Chinese hacking tools made public in recent days show how Beijing has expanded the reach of its computer intrusion campaigns through a network of contractors, and also expose the weaknesses of that emerging system.
The new revelations highlight the extent to which China has ignored or evaded US efforts for more than a decade to curb widespread hacking operations. Instead, China has built up its intelligence cyber operations and developed a web of independent companies to do the job.
Last weekend in Munich, Christopher A. Wray, the director of the FBI, said that hacking operations from China were now directed against the United States on “a scale greater than we have seen before.” And in a recent congressional hearing, Mr. Wray said China’s hacking program was bigger than that of “every major country combined.”
“In fact, if you took every single one of the FBI’s cyber agents and intelligence analysts and focused them solely on the China threat, China’s hackers would still outnumber the FBI’s cyber staff by at least 50 to one,” he said.
US officials said China quickly gained that numerical advantage through contracts with companies like I-Soon, whose internal documents and hacking tools were stolen and posted online in the past week.
The documents showed that I-Soon’s extensive activities involved targets in South Korea, Taiwan, Hong Kong, Malaysia, India and elsewhere.
But the documents also showed that I-Soon was facing financial difficulties and that it used ransomware attacks to bring in money when the Chinese government cut funding.
US officials say this points to a critical weakness in the Chinese system. Economic problems in China and rampant corruption there often mean that money intended for contractors is diverted before it reaches them. Strapped for cash, contractors have ramped up illegal activity of their own, including hacking-for-hire and ransomware, which has made them targets for retaliation and exposed further weaknesses.
The US government and private cybersecurity firms have long monitored Chinese espionage and malware threats aimed at stealing information, which have become almost routine, experts say. Far more troubling, however, have been Chinese cyberhacking efforts that threaten critical infrastructure.
The intrusions, attributed to a Chinese state-sponsored group tracked as Volt Typhoon, which has infiltrated critical infrastructure, set off alarm bells across the US government. Unlike the I-Soon hacks, these operations have avoided the use of malware and instead rely on stolen credentials to surreptitiously access critical networks.
Intelligence officials believe the incursions were intended to send a message: that at any moment China could cut off electricity and water supplies or communications. Some of the operations have been located near US military bases that rely on civilian infrastructure — especially bases that would be involved in any rapid response to an attack on Taiwan.
However, even as China put resources into the Volt Typhoon effort, its work on more mundane malware efforts continued. China has used its intelligence agencies and contractors linked to them to expand its espionage activity.
I-Soon is directly linked to China’s Ministry of Public Security, which has traditionally focused on domestic political threats rather than international espionage. But the documents also show he has ties to the Ministry of State Security, which collects intelligence both inside and outside China.
Jon Condra, a threat intelligence analyst at Recorded Future, a security firm, said I-Soon had also been linked to Chinese state-sponsored cyber threats.
“This represents the most significant data breach linked to a company suspected of providing cyberespionage and targeted intrusion services for Chinese security services,” Mr Contra said. “Leaked material indicates that I-Soon is likely a private contractor operating on behalf of Chinese intelligence.”
The US effort to curb Chinese hacking dates back to the Obama administration, when Unit 61398 of the People’s Liberation Army, the Chinese military, was revealed to be behind hacks into a wide range of US industry, trying to steal secrets for Chinese competitors. To China’s fury, PLA officers were indicted in the United States, with their photos placed on Justice Department “wanted” posters. None have ever been tried.
Then China was caught in some of the most daring data thefts by the US government: it stole more than 22 million security clearance records from the Office of Personnel Management. Its hackers had gone undetected for more than a year, and the information they gathered gave them a deep understanding of who worked on what within the US government — and what financial or health or relationship problems they faced. In the end, the CIA had to withdraw officers scheduled to enter China.
The result was a 2015 agreement between President Xi Jinping and President Barack Obama aimed at curbing hacking, announced with fanfare in the White House Rose Garden.
But within two years, China had begun to develop a network of hacking contractors, a tactic that gave its security services some deniability.
In an interview last year, Mr. Wray said China had grown its spying resources so large that it no longer needed to do much “picking and choosing” about its targets.
“They’ll go after everything,” he said.