Small Wars Journal

Evolution of China’s Cyber Threat

Thu, 09/23/2021 - 5:21am

Evolution of China’s Cyber Threat


By Alex Richards




In 1989, a team of American analysts presented an argument that the next generation of war would have blurred lines between war and politics, and civilians and combatants.[1] This has become increasingly true as corporations now have major stakes in global conflict and are able to influence outcomes of global politics and war. The Russo-Georgian War further blurred those lines when the Georgian government transferred Internet capabilities that were under attack to TSHost servers in the United States. Private cybersecurity firms and non-state sponsored hackers can influence diplomacy on a global scale due to the deep penetration of the internet into the military, critical infrastructure, and everyday society. This penetration has increased the effectiveness of information warfare and cyber espionage.

China’s interest in information warfare really began in 1995 shortly after the United States had a swift victory in the Gulf War. The United States was able to use information technology to gain dominance in the war. Major General Wang Pufeng, who is considered to be the father of Chinse information warfare, wrote “Information war is a crucial stage of high-tech war... At its heart are information technologies, fusing intelligence war, strategic war, electronic war, guided missile war, a war of ‘motorization’ [jidong zhan], a war of firepower [huoli]—a total war. It is a new type of warfare.” [2] They went on to list the five key elements which are Electronic warfare, Military Deception, Operational Secrecy, Substantive Destruction, and Psychological Warfare.  The internet has allowed electronic warfare to evolve into the modern-day cyber warfare we see in the 21st century. Prior to a restructuring in 2015, China had three departments that dealt with Cyber operations: The People’s Liberation Army (PLA), Technical Reconnaissance Bureaus, and The Ministry of State Security (MSS). The PLA consisted of twelve operation bureaus with distinct missions, and under PLA leadership, each military region had its own Technical Reconnaissance Bureaus responsible for cyber espionage and military intelligence. The MSS was responsible for domestic and political security, non-military intelligence, and domestic counterintelligence.

Mandiant released a report on Advanced Persistent Threat 1 (APT1) which attributed APT1’s actions to Unit 61398 which is housed in the second bureau of the PLA. The report detailed the extensive list of twenty industries targeted by APT1 and observed 141 companies that were compromised by APT1. Some of the sectors targeted are government, high-tech electronics, aerospace, defense, and military. This group stole a broad range of information and was able to stay in a victim network for a lengthy amount of time. The longest period that APT1 had access to a network was four years and ten months and in a ten-month period they were able to steal more than six terabytes of compressed data.[3] This report lays out China’s multi-year espionage campaign designed to steal intellectual property from leading companies and competing nations and in turn use the stolen property to gain a competitive edge for China. Later reports by FireEye confirm the lengthy amount of time spent in victim networks and China’s use for the intellectual property that was stolen. Another FireEye case study on two China advanced persistent threat (APT) groups explains that the two groups compromised high-tech electronics companies. These groups worked almost daily and that they remained in the network for three years or more. FireEye suspected that these groups were “seeking to steal economic and technical information to support the development of domestic companies through reducing research and development costs, or otherwise providing a competitive edge.”[4]Although the Mandiant APT1 report is not able to pinpoint exactly what was stolen or what China choses to do with the information, they can look at dates of breaches and cross analyze the news cycle during that time. The APT1 report pointed out that during a two-year breach they were able to negotiate a double-digit decrease in prices with the victim company, but it cannot be proven that the breach directly resulted in price drop.

The activity of APT1 and other APT’s threaten China’s economic neighbors such as the USA, UK, and Europe as China’s domestic companies are gaining privileged information of new, high-end technology from competitors. The loss of this intellectual property enables China’s domestic companies to steal the market share, negotiate better terms of trade, and obtain more favorable contracts.[5] In extreme cases China can use their massive population and global trade infrastructure to gain a near monopoly on certain products. State sponsored groups also targeted aerospace and defense firms stealing intellectual property that has a dual use to China. They are able to use the data stolen to gain a similar economic advantage as well as use the stolen data to support the modernization of the Chinese military.


Reorganization of Chinese Military


            The exponential technology curve put the Chinese military organization at risk of being outdated. In 2014, talks to reform the PLA were underway, and by February 2016 the military region system was replaced by the Central Military Commission. The newly established Strategic Support Forces (SSF) housed underneath the commission took over the operations of the former PLA and it is believed that Technical Reconnaissance Bureaus were also incorporated into SSF command. The Ministry of State Security (MSS) was reorganized in 2018 and reportedly took on a more robust role in diplomatic and political security. This shift coincides with China’s decrease in espionage activity and their pivot to its geographical neighbors. Chinese cyber activity preorganization was in high volumes and mainly focused on intellectual property theft in the United States. Although the goal stealing sensitive data remained the same, the number of attacks and their motives behind them are changing. There are more political motives behind their actions along with the motive of supporting the Chinese military and domestic business. The more political motives are demonstrated by the change in targets by Chinese espionage activity. The Asia Pacific region has become the majority of Chinese APT’s targets, with East Asia accounting for more than fifty percent of the Asia Pacific activity. The total number of network compromises is down more than eighty percent from 2015 and the targeting of western countries is down nearly seventy five percent. The United States is still the most targeted country, next to South Korea, and internal political dissidents like Hong Kong and Xinjiang.[6] The targeting of regions close to home is likely correlated with their goal of maintaining regional supremacy. The sectors targeted by Chinese APT’s also shifted during and after the restructuring. The time spent in victim networks of the telecommunication sector has taken the number one spot of Chinese activity which previously belonged to Government. The versatility offered by telecommunications targeting combined with the more efficient and stealthier methods used is believed to indicate a higher level of maturity among active Chinese APTs. While High-Tech targeting is down by half, the Media and Entertainment sector is sneaking its way into the top five sectors targeted. More than seventy five percent of media outlets that are targeted are in the Asia Pacific region and it is believed that the Chinese are monitoring public reactions to political movements such as protests and elections.


Technology Prevalence in China’s Culture


             One important factor to not leave out when discussing a foreign nation’s actions is to take look at their actions through their lens and take the culture of the nation into consideration. Sarah P. White points out in Understanding Cyberwarfare, “In cyberspace as in physical space, it is crucial to avoid interpreting the actions of an adversary from the lens of one’s own doctrine.” This holds true with many aspects as if you leave out a piece of the puzzle you will get an incorrect interpretation of the picture. The penetration of the internet into Chinese society has happened rapidly and has to be considered when looking at China through the scope of cyberspace. In 2010, China housed the largest internet population with over 450 million Chinese users, but their population at that time was over 1.36 billion people. This means that the internet penetration rate was less than fifty percent in 2010, but it is important to note the people who had access to the internet were obsessed with it. People in the China’s largest cities spend a majority of their leisure time on the internet. Another important factor to note is the near 100% penetration rate of university students and young professionals.[7] From 2010 to today, China’s population has grown to 1.44 billion. This increase of 76 million people across ten years is dwarfed by the growth of internet users which was almost 539 million.[8] Another important factor to consider is the business climate in China. The utilization of online payment has increased to 85% percent, which is a massive difference from the common usage of the physical credit or debit cards in the United States.[9] Along with this increase in internet users over the years, China’s business climate has been improving. With the COVID-19 pandemic on a decline, businesses everywhere are looking to recover from the damages dealt by the pandemic. According to a 2021 interview with Greg Gilligan, Chairman of AmCham China, the people are “decidedly optimistic” as their charts indicate a twenty-point drop in pessimism and a fifteen-point increase in optimism.[10]

Another key culture point is the strong government that is present in China. According to Professor Nir Kshetri from the University of North Carolina, China “emphasizes the importance of creating and promoting a healthy and harmonious internet environment.” He elaborates that a cyberspace is healthy if it is free of crime and porn and the government sees that it “does not threaten to destabilize the state's social and political order.” The prevention of other nations destabilizing China’s social and political order is something that is mainly done through information war. China controls information that does not align with their ideals and use the political slogan of the Three evils: terrorism, extremism, and separatism. The strong sense of nationalism present combined with the homogeneous penetration of the internet into Chinese society plays a role into why Chinese hackers are willing to devote their skills and time into cyber espionage for China. Chinese hackers take personal responsibly to fight against what they view as imperialism, and their culture and strong government enforce this. Chinese hackers are seen as positive role models strive to be like them. Professor Nir Kshetri states “When Chinese hackers see the honor of their motherland is compromised, they consider it important to take necessary actions to restore China's honor, glory, and integrity.”[11] The patriotic reasons combined with the China’s goals of cyber espionage cultivate the perfect situation for Chinese hackers. China’s state-backed hackers can fight off imperialism and help their country and local business without causing any physical damage to property or people, but it is important to point out that the weak civil society and strict censorship by the strong government has been increasingly criticized in recent years.


Future of Chinese Cyber Espionage and Information Warfare


            The plans that China has for the future are very ambitious and mostly focus on improving their trade and military power along with maintaining superiority over the region. The plans on record that highlight the benefit cyber espionage are the Belt and Road Initiative (BRI) and Made in China 2025. The BRI is China’s ambitious plan to revitalize the silk road and add infrastructure in the form of ports, roads, and pipelines that stretch as far west as Germany. China is giving out arguably predatory loans to countries and in exchange would bolster their critical infrastructure and provide new trade routes for all involved. China does expect this money back, and there are harsh interest rates and huge penalties attached with these loans and failure to pay them; however, a Rhodium group found that there were many instances of debt relief and renegotiations around these loans.[12] Made in China 2025 on the other hand is not as ambitious and focuses on bringing more of the production supply chain to China resulting in an increase of the value added to their economy by production. The expected cyber espionage activity in the next five years should remain consistent with the goals that were observed after the reorganization of their military. The targeting of government and military sectors in the United States is something that can be expected to continue as the information obtained will help China in diplomatic matters and allow their military technology to remain up to date with the United States. China’s activity in Europe is targets Chemicals and Materials the most, which is expected to continue due to the plans to build up countries critical infrastructure along with Made in China 2025 goals of more domestic upmarket production. China’s pivot to its backyard, focus on the telecommunications sector, and the lateral movement through victim’s environment, seem to be the new normal and is where most of their information warfare and cyber espionage is focused. FireEye’s reports on China’s two most active advanced persistent threat groups (APT40 & APT41) support these claims with APT40[13] “masquerading as a UUV manufacturer, and targeting universities engaged in naval research,” and “APT41[14] targeting [that] is consistent with China's national strategies to move production capabilities upmarket.”

The United States War College Quarterly Parameters published an article in 2019 on China’s anti-access strategies in the pacific. The article highlights that anti-access strategies are adopted by nations who believe their enemies to be strategically superior, and because of this we can expect a shift towards power projection in the future as this perception of inferior military capabilities fade.[15] Anti-access strategies also correspond with China’s shift “from ‘winning local wars under the conditions of informationization’ to ‘winning informationized local wars.’”[16] This strategy shift shows the gradual shift towards power projection as the Chinese military become more competitive on a global scale. This shift indicates that China will start to take a more aggressive effort to see its goals through in a few years, and a lot of attention is on Taiwan, a United States ally. As this happens nations will have to decide if they want to be an ally or potential enemy to China. The leading force opposing China has been the United States, and tensions have been rising between the two superpowers resulting in tariffs and diplomacy responses from both sides. The strongest allies of China are Russia, Iran, and North Korea, but Russia can still swing either way if conflict breaks out. Russian relations have been improving with China, and relations with the United States have not always been beneficial for Russia.[17]




The nature of the internet poses many complications when it comes to attribution and regulation. It is difficult to attribute cyber espionage and crime beyond a reasonable doubt and the international boundaries are non-existent in cyberspace resulting in a lack of centralized regulation of the environment. The most important thing that can be done to prevent Chinese cyber espionage is making sure that emails come from an official source and avoid clicking on links in emails. China mainly initiates infection by targeting specific individuals or groups attempting to get them to click a link which will then download malicious code onto their computer to gain access to personal information. This technique is called spear phishing and this technique is used more than 90% of attacks.[18] The United States should also use its influence to gain international support for the Budapest Convention on Cybercrime and other cybersecurity arrangements, along with this, the United States should help developing nations form laws and infrastructure around cyberspace and give them training in cyber investigation and policing. This would provide somewhat of a counter to China’s BRI and would allow nations to have the proper failsafe when cyberwarfare breaks out. During the Russia-Georgia War, Estonia had its own internet exchange point which allowed Russian traffic to be cut of without hindering internal communications.[19] Lastly, the United States should offer more cloud computing infrastructure that guarantees privacy. As China invests in cloud computing, there is fear that China would not respect information security and possibly use cloud computing to set up a global system of monitoring and rating individuals similar to what they use domestically. Information security should be taken seriously, and powerful nations need to stand up and make sure that the privacy and intellectual property of companies and nations are protected.


[1] Lind, W., Nightengale, K., Schmitt, J., Sutton, J. and Wilson, G. (1989, October). The Changing Face of War: Into the Fourth Generation. Retrieved April 05 2021, from

[2] Ventre, D. (2010, May 18). China's strategy for INFORMATION Warfare: A focus on energy. Retrieved April 05, 2021, from

[3] FireEye. (2013). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved April 05, 2021, from

[4] FireEye. (2016). CYBER THREATS TO THE AEROSPACE AND DEFENSE INDUSTRIES. Retrieved April 05, 2021, from

[5] Boland, B. (2015, April 12). APT30 and lessons for ASEAN. Retrieved April 05, 2021, from

[6] Fraser, N., & Vanderlee, K. (2019). Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved April 05, 2021, from

[7] China-mike. (2020, October 23). Facts about CHINA: Technology, internet & media. Retrieved April 05, 2021, from

[8] Zhong, T. (2021, February 3). The 47th "Statistical Report on Internet Development in China". Retrieved April 05, 2021, from

[9] Amster-Burton, M. (2014, March 04). Debit, credit, cash, or check: How do you pay for things? Retrieved April 05, 2021, from

[10] Shieh, J., Shieh, A., & Author:. (2021, March 11). Bloomberg interviews AmCham CHINA chairman on business CLIMATE SURVEY. Retrieved April 05, 2021, from

[11] Kassner, M. (2013, April 22). Understanding what motivates Chinese hackers. Retrieved April 05, 2021, from

[12] Stone, R. (2019, December 23). China's 'debt-trap' diplomacy is little more than a fantasy. Retrieved April 05, 2021, from

[13] Plan, F., Cannon, V., Read, B., Fraser, N., & O’Leary, J. (2019, March 04). Apt40: Examining a china-nexus espionage actor. Retrieved April 05, 2021, from

[14] FireEye. (2019). [Report] double Dragon: APT41, a dual espionage and cyber Crime Operation. Retrieved April 05, 2021, from

[15] Tangredi, S. J. (2019). Anti-Access Strategies in the Pacific: The United States and China. In Parameters, U.S. Army War College Quarterly (Vol. 49, 1-2, pp. 5-20). Carlisle, PA: Us Army War College.

[16] Fravel, M. (2015, July 06). China's new Military Strategy: 'Winning informationized Local Wars'. Retrieved April 05, 2021, from

[17] Chopra, A. (2020, September 07). China and Russia the unequal, Unreal, complex relationship. Retrieved April 05, 2021, from

[18] Microsoft 365 Team. (2019, March 28). What is spear phishing? Keep you and your data safe. Retrieved April 05, 2021, from

[19] White, S. P. (2018, March). Understanding Cyberwarfare. Retrieved April 05, 2021, from

Categories: China - cyber - intelligence

About the Author(s)

Alex Richards studies cybersecurity at Michigan State University and is earning a dual degree in Computer Science and Criminal Justice.