Mustang Panda is a Chinese hacking group that is suspected of attempting to infiltrate the Indonesian government last month.
The reported breach, which the Indonesians denied, fits the pattern of China’s recent cyberespionage campaigns. These attacks have been increasing over the past year, experts say, in search of social, economic and political intelligence from Asian countries and other nations across the globe.
“There’s been an upswing,” said Ben Read, director of cyberespionage analysis at Mandiant, a cybersecurity firm, in an interview with VOA. Cyber operations stemming from China are “pretty extensive campaigns that haven’t seemed to be restrained at all,” he said.
‘Large-scale and indiscriminate’
For years, China was considered the United States’ main cyber adversary, having coordinated teams both inside and outside the government conducting cyberespionage campaigns that were “large-scale and indiscriminate,” Josephine Wolff, an associate professor of cybersecurity policy at Tufts University, told VOA.
The 2014-15 hack on the U.S. Office of Personnel Management, in which the personnel records of 22 million federal workers were compromised, was a case in point — a “big grab,” she said.
After a 2015 cybersecurity agreement between then-U.S. President Barack Obama and Chinese President Xi Jinping, attacks from China declined, at least against the West, experts say.
Hacking rising with rhetoric
But as tensions rose between Beijing and Washington during the Trump presidency, Chinese cyberespionage also increased. Over the past year, experts have attributed notable hacks in the U.S., Europe and Asia to China’s Ministry of State Security, the nation’s civilian intelligence agency, which has taken the lead in Beijing’s cyberespionage, consolidating efforts by the People’s Liberation Army.
TAG-28, a Chinese state-sponsored hacking team focused on the Indian subcontinent, reportedly infiltrated targets that included the Indian government agency in charge of a database of biometric and digital identity information for more than 1 billion people, according to The Record, a media site focused on cybersecurity.
A Microsoft report released in October accuses the Chinese hacking group Chromium of targeting universities in Hong Kong and Taiwan and going after other countries’ governments and telecommunication providers.
Hafnium, the name Microsoft gave to a Chinese hacking group, was behind the Microsoft Exchange hack earlier this year, according to the company and the Biden administration. Chinese hacking teams, Microsoft reported, took advantage of a weakness in the software to grab what they could before an emergency patch could be issued.
Scooping up data
A National Public Radio investigation asserted that the Microsoft Exchange hack may have been, in part, an information scoop aimed at acquiring large amounts of data to train China’s artificial intelligence assets.
Hafnium also targets higher education, defense industry firms, think tanks, law firms and nongovernmental organizations, the Microsoft report said. Another group from China, Nickel — also known as APT15 and Vixen Panda — targets governments in Central and South America and Europe, Microsoft said.
“What you are seeing now is this realization that Chinese espionage never disappeared and has become more technologically sophisticated,” Wolff said.
White House response
The Biden administration has stepped up its response to Chinese hacking. Over the summer, the U.S. and its allies, including the European Union, NATO and the United Kingdom, accused China of being behind the Microsoft hack and called on Beijing to cease the activity.
The Biden administration has not indicted anyone related to the Microsoft Exchange hack, nor has it instituted economic or other sanctions against China.
However, the U.S. unsealed in July an indictment against four members of China’s Ministry of State Security in a separate attack conducted by a group that security researchers call Advanced Persistent Threat (APT) 40, Bronze, Mohawk and other names.
A Chinese government spokesman demanded that the U.S. drop the charges and denied the nation was behind the Microsoft Exchange hack.
“The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity,” said Zhao Lijian, a Chinese Foreign Ministry spokesperson, in a July statement. “This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives.”
While China has stepped up its use of hacking, it has not crossed what some cyber experts say is a bright line in cyberespionage: public, overt hacks, such as the Russian disinformation campaign to influence the 2016 U.S. presidential election and, in May, the Colonial Pipeline ransomware hack, which was attributed to Russian-based cybercriminals.
China’s aims appear to be long term and both economic and strategic, such as shoring up its capabilities “so they are not only well defended but surpass capacities,” Philip Reiner, the CEO of the Institute for Security and Technology, told VOA.
A collective push from world leaders that cyberespionage is unacceptable might resonate with Chinese leaders in Beijing, who want to be accepted on the world stage, he said. Detailing clear consequences for state-sponsored hacks is also critical, he said.
Without a strong push from the U.S. and its allies, experts say, China’s state-sponsored cyberattacks will continue.