
Chinese Cyber Espionage

Hubert Zhang, CICYBER

January 18, 2021

The Counterterrorism Group continues to monitor and analyze the Chinese espionage threat, which remains one of the most active and concerning counterintelligence domains for the United States and its allies. Chinese espionage relies on a vast and expanding international network of agents infiltrating industries and organizations including academia, various tech sectors, the military, and local law enforcement. Of particular concern are China’s growing cyber espionage operations, which involve intelligence gathering, intellectual property theft, and ransomware attacks.

Espionage operations of the People's Republic of China (PRC) are driven by its goal of surpassing the United States as the dominant global power in terms of social, political, military, and economic influence. To meet this comprehensive goal, China regularly engages in cyber espionage operations to gather intelligence, raise funds, and steal intellectual property that gives it a technological edge. Intellectual property theft remains the most prevalent activity of Chinese cyberespionage against the U.S., with at least 27 universities in the U.S., Canada, and Southeast Asia targeted by Chinese state intelligence.[1] This stolen research, together with counterfeit goods, pirated software, and theft of trade secrets, accounts for an estimated 225 to 600 billion USD taken from the US economy.[2] Recently, Chinese state-sponsored hackers have launched financially-motivated ransomware operations. This tactic will likely increase in prevalence due to the spread of ransomware tools and ransomware-as-a-service (RAAS). The Chinese cyberespionage portfolio consists of several advanced persistent threat (APT) groups, most prominently APT27, APT40, and APT41.

China aims to take the leading position in blockchain technology.[3]

APT27, known to security researchers as LuckyMouse, primarily focuses on espionage and intellectual property theft in various competitive industries such as aerospace technology and energy. Recently, security researchers discovered that Chinese cyber espionage was expanding into ransomware attacks. APT27 launched financially-motivated ransomware attacks in 2020 against several online gambling companies.[4]

APT40, which has been active since 2013 and is reportedly operating from Hainan Province, is primarily utilized to support China’s naval modernization. It often targets the defence industry and various sectors that overlap with maritime technologies.[5] In one case, APT40 disguised itself as an unmanned underwater vehicle manufacturer and infiltrated networks of universities engaged in naval research.[6] Chinese threat actors often maintain their presence in the targeted network after gaining initial access, conducting continual surveillance and intelligence gathering; in some cases, the malicious presence may go undiscovered for years.[7] This is highly concerning, as the government and private sector may remain oblivious to their information and data being taken by state intelligence. This persistent access also opens the possibility of planned supply chain attacks, as was the case in the recent massive Russian cyberattack against the U.S.[8]

APT41, also known as Winnti Group, is perhaps the most prolific hacking group utilized by Chinese cyber intelligence. The PRC primarily utilizes APT41 to carry out financially motivated hacking operations. The group has targeted hundreds of companies worldwide, often deploying financially motivated attacks against the video game industry.[9] APT41 often infiltrates a video game production environment and generates millions of dollars of in-game currency, sold in underground markets.[10] The group also utilizes ransomware on occasion, usually procuring ransomware-as-a-service (RAAS) tools from the online black market.[11] State-sponsored ransomware is a fairly new phenomenon and a trend that will likely increase in the future given the prevalence and widespread use of RAAS tools. Recently, the Iranian-backed hacking group Fox Kitten engaged in Pay2Key ransomware operations against Israeli and Brazilian businesses. Ransomware will likely be an increasingly prevalent tactic in the near future as state-sponsored cyber warfare continues to evolve.

Cyber Warfare between the U.S. and China[12]

To defend against cyber espionage, the Counterterrorism Group recommends that organizations and individuals routinely monitor networks and devices and maintain up-to-date cybersecurity hygiene. Employees and students at academic institutions must be aware of social engineering attacks such as phishing emails, which can request passwords and sensitive data. VPN providers should also be chosen with care and thoroughly vetted, as Chinese state intelligence exploits VPN vulnerabilities, and Chinese companies own several well-known VPN providers.[13]

The Counterterrorism Group (CTG)

[1] Chinese Hackers Target Universities in Pursuit of Maritime Military Secrets, The Wall Street Journal, March 2019

[2] 2017 Special 301 Report, Office of the United States Trade Representative, 2017

[4] China’s APT hackers move to ransomware attacks, Bleeping Computer, January 2021

[6] Ibid.

[7] College of Engineering network disabled in response to sophisticated cyberattack, Penn State News, May 2015

[8] Russian Cyberattack on U.S. Government Networks and the Private Sector, The Counterterrorism Group, January 2021

[9] US charges five hackers from Chinese state-sponsored group APT41, ZDNet, September 2020

[10] Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation

[11] Ibid.

[13] Chinese Firms Secretly Own Leading VPNs, Homeland Security News Wire, December 2019
