computer systems within the National Research Council. In May 2023, Canada's Communications Security Establishment identified the Chinese government as being behind the "Volt Typhoon" advanced persistent threat targeting critical infrastructure. In July 2024, government agencies from eight nations, including the Canadian Centre for Cyber Security, released a joint advisory on APT40.

Germany

In July 2024, government agencies from eight nations, including Germany's Federal Intelligence Service and Federal Office for the Protection of the Constitution, released a joint advisory on APT40.

India

Officials in the Indian government believe that attacks on Indian government networks, such as the attack on the Indian National Security Council, originated from China. According to the Indian government, Chinese hackers are experts in operating botnets, which were used in these attacks. Numerous other Chinese cyberattacks against India's cyberspace have also been reported.

Japan

In April 2021, Japan claimed that the Chinese military ordered cyberattacks on about 200 Japanese companies and research institutes, including JAXA. In July 2024, government agencies from eight nations, including Japan's National Police Agency, released a joint advisory on APT40.

The Netherlands

In 2024, the Dutch Military Intelligence and Security Service and the General Intelligence and Security Service stated that Chinese state hackers penetrated a Dutch military network the prior year.

New Zealand

In May 2023, New Zealand, alongside other Five Eyes member states, named the Chinese government as being behind the "Volt Typhoon" advanced persistent threat targeting critical infrastructure. In March 2024, the Government Communications Security Bureau and New Zealand Government accused the Chinese government via APT40 of breaching its parliamentary network in 2021. In July 2024, government agencies from eight nations, including the New Zealand National Cyber Security Centre, released a joint advisory on APT40.

South Korea

In July 2024, government agencies from eight nations, including South Korea's National Intelligence Service, released a joint advisory on APT40.

United States

The United States has accused China of cyberwarfare attacks that targeted the networks of important American military, commercial, research, and industrial organizations. A Congressional advisory group has declared China "the single greatest risk to the security of American technologies" and "there has been a marked increase in cyber intrusions originating in China and targeting U.S. government and defense-related computer systems". China's cyberwarfare has expanded from cyber-espionage to "pre-positioning" activity for the sabotage and crippling of critical infrastructure.

In January 2010, Google reported targeted attacks on its corporate infrastructure originating from China "that resulted in the theft of intellectual property from Google." Gmail accounts belonging to two human rights activists were compromised in an attack on Google's password system. Chinese hackers also gained access to a database containing classified information about suspected spies, agents, and terrorists under surveillance by the US government. American security experts connected the Google attack to various other political and corporate espionage efforts originating from China, which included spying against military, commercial, research, and industrial corporations. Obama administration officials called the cyberattacks "an increasingly serious cyber threat to US critical industries."

In addition to Google, at least 34 other companies have been attacked. Reported cases include Northrop Grumman, Symantec, Yahoo, Dow Chemical, and Adobe Systems. Cyber-espionage has been aimed at both commercial and military interests.

Diplomatic cables highlight US concerns that China is exploiting its access to Microsoft source code to boost its offensive and defensive capabilities.

A number of private computer security firms have stated that they have growing evidence of cyber-espionage efforts originating from China, including the "Comment Group".

China has denied accusations of cyberwarfare, and has accused the United States of engaging in cyber-warfare against it, accusations which the United States denies.

For 18 minutes on April 8, 2010, state-owned China Telecom advertised erroneous network routes that directed "massive volumes" of U.S. and other foreign Internet traffic through Chinese servers. A US Defense Department spokesman told reporters that he did not know if "we've determined whether that particular incident ... was done with some malicious intent or not", and China Telecom denied the charge that it "hijacked" U.S. Internet traffic.

In 2011, a Chinese state TV program displayed outdated screenshots of a Chinese military institute performing cyber attacks on a US-based dissident entity. The direct visual evidence from an official Chinese source challenges China's claims that it never engages in overseas hacking for government purposes.

During March 2013, high-level discussions continued.

In May 2014, a federal grand jury in the United States indicted five PLA Unit 61398 officers on charges of stealing confidential business information from U.S. commercial firms and planting malware on their computers. To Chinese experts, the charges demonstrated the sophistication of the United States' ability to attribute cyberattacks.

In September 2014, a Senate Armed Services Committee probe revealed that hackers associated with the Chinese government had carried out various intrusions into computer systems belonging to U.S. airlines, technology companies, and other contractors involved in the movement of U.S. troops and military equipment. In October 2014, the FBI added that hackers it believed to be backed by the Chinese government had recently launched attacks on U.S. companies.

In 2015, the U.S. Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as 21.5 million people. The Washington Post reported that the attack came from China, citing unnamed government officials. FBI director James Comey explained "it is a very big deal from a national security perspective and a counterintelligence perspective. It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government."

In October 2018, Bloomberg Businessweek published a report, citing unnamed corporate and governmental sources, which claimed that the PLA had forced Supermicro's Chinese sub-contractors to add microchips with hardware backdoors to its servers. The report claimed that the compromised servers had been sold to U.S. government agencies (including the CIA and Department of Defense) and contractors and at least 30 commercial clients.

In 2019, a study showed continued attacks on the US Navy and its industrial partners.

In February 2020, a US federal grand jury charged four members of the PLA with the 2017 Equifax hack. The FBI's official Twitter account stated that they played a role in "one of the largest thefts of personally identifiable information by state-sponsored hackers ever recorded".

The Voice of America reported in April 2020 that "U.S. intelligence agencies concluded the Chinese hackers meddled in both the 2016 and 2018 elections" and said "there have already been signs that China-allied hackers have engaged in so-called 'spear-phishing' attacks on American political targets" ahead of the 2020 United States elections.

In March 2021, the United States intelligence community released an analysis finding that China had considered interfering with the election but decided against it over concerns that it would fail or backfire.

In April 2021, FireEye said that suspected Chinese hackers had used a zero-day exploit against Pulse Connect Secure VPN appliances in order to spy on dozens of government, defense industry, and financial targets in the U.S. and Europe.

In May 2023, Microsoft and Western intelligence agencies reported that a Chinese state-sponsored hacking group affiliated with the PLA called "Volt Typhoon" had targeted critical infrastructure and military installations in Guam, Hawaii, Texas and elsewhere. In January 2024, US authorities stated that they disrupted an operation by Volt Typhoon that had access to critical infrastructure in the US for at least five years.

In February 2024, OpenAI announced that it had shut down accounts used by the Charcoal Typhoon and Salmon Typhoon hacking groups. The groups had been using their services to research companies, intelligence agencies, cybersecurity tools and evasion techniques, translate technical papers, write and refactor code, and create phishing campaign content. The same month, leaked documents from an MSS, PLA, and MPS contractor based in Shanghai called I-Soon, also known as Auxun, provided details into a campaign to harass dissidents, activists, critical academics, and Uyghurs overseas.

In July 2024, government agencies from eight nations, including the United States National Security Agency and Cybersecurity and Infrastructure Security Agency, released a joint advisory on APT40. In September 2024, FBI director Christopher A. Wray announced that a Chinese state hacking campaign known as Flax Typhoon, which had targeted critical infrastructure, had been disrupted.

In October 2024, it was reported that the lawful-intercept backdoors mandated by the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires internet providers to give government authorities access to communications, had been used by China to tap communications in the U.S. for months, or perhaps longer. Through that infrastructure China recorded phone calls of presidential campaign offices, including employees of the then vice president, and of the candidates themselves.

In November 2024, Texas governor Greg Abbott ordered state agencies to harden critical infrastructure against cyberattacks emanating from the PRC. In December 2024, the U.S. moved to crack down on China Telecom's cloud operations in the U.S. in response to the 2024 United States telecommunications hack. The same month, Chinese state-backed hackers were accused of obtaining a security key and accessing unclassified documents of the United States Department of the Treasury, and the Office of Foreign Assets Control (OFAC) sanctioned the Integrity Technology Group, an organization believed to be behind the Flax Typhoon APT.

In January 2025, the computers of the US Secretary of the Treasury and several of her senior officials were accessed by Chinese hackers. In March 2025, the U.S. Department of Justice indicted 10 Chinese nationals who worked for the MPS or its contractor I-Soon, also known as Auxun Information Technology.

Taiwan

Comparing the semiconductor industries of mainland China and Taiwan today, Taiwan is the leader in terms of overall competitiveness. On 6 August 2020, Wired published a report stating that "Taiwan has faced existential conflict with China for its entire existence and has been targeted by China's state-sponsored hackers for years. But an investigation by one Taiwanese security firm has revealed just how deeply a single group of Chinese hackers was able to penetrate an industry at the core of the Taiwanese economy, pillaging practically its entire semiconductor industry."

Ukraine

In April 2022, The Times reported that days prior to the start of the 2022 Russian invasion of Ukraine, a cyberwarfare unit of the PLA launched cyberattacks against hundreds of Ukrainian government sites, according to officials of the Security Service of Ukraine.

United Kingdom

In May 2023, the UK's National Cyber Security Centre, alongside other Five Eyes member states, identified the Chinese government as being behind the "Volt Typhoon" advanced persistent threat targeting critical infrastructure.

In March 2024, the UK government and the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) jointly sanctioned a Chinese MSS front company called Wuhan Xiaoruizhi Science and Technology and affiliated individuals for breaching the Electoral Commission and placing malware in critical infrastructure.

In July 2024, government agencies from eight nations, including the UK's National Cyber Security Centre, released a joint advisory on APT40.

The Vatican

In July 2020, it was reported that Chinese state-sponsored hackers operating under the name RedDelta hacked the Vatican's computer network ahead of negotiations between China and the Vatican.

Uses material from the Wikipedia article Cyberwarfare and China, released under the CC BY-SA 4.0 license.