The document (pdf), titled “Cybersecurity Risks, Challenges, and Countermeasures,” was issued by a municipal agency of Tieling city in the northeastern province of Liaoning. The document was dated June 19, 2020, weeks before CCP’s founding anniversary.
The document, obtained by The Epoch Times, was intended for internal circulation within agencies of the Chinese regime. The goal was for the agencies to “clearly understand the extreme importance and complexity of cybersecurity ahead of the anniversary.”
The agencies were required to be politically, financially, and technologically prepared for any cybersecurity incidents.
Internet Is ‘Important Battleground’
The document starts by saying that the goal of “the Western anti-China forces” and “a certain Western country” is to “overthrow the CCP’s rule and stop the ‘revival’ of the Chinese nation” by any means possible.
It states that the internet has become an “important battleground.” Specifically, a certain Western country uses its strong technological resources to infiltrate, subvert, defame, and attack the CCP in an all-encompassing manner.
The document gives some examples of cyberattacks by “anti-China forces.” It states that a certain Western country has established more than 100 cyber combat teams and has developed several thousand cyberattack and defense weapons. But China is lacking in this regard and has become a major victim of hacking attacks.
It then claims that “in the past few years, about 70 percent of Chinese netizens have become victims of cyberattacks,” without providing details about who was behind the attacks.
Although not specifically named, “a certain Western country” appears to refer to the United States. The reference to the “100 cyber combat teams” is apparently based on a speech given by the director of the National Security Agency, Michael S. Rogers, at a U.S. Senate hearing in 2016 (pdf).
However, there is no evidence linking the U.S. cyber combat teams to cyberattacks targeting Chinese netizens. The “70 percent of netizens” is likely from domestic cyber fraud, according to a report by China Internet Network Information Center (CNNIC).
The CNNIC report says that in 2016, 70.5 percent of internet users encountered certain types of cybersecurity incidents. Seventy-five percent of such incidents trick the user into believing he or she has won a prize.
A hacker by the name of @fangongheike (“anti-communist hacker”) is known for posting anti-CCP messages on the homepages of hacked regime websites.
This hacker is mentioned by the leaked document as part of the threats from the West. In addition, in a set of training slides on cyber security, the hacker appears under the “threat” slide. It says that since May 2012, the so-called “anti-communist hacker group” hacks into a regime website every three days, posts derogatory remarks, and aims at “overthrowing” the CCP.
The hacker said on his own Twitter account that it’s been the work of a single person.
“Since April 12, 2012, when I hacked into a web page to vent my dissatisfaction with the government, everything has been done by myself alone. I use ‘we’ to make myself look bigger,” he said.
In addition, @fangongheike says on his profile that he doesn’t contact any individual or organization via any means, and that he hacks regime websites to satisfy his own private interests. He posts screenshots of hacked websites overlaid with @fangongheike messages, while the website functionality doesn’t seem to be affected.
As another example, the leaked document says that “according to a Western media report, a certain Western country has planted a Trojan horse virus in the Russian power grid, and that it can instantaneously cause a complete blackout in Russia.”
In June 2019, there was a blackout in Argentina, Paraguay, and Uruguay. While Argentina’s energy secretary ruled out a cyberattack as the cause of the blackout, it was later concluded that the trigger was a short circuit that had disconnected a 500-kV transmission line.
However, the leaked document says that “it was a ‘rehearsal’ by a certain Western country to attack Russia.”
Chinese State-Sponsored Hackers Charged
The leaked document also mentioned that several so-called advanced persistent threat (APT) hacker groups have been targeting Chinese businesses and regime entities. But it failed to provide solid examples of damage done by these groups, which include APT32 (OceanLotus), APT-C-09 (patchwork), and APT-C-08. These groups target countries in Asia and the Middle East.
APT is a covert cyberattack on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period. During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data.
Several APT hacker groups are sponsored by the CCP. Since 2017, the U.S. Justice Department (DOJ) has indicted multiple Chinese hackers as members of CCP-sponsored APT groups.
Three Chinese hackers belonging to APT 3 were charged in November 2017 for computer hacking, theft of trade secrets, conspiracy, and identity theft directed at U.S. and foreign employees and computers of three corporate victims in the financial, engineering, and technology industries between 2011 and May 2017. Siemens alone lost 407 gigabytes of data due to APT3 hacking.
In December 2018, two Chinese hackers were indicted as members of the APT 10 group for targeting intellectual property and confidential business information. According to the indictment, from around 2006 to 2018, APT 10 conducted extensive hacking campaigns, stealing information from more than 45 victim organizations, including U.S. companies. Hundreds of gigabytes of sensitive data were secretly taken from companies in a diverse range of industries, such as health care, biotechnology, finance, manufacturing, and oil and gas.
In August 2019 and August 2020, the DOJ charged five hackers from APT 41, which orchestrated intrusions at more than 100 companies across the world, ranging from software vendors, video game companies, telcos, and more. The APT 41 group is now one of the most infamous and active state-sponsored hacking groups. Victim companies are from countries such as the United States, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.
In February 2020, the DOJ charged four members of the Chinese military for hacking into credit reporting company Equifax, which affected more than 150 million customers. According to the indictment, the state-sponsored hackers ran approximately 9,000 queries on Equifax’s system obtaining records for nearly half of all U.S. citizens. Exposed data included names, birth dates, and Social Security numbers.
In July 2021, four members of APT 40 were charged with hacking various companies, universities, and government entities in the United States and worldwide between 2011 and 2018. Examples of APT 40 activity include targeting maritime industries and naval defense contractors in the United States and Europe, regional opponents of the Belt and Road Initiative, and multiple Cambodian electoral entities in the run-up to the 2018 election, according to the UK’s National Cyber Security Center.
In September 2020, then-U.S. Deputy Attorney General Jeffrey A. Rosen summarized the goal of CCP hacking.
“The record of recent years tells us that the Chinese Communist Party has a demonstrated history of choosing a different path, that of making China safe for their own cybercriminals, so long as they help with its goals of stealing intellectual property and stifling freedom.”