How China’s growing cyber-hacking capabilities have raised alarm around the world

On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam said that the country’s cyber authorities are dealing with an ongoing attack on the Republic’s critical information infrastructure by UNC3886.

PHOTO: LIANHE ZAOBAO

  • China's hacking operations, some dating back to 2022, aimed to access private communications of US political candidates.
  • Multiple countries, including the US, Australia, and Czech Republic, have publicly attributed cyber attacks to China-linked APT groups.
  • China denies sponsoring cyber attacks, stating that they are also victims. Experts suggest public attribution aims to deter and educate about the growing threat, despite limited impact.

AI generated

In October 2024, the US authorities said that a China-linked cyber group called Salt Typhoon was targeting critical American infrastructure, including major telecommunications operators.

The aim was to obtain private communications of then presidential candidate Donald Trump and his running mate J.D. Vance, as well as communications made by the presidential campaign staff of then US Vice-President Kamala Harris in 2024.

While suspected Chinese operations against the US are not new, this was one of the most extensive, dating back to at least 2022.

Mr Mark Warner, a top US senator who was then chairman of the Senate Intelligence Committee, called it the “worst telecom hack in our nation’s history”.

It is not only Washington that has raised the alarm about Beijing’s advanced persistent threat (APT) capabilities. APT actors are sophisticated hackers – usually state-sponsored – who seek to achieve long-term political goals, rather than being driven by profits or specific causes.

On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam said that the country’s cyber authorities are dealing with an ongoing attack on the Republic’s critical information infrastructure by APT group UNC3886.

He did not disclose who sponsors the group, but experts have said that it is linked to China.

As China-linked hacking groups have become more adept over the past decade, serving Beijing’s goals that range from monitoring dissidents abroad to gaining access to sensitive communications of foreign leaders, countries have become increasingly willing to go public with their suspicions.

While each government will have its own considerations behind whether, and how, to name China as backing or directing these efforts, possible reasons to do so include increasing deterrence and convincing their population of the severity of the threat, which some experts say has grown in scale and sophistication.

Mr Mark Kelly, a staff threat researcher focused on China APT groups at California-based cyber-security firm Proofpoint, said that China APT groups have been active for at least 15 years but, up until a few years ago, it was mainly the US that was doing this type of public attribution.

“(The US) started doing a lot of indictments of individuals, and oftentimes private companies, that were allegedly working on behalf of Chinese intelligence.

“But over the last few years, you see more and more countries in Europe and increasingly within Asia as well conducting similar attribution,” he told The Straits Times.

Not all detected cases would have been flagged publicly.

“It’s likely that over the past few years, there have been many instances where governments were aware of Chinese state-sponsored activities targeting their countries and organisations, and they chose not to disclose these,” Mr Kelly said.

The US has been leading the charge against alleged Chinese cyber intrusions.

Former Federal Bureau of Investigation director Christopher Wray warned in a January 2024 hearing that Chinese hackers have targeted key US infrastructure – from water treatment plants to gas pipelines – and could one day take action to “destroy or degrade” such facilities.

Other countries that have recently flagged China’s offensive cyber capabilities, or specific China-linked attacks, include India, the Philippines, Australia and the Czech Republic.

In a rare move in July 2024, Australia led an effort with the US and six other allies to publicly warn about the threat of a hacking group called APT40.

The countries said the group conducts “malicious cyber operations” for China’s Ministry of State Security (MSS) and has been based in the southern island province of Hainan.

In February, the government of the Pacific island nation of Samoa issued a public advisory attributing cyber espionage to the same group, calling it a threat to the region’s networks.

In May, the Czech Republic government called out APT31, another hacking group, and said it was associated with China’s MSS. The group had been attacking the Czech Ministry of Foreign Affairs’ unclassified networks since at least 2022, it added.

Philippine government agencies in February 2024 flagged a cyber attack from hackers suspected to be based in China. India’s former defence chief in 2021 warned about the potential for disruptive Chinese cyber attacks on India.

Mr Dakota Cary, a senior security advisory consultant at SentinelOne, another cyber-security firm, said that more governments are now capable of detecting and defending against more attacks, and the number of China-related hacking teams has also grown significantly.

“China made significant investments in their talent pipeline for cyber security between 2015 and 2021, and those investments are paying off, with more hackers graduating from college every year. In large part, more victims are being hacked, thus causing more public attribution, because the state has more capabilities than ever before,” he told ST.

China has consistently denied that it has sponsored such attacks. But, according to US cyber-security firm Mandiant, there are more than 40 APT groups, and more than 20 are suspected to be operated by China, with the rest linked to North Korea, Iran, Russia, Pakistan and Vietnam.

Other APT groups have been linked to the US and Israel.

Beijing has made no secret of its desire to be a “cyber powerhouse”. This was proposed by Chinese President Xi Jinping in 2014 and, since then, the country has ramped up cyber-security training in schools and held regular government-sponsored hacking competitions to drive recruitment.

China has also increasingly boosted its cyber capabilities with domestic private contractors – a trend that was highlighted in a rare data leak of one such Shanghai-headquartered company, iSoon, in February 2024.

Among other things, the more than 500 leaked documents showed that the firm was surveilling and harassing overseas-based dissidents who had publicly criticised the Chinese government, including on social media platforms such as X.

But, historically, Chinese hacking aims relate more to intelligence collection than conducting disruptive attacks, said Proofpoint’s Mr Kelly.

China’s cyber espionage covers the more traditional objective of gathering military and political intelligence, but also helping to advance economic objectives, such as in countries with technologies China is interested in developing domestically, as well as keeping tabs on dissidents abroad, he said.

“Generally, China has been a lot more restrained than, say, Russia or Iran, when we talk about disruptive or destructive attacks (in their cyber operations).

“The vast majority of activity we see from them is intelligence collection, so they will gain access to a network or a device, and they will maintain that access over a long period of time to gather intelligence, and not necessarily use that to overtly disrupt that particular network,” he said.

In a statement on July 19 responding to media reports about UNC3886 being linked to Beijing, a spokesperson for the Chinese Embassy in Singapore said: “China expresses strong dissatisfaction with this, and we resolutely oppose any unwarranted smearing against China.

“In fact, China is one of the main victims of cyber attacks. We reiterate that China resolutely opposes and combats any form of cyber attacks in accordance with the law, and will not encourage, support or condone hacker attacks.”

Mr Muhammad Faizal Abdul Rahman, a research fellow at the S. Rajaratnam School of International Studies in Singapore, said that some Asian governments have shown more willingness to directly attribute cyber attacks to China. These are usually countries that are closely aligned with the US and share similar geopolitical threat perceptions about China.

“But Singapore is different as the authorities focus on attributing cyber attacks to a threat group instead of pointing to any country… The link to a particular country, in this case China, was made by Western cyber-security companies for past incidents,” he said.

Mr Faizal said the persistence of cyber attacks suggests that public attribution may have limited impact on changing the behaviour of threat actors.

“But attribution can be useful to demonstrate to the domestic audience that the government has the capabilities to respond and is doing what it should do to respond to threats. It also educates the public that the threat is real and not imagined, and that they should do their part for their country’s digital defence.”
