Last month, the U.S. Department of Defense released its annual report on China’s military and its role in China’s broader foreign policy. The 212-page report details developments in the past year, such as rapid advances in Beijing’s plan to build a nuclear weapons arsenal. But, as The Washington Post noted, the report “also gives significant attention to China’s cyber capabilities” and what this could mean for a potential invasion of Taiwan.
The Defense Department said the People’s Republic of China (PRC) “has publicly identified cyberspace as a critical domain for national security and declared its intent to expedite the development of its cyber forces.”
The department went on to stress that China’s armed forces, the People’s Liberation Army (PLA), “could also conduct a range of cyberspace, blockade, and kinetic campaigns designed to force Taiwan to capitulate to unification or compel Taiwan’s leadership to the negotiation table on the PRC’s terms.”
Sadly, neither the Defense Department’s report nor The Post’s newsletter said much about how these developments may impact civil society abroad.
A lot has been written about China’s high-tech oppression of its own people, including constant monitoring and control of digital communications, persistent crackdowns on ethnic minorities using sophisticated exploits and suffocating surveillance, and mass arrests of those who use social media to criticize Chinese leader Xi Jinping and his government.
But what do we know about China’s tactics beyond its borders? As it turns out, quite a bit.
The Chinese government demonstrated sophistication, skill, and an appetite for revenge when its hackers persistently attacked The New York Times in 2012, following an investigation into the wealth of the Chinese prime minister’s family. In the days following The Times’s article about the hack, Bloomberg News, The Wall Street Journal, and The Washington Post all said they too had been attacked by China. (Less than two months later, Mandiant published its now-famous report on APT1, a cyber espionage group linked to the PLA.)
In the years since, the threats against civil society have increased in both severity and scope. Attacks that were once reserved for China’s long-term, strategic goals may now be launched against anyone criticizing Beijing from anywhere in the world – affecting their physical, digital, emotional, and legal safety. In the past three years alone, China has targeted people outside of the country with impersonation, intimidation, mis- and disinformation, and attacks using DDoS, phishing, and malware.
Earlier this year, Reuters reported that someone was impersonating two of its journalists on social media to engage with Chinese activists. The accounts, which first appeared on Instagram and Telegram in November, posed as Shanghai bureau chief Brenda Goh and Hong Kong-based correspondent Jessie Pang. In at least one instance, the impersonator attempted to build trust by sharing a photo of Pang’s expired press ID. While Reuters said it “could not ascertain who was behind the fake journalist personas,” an administrator of Citizens Daily, a pro-democracy social media account, said they “suspected Chinese state involvement in the impersonations.”
Not long after, three journalists working for The New York Times and The Wall Street Journal reported that someone had registered Telegram accounts with their Chinese phone numbers. While it’s not clear who created accounts for Li Yuan, Lingling Wei and Wenxin Fan, or what they did next, it shows that journalists reporting from and on China should keep an eye out for accounts posing as them on social media.
Last summer, London's Metropolitan Police briefly detained Drew Pavlou, an Australian student and human rights activist, for “communicating false information to make a bomb hoax.” Pavlou told TIME “the bomb hoax email came from the drewpavlou99@protonmail.me email address.” That email prefix “is identical to an account he has with gmail, which he says was hacked in January 2021 by someone using a Chinese IP address.”
In January, police officers in Melbourne arrested Andrew Phelan, a high-profile China watcher and commentator, after a woman said that she’d received an email from him threatening to rape and kill her. He hadn’t, but someone clearly wanted to send a message.
Jemimah Steinfeld, the editor-in-chief of Index on Censorship, wrote that “Phelan is part of a new and growing club of people whose names and identities are being hijacked and used for nefarious purposes. It’s a disparate group stretching across the globe and contains activists, journalists, academics and lawyers. All are tied together by one common thread — they criticize China.”
In April, Volkskrant journalist Marije Vlaskamp shared an even more elaborate impersonation plot. Bomb threats against Chinese embassies were made in her name in multiple European cities, including Oslo and The Hague. The areas were cordoned off and traffic diverted to keep cars, buses, and trams away. The newspaper said this may be “the first time that unknown persons are intimidating a Dutch journalist outside China on behalf of the Chinese state.”
Vlaskamp reported that someone attempted to use her phone number “to create various new accounts on Telegram and WhatsApp.” Threatening messages were sent to her source too, demanding that he shut down his social media and stop giving interviews.
Vlaskamp, a correspondent in Beijing for 18 years, said that she’s “learned enough to know how the Chinese operate if they want someone to shut up.”
There have been reports of Chinese actors impersonating organizations as well. Recorded Future spent three years tracking a long-running phishing campaign targeting humanitarian, think tank, and government organizations. The 11-page report, published last year, said the actor had been “registering and weaponizing hundreds of domains spoofing organizations,” including Amnesty International and Radio Free Asia.
Recorded Future also highlighted that the actor has “displayed a particular interest in spoofing political, government, and think tank organizations in Taiwan,” such as the American Institute in Taiwan, the de facto U.S. embassy in Taipei.
In August 2020, authorities arrested Jimmy Lai, founder of the now-shuttered pro-democracy paper Apple Daily, for alleged collusion with foreign powers under the new national security law, as well as fraud. While preparing for his trial, Lai’s lawyers from Britain’s Doughty Street Chambers said they “received anonymous e-mails warning them against travelling to the city to defend him.” The messages, which were sent “from a generic Gmail address,” warned that the lawyers “could be extradited…from other jurisdictions” if they refused “to abide by the laws of the Hong Kong Special Administrative Region (HKSAR).”
"Threatening journalists, campaigners and lawyers within Hong Kong has been happening for some time," the lawyers told Reuters in an email.
A Hong Kong court sentenced Lai to 69 months in prison for fraud last December. His trial on national security charges is still pending.
In September, Doughty Street Chambers shared that while representing Jimmy Lai and his son Sebastian, its staff has been subjected to: “attempted online surveillance,” “repeated attempts to hack their e-mail accounts, devices and bank accounts, as well as impersonation e-mails … and emails threatening prosecution and extradition to HKSAR,” and “death threats, rape threats and threats to family members.”
A sarcastic post on X about President Biden’s supposed “plan for the destruction of Taiwan” sparked a wave of misinformation in February when it was amplified by Chinese authorities and supporters of unification with China. The Wire said that “a surprising number of people in Taiwan became utterly convinced that America is planning to destroy their island home.” The Ministry of Foreign Affairs even commented, saying “people should beware of false information designed to erode confidence in US commitments to defend Taiwan and damage Taiwan-US ties.”
Vincent Chao, a Taiwanese politician and former diplomat, told Dmitri Alperovitch on Geopolitics Decanted that “it just became this whole layered approach to disinformation that allowed this whole thing to proliferate in Taiwanese society for days if not weeks.”
“These are things that happen all the time here in Taiwan,” Chao said, adding that “they exploit the free press, they exploit free speech, they exploit this idea of attaching nonsensical claims to people with purported legitimacy.”
Last year, Meta said it had removed coordinated inauthentic behavior from China. The operation “targeted primarily the US and the Czech Republic.” The company said that this was the first network it disrupted “that focused on US domestic politics ahead of the midterm elections and Czechia’s foreign policy toward China and Ukraine.”
In January, Google said it “disrupted over 50,000 instances” of “a spammy influence network linked to China that has a presence across multiple platforms.” Microsoft later reported seeing an increase in “effective audience engagement” from Chinese influence operations.
While big tech companies focus on shutting down accounts used for influence operations, the task of fact-checking and calling out mis- and disinformation often falls to journalists.
Marianna Spring, the BBC’s first disinformation correspondent, has openly shared that in return for her work, she’s been “abused, slandered, threatened” (and, to be clear, she’s not alone). In some cases, the online messages hurled at her “contain physical threats,” which the BBC flags for further assessment. (Spring’s forthcoming book, Among the Trolls: Notes from the Disinformation War, elaborates on the risks that come with investigating mis- and disinformation.)
Ahead of House Speaker Nancy Pelosi’s visit to Taiwan in August last year, a series of DDoS attacks was launched at four key websites in the country, attempting to knock them offline: those of President Tsai Ing-wen, the National Defense Ministry, the Foreign Affairs Ministry, and the country’s largest airport, Taiwan Taoyuan International. Doug Madory, director of internet analysis at Kentik, told NBC News the attacks were “big enough to be effective but not record-breaking.” Researchers said the attacks were likely launched by Chinese activists rather than the Chinese government.
In July 2022, Proofpoint reported on how different state actors – including multiple Chinese actors – use phishing emails to target U.S. journalists. The researchers found that some of the emails contain web beacons designed to gather information about a journalist’s web browser and IP address, while others contain file attachments with malware. The report noted that one of the actors kicked off 2021 by targeting those covering U.S. politics, then – in the second half of the year – switched to targeting those “working cybersecurity, surveillance, and privacy issues with a focus on China.”
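The web beacons described above work because an HTML email can embed an image that the reader’s mail client fetches from the sender’s server the moment the message is opened; that fetch reveals the reader’s IP address and User-Agent, and a per-recipient token in the URL tells the sender exactly who opened it. The following script is an added example, not code from Proofpoint or from the original post. It flags likely beacons in an HTML body using a few simple heuristics (remote image, 1x1 or hidden, unique-looking token); the sample message and the `tracker.example.invalid` URL are constructed for illustration.

```python
"""Flag likely tracking beacons (web bugs) in an HTML email body.

Added example, not from the original post. The heuristics and the sample
message below are constructed for illustration; real mail gateways apply
many more rules than these.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a plausible "interview request" carrying one beacon.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear colleague,</p>
<p>We would like to invite you to speak on surveillance and privacy in China.</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="https://tracker.example.invalid/open?id=7a3f9c1e2b4d" width="1" height="1" style="display:none">
<p>Regards,<br>The Organising Committee</p>
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag as the parser walks the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value) pairs; value may be None.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for 0- or 1-pixel dimensions, the classic beacon size."""
    return value.strip().lower().rstrip("px") in {"0", "1"}


def score_image(attrs):
    """Return the list of beacon indicators for one <img> (empty = benign).

    Only remote http(s) images matter: the fetch is what leaks the reader's
    IP address and browser details, so inline and cid: images are skipped.
    """
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return []
    reasons = ["remote image fetched on open"]
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 or 0x0 dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    # A long per-recipient token in the query string ties the fetch to one target.
    if any(len(values[0]) >= 8 for values in parse_qs(parsed.query).values()):
        reasons.append("unique-looking token in query string")
    return reasons


def find_beacons(html):
    """Return [(src, reasons)] for each remote image showing at least one
    indicator beyond merely being remote."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.images:
        reasons = score_image(attrs)
        if len(reasons) > 1:
            hits.append((attrs.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE_EMAIL_HTML):
        print(src, "->", "; ".join(reasons))
```

On the constructed sample the logo (an inline `cid:` image) is ignored and the hidden 1x1 remote image is reported with all four indicators. The mitigation does not need a script: most mail clients can be set to block remote content by default, which prevents the fetch and so denies the sender the IP address and browser fingerprint the beacon exists to collect.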
When China hacked The New York Times in 2012, its hackers used malware “that enabled them to gain entry to any computer on The Times’s network,” and they “stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees.” China’s penchant for malware has only increased since then, aided by a law – passed two years ago – that requires discovered vulnerabilities to be reported to the Chinese government within 48 hours.
More recently, Volexity identified several long-running campaigns by a Chinese actor targeting Taiwanese individuals and organizations with fake Android applications containing malware. In August, ESET disclosed that a Chinese actor had distributed “espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram.” ESET researcher Lukas Stefanko told Forbes that the fake Signal app was designed to “spy on communications of the real app.”
“The PRC is sitting on a stockpile of zero-day vulnerabilities,” Morgan Adamski, the director of the NSA’s Cybersecurity Collaboration Center, told the audience at CYBERWARCON last week.
“We know, through operations the last couple of years, that we are seeing an uptick in the amount of Chinese use of zero-day vulnerabilities to get into U.S. infrastructure, software and capabilities that we care about,” Adamski said.
In my keynote at ATT&CKcon last month, I spoke about cybersecurity for civil society and the needs of both high-risk individuals and organizations. The U.S. Cybersecurity and Infrastructure Security Agency defines high-risk communities as ones that are targeted by advanced persistent threat actors, have limited capacity to provide for their own defense, and receive limited assistance from the U.S. government. The cases presented here certainly qualify.
As these examples show, securing high-risk individuals and organizations requires a holistic approach – not just a focus on one type of threat or a set of corporate assets. To fully support high-risk communities, we must focus on securing identities — accounting for the devices, systems, and workflows these people use every single day. With this in mind, we can begin to share guidance that is truly fit for purpose.