cyber attack Photo:VCG

The Cyber Security Association of China on Friday released details of two cases related to frequent cyberattacks and espionage by US intelligence agencies targeting China's key industries, issuing security alerts for critical sectors. One case involved an attack exploiting the zero-day vulnerabilities in the Microsoft Exchange email system, while the other exploited flaws in an electronic document system.

In response to a media inquiry regarding the report released by the Cyber Security Association of China, Chinese Foreign Ministry spokesperson Guo Jiakun said at Friday's press briefing, "It is the latest evidence of the US government's malicious cyberattacks on China, once again shows that the US is the top cyber threat faced by China and exposes the US' hypocrisy on the issue of cybersecurity - claiming itself to be the victim while it's the other way around. China will continue to do what is necessary to safeguard its cybersecurity."

"We also noted that the US used its allies in Europe and in China's neighboring region to launch the cyberattacks. China always believes that cybersecurity is a common challenge faced by all countries and requires a joint response through dialogue and cooperation," Guo said.

According to the report by the Cyber Security Association of China, the National Computer Network Emergency Response Technical Team/Coordination Center of China reported that in recent years, US intelligence agencies have increasingly targeted high-tech military-related universities, research institutions, and enterprises in China. They aim to steal sensitive information related to military research data or core production data involved in design, development, and manufacturing processes. These attacks have become more targeted and covert, posing a serious threat to the research and production security of China's defense and military industry, and even to national security, said the report.

Since the exposure of the US National Security Agency (NSA)'s cyberattack on China's Northwestern Polytechnical University in 2022, US intelligence agencies have frequently and aggressively carried out cyber espionage attacks on China's defense and military industries, according to the report.

From July 2022 to July 2023, US intelligence agencies exploited zero-day vulnerabilities in the Microsoft Exchange email system to attack and control the email servers of a major Chinese military-industrial enterprise for nearly one year, according to the report. 

Investigations revealed that the attackers controlled the enterprise's domain controller server, which they used as a springboard to access more than 50 key devices within the internal network. Additionally, they implanted a tool in an external work server of the enterprise, with the aim of gaining long-term control. At the same time, the attackers created multiple covert channels within the enterprise network for data exfiltration, according to the report.

During this period, the attackers used proxy IPs from multiple countries, including Germany, Finland, South Korea, and Singapore, to launch more than 40 cyberattacks. They stole emails from 11 individuals, including senior executives, containing design blueprints and core system parameters related to military-industrial products in the enterprise, according to the report. The attackers also implanted malicious tools on the company's devices, using obfuscation techniques to evade detection by security software, according to the report. 

The US government has consistently maintained a leading global position in both cyber surveillance operations and cyber warfare. For many years, it has implemented an offensive-oriented cyber operations strategy, Li Yan, director of the Institute of Technology and Cybersecurity at China Institutes of Contemporary International Relations, told the Global Times. 

Li said China is the biggest victim of cyberattacks and the revelation by the Chinese side is merely the tip of the iceberg. Whether it is against China or other countries, the US has continued to throw dirty water at us.

The expert warned that national security is no trivial matter. Our security awareness must be thorough, maintaining a high level of vigilance. We should continuously identify and remedy vulnerabilities.

According to statistics, in 2024 alone, there have been over 600 cyberattack incidents by state-level APT groups overseas targeting important Chinese agencies, with the national defense and military industry being the primary target. In particular, hacker organizations backed by US intelligence agencies rely on well-organized cyberattack teams, a large supporting engineering system, standardized attack tools, and strong vulnerability analysis and exploitation capabilities to conduct attacks and infiltrations against China's key information infrastructure and information systems, and key personnel, posing a grave threat to China's national cybersecurity, said the report.

In another case, from July to November 2024, US intelligence agencies conducted cyberattacks on a military-industrial enterprise involved in communications and satellite internet. According to the investigation, the attackers first used proxy IPs located in multiple countries, including Romania and the Netherlands, to exploit unauthorized access vulnerabilities and SQL injection vulnerabilities to attack the enterprise's electronic file system. They implanted a memory backdoor program into the company's electronic file server and further uploaded a trojan, according to the report.

Subsequently, the attackers exploited the enterprise's system software upgrade service to deliver a data-stealing trojan to the internal network of the enterprise, compromising over 300 devices. They specifically searched for keywords such as "military special network" and "core network" to target and steal sensitive data from the compromised hosts.

In both cases, the attackers used keyword searches to target sensitive information in the defense and military industry, which clearly falls within the scope of interest for state-level hacker organizations and carries strong strategic intent, said the report. Furthermore, the attacker employed multiple overseas proxy IPs to carry out the cyberattack, taking measures such as actively deleting logs, using trojans, and proactively monitoring machine status to conceal their identity and true attack motives. These actions reflect a high level of cyberattack capability and tactical concealment, according to the report.