October 7, 2022, updated 16 Aug 2023 9:40am

What is the NSA actually doing in China?

Some fear that accusations the NSA is undermining Chinese cybersecurity might, in fact, be clever propaganda.

By Afiq Fitri

The breach was deft, even artful. It began, according to China’s National Computer Virus Emergency Response Centre (NCVERC), with a man-in-the-middle attack earlier this year on the networks of Northwestern Polytechnical University (NWPU) in Xi’an. Having mounted this type of breach, which allows hackers to intercept electronic communications mid-transit, the attackers then used a total of 40 zero-day exploits and viruses to strengthen and advance their position within the institution’s network. By the time they were discovered, the group’s access to the university’s systems was near-total – and even extended to a national telecommunications firm.

This attack was one of five that NCVERC has attributed in recent months to the US National Security Agency (NSA). “I want to stress that what the US has done has… seriously jeopardized the security of China’s critical infrastructure, and institutional and personal information,” said Mao Ning, a spokesperson from the country’s foreign ministry, who went on to urge the relevant US authorities to stop organising such breaches. Even so, it’s the kind of conduct that the Chinese government has publicly stated it has come to expect from the world’s leading superpower, with another government spokesperson excoriating the US as “truly the ‘hacking empire’ of the world”. 

Such highly charged accusations made against the US are nothing new – and, indeed, there is a rich seam of claims dating back to the Snowden revelations of the NSA making a mockery of Chinese cybersecurity by hacking civilian computers while maintaining a sophisticated network of informants. There is also, admittedly, a whiff of plausibility in some of the new claims: NWPU has, in the past, been described by the US Justice Department as an institution that’s ‘heavily involved in military research and works closely with the People’s Liberation Army.’ Even so, the new reports have been viewed with suspicion by cybersecurity experts. Indeed, a common thread between all of these reports is the use of threat intelligence and technical details designed to mimic the ways in which Western cybersecurity companies produce evidence and attribution of state-sponsored cyberattacks.

According to government spokespersons, Chinese cybersecurity is being undermined by the NSA and other foreign SIGINT agencies. Experts suggest that recent threat intelligence reports, however, are little more than tradecraft. (Photo by Thomas Peter-Pool/Getty Images)

In April, for example, another spokesperson for China’s Foreign Affairs Ministry responded to a question from Global Times – a state-funded media outlet – about a report from NCVERC on alleged US cyberattacks on allied countries. “The report… points out that if existing international internet backbone network(s) and critical information infrastructure contain software or hardware provided by US companies, it is highly likely that various types of backdoor(s) could be installed, making them targets of US government cyberattacks,” said Wang Wenbin.

His statement was strikingly similar to the way in which the US has previously warned about the risks in allowing Chinese telecommunications giant Huawei to work on critical national infrastructure around the world. There’s likely a cynical motive behind such attributions, argues Robert Spalding, CEO of Sempre and a former US Air Force Brigadier General. “The CCP wants to lay the foundation for saying that the US is guilty of what they blame China for,” he says.

Undermining Chinese cybersecurity

The timing of these reports’ release is also crucial to understanding China’s intentions, argues Chih-yun Huang, a cyber threat intelligence analyst at Team T5, a Taiwanese cybersecurity firm. On 30 August, the American cybersecurity company Proofpoint released a study on recent cyberattacks on the Australian government and wind turbine fleets in the South China Sea, with the trail leading to a group called TA423/Red Ladon. According to Proofpoint researchers and the US Department of Justice, the group is a ‘China-based, espionage-motivated threat actor… targeting a variety of organisations in response to political events in the Asia-Pacific region, with a focus on the South China Sea’.

Several weeks later, Global Times published an exclusive detailing how the NSA allegedly conducted its cyberattack on NWPU, which ‘aimed at infiltrating and controlling core equipment in China’s infrastructure and stealing private data of Chinese people with sensitive identities.’ Huang believes the timing of the story is suspicious, and likely a tit-for-tat accusation. Indeed, other industry experts have pointed out a pattern where Chinese cybersecurity companies publish reports on US cyberattacks, followed by exclusive stories run by Global Times, indicating a coordinated campaign between the state, private sector and the media.

Other cybersecurity experts have also argued that these reports are a patchwork effort at best, mentioning malware that has existed in the public domain for over five years. For her part, Huang notes that many of the reports issued by NCVERC omit crucial information like IP addresses and other indicators of compromise. “In that sense, these reports are not credible because we can’t confirm whether it’s true or not,” she says.

However, focusing on the technical credibility of these reports misses the broader point about China’s efforts to push out detailed threat intelligence on alleged American offensive hacking operations. “The interesting thing is that you won’t be able to find an English version of these reports,” says Huang. “It’s probably part of wider anti-US propaganda efforts intended to stir the emotions of the domestic population of China, or even the wider Chinese diaspora.” 

But Huang also believes that what she has seen in the last few months is just the beginning, and that propaganda efforts to portray Chinese cybersecurity as vulnerable to attack from Western powers will likely become more sophisticated in the future as US-China relations continue to deteriorate. “They will find new ways to make it more persuasive,” she says – the best lies, after all, contain elements of truth. “China might find ways to make these reports more legitimate by providing more technical details, for example.”

While publishing cyber threat intelligence reports about American hacking adventures represents a new front in US-China relations, such methods fall squarely within the long-held tradition of accusing the West of double standards. 

“There have been multiple times when the US accuses China of human rights violations of Uyghurs and you would see China retaliating with the US’s poor human rights record, for example,” says Huang. “As long as the Western cybersecurity industry continues to keep a close eye on China’s activities, I think China will continue to fight back through propaganda whenever they feel attacked.”
