Recent Chinese Cyber Intrusions Signal a Strategic Shift

The commercially available intelligence on Chinese cyber activity can be confusing. The Ministry of State Security (MSS) and even the PLA's Strategic Support Force (SSF) use the services of politically influential private contractors to develop their offensive toolchains. Those contractors may also moonlight as criminals, unabashedly using the same toolchains. This overlap in operators and infrastructure means that commercial intelligence analysts end up grouping China-linked cybercrime, cyber espionage and military cyber activity into big clusters known in the industry by names such as Winnti, APT40, APT41, Barium and Hafnium. That has greatly muddied the waters.

However, it is possible to unpack these clusters. The MSS and its affiliates have been spotted on global networks and linked with sophisticated political and economic espionage operations. The SSF, working with the five geographically aligned theatre commands of the PLA, has been mainly active in China’s near abroad. After the 2015 reforms, the theatre commands inherited the old, inertial bureaucracies of the PLA and their integration into the joint information warfare command of the SSF is said to be a work in progress.

The technical reconnaissance bases (previously known as bureaus), or TRBs, are the numerous detachments that grew out of the legacy structures of the PLA's signals intelligence setup. Most of them have been reorganized into the theatre commands and are responsible for various cyber missions. The TRBs rely on a mixture of bespoke toolchains and toolchains shared with contractors and the MSS. One example is ShadowPad, a modular backdoor shared across many China-linked groups, which is thought to be behind one of China's first known prepositioning operations, RedEcho. RedEcho was discovered in the Indian power grid in 2021, at the height of the Indo-China border standoff, and is most likely the handiwork of a TRB under the Western Theatre Command.

A de-clustering of Chinese cyber operations undertaken for groups active in China’s near abroad and associated with the PLA was able to link intrusions to TRBs. According to this analysis, which was based on commercially available and open-source intelligence, the ‘Tonto Team’ was related to Unit 65016, a TRB of the Northern Theatre Command; ‘Naikon’ was linked to the Southern Theatre Command; and ‘Tick’ was related to Unit 61419, which is likely a TRB directly under the SSF.

There has been some debate among experts about how the TRBs fit into the joint command structure of the theatre commands and the SSF. The consensus, however, is that because the theatre commanders have managed to remain the centres of gravity in a slow-changing bureaucracy, most TRBs are more closely associated with them than with the SSF.

This is the assumption that the Volt Typhoon disclosure seems to challenge. Volt Typhoon, the China-linked actor disclosed by Microsoft and the Five Eyes agencies in May 2023, was found prepositioned in US critical-infrastructure networks, including on Guam, using living-off-the-land techniques that blend in with routine administrative activity. It was undoubtedly a strategic operation, and its prepositioning extends far beyond China's near abroad. Its scope is a sign that the integration of joint information warfare forces into the PLA has matured. The military cyber elements seem to have been extricated from the stovepipes of the theatre commands and are ready to produce strategic effects beyond the Indo-Pacific. And the integration isn't just military but also political: the PLA is the Chinese Communist Party's army. Strategic cyber operations are directly sanctioned by the Central Military Commission and ultimately authorized by Xi.

An alternative hypothesis is that the MSS or a team of contractors was tasked with gathering intelligence to prepare for a future battlefield. The MSS and its privateers have gone beyond their remit in the past. The 2020–21 exploitation of Microsoft Exchange Server (attributed by Microsoft to Hafnium), which aggressively targeted many Western organizations, is thought to have been orchestrated by a regional bureau of the MSS and so wouldn't have gone through PLA channels to the top.

That said, the Chinese cyber apparatus also relies on decentralization and outsourcing to maintain deniability. And while the Volt Typhoon intrusion could have been the result of private contractors’ reckless maneuvering, such a move would have been deemed risky by the Chinese political establishment, which is keenly aware of the risk of escalation in cyber operations.

The intelligence that has trickled through from the Five Eyes points to interesting doctrinal and strategic developments in the Chinese cyber establishment, especially the extent and success of its integration with the PLA. A rigorous, transparent assessment by interdisciplinary experts, aided by governments, is required to fully understand these developments and their potential consequences.

Pukhraj Singh is the director of the Centre for Epistemic Security. The views expressed in this article are his own. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).