Chinese Hacker Reveals How He Helped Beijing Steal Secrets From Foreign Governments, Companies

November 26, 2020 Updated: December 2, 2020

A Chinese hacker has revealed how he conducted cyberattacks on foreign governments, companies, and overseas dissident groups on behalf of the communist regime, blowing the lid off the secretive world of Chinese state-sponsored cyber espionage operations.

The whistleblower, who spoke to The Epoch Times on the condition of anonymity, is a senior cybersecurity officer at a tech firm named Nanjing Anzhiyida Technology Ltd. in eastern China’s Jiangsu Province.

The firm, he said, is controlled behind-the-scenes by senior Chinese officials who use it as a cover to carry out complex cyber intrusions known as “advanced persistent threats” (APT) to steal trade secrets from foreign targets. APT attacks are designed to gain access into a system and stay undetected for a long period of time, pilfering a steady stream of data.

The Chinese Communist Party (CCP) has a “huge demand” for APT operations, creating a “long-standing industrial chain,” the whistleblower said.

“For example, there’re many foreign shipbuilders that have advanced technologies, or the Chinese Academy of Sciences needs some high tech from overseas. They will then work to access their email accounts to take [the information],” he said. The technology “then instantly becomes that of the CCP’s,” he added.

According to U.S. officials, the regime has launched an aggressive cyber espionage campaign, harnessing both state and non-state hackers to steal sensitive commercial and personal information from a range of overseas targets: governments, companies, and activists critical of the CCP. In recent years, federal prosecutors have unveiled several indictments against Chinese hackers with ties to the regime’s top intelligence agency, the Ministry of State Security (MSS).

Lucrative Business

On paper, Anzhiyida is a tech firm specializing in facial recognition and artificial intelligence for the regime’s legal and security agencies.

But the company also had a secret business: conducting APT intrusions on a range of targets, operations which the whistleblower was deeply involved with. This work was undertaken under the ultimate direction of the recently-sacked chief of Jiangsu Province’s Political and Legal Affairs Commission (PLAC) Wang Like, he said. The PLAC is a powerful Party agency that oversees the country’s security apparatus, including police, courts, and prisons.

In late October, the regime’s anti-graft body announced it had launched a corruption investigation into Wang, who was also a core member of the Jiangsu Provincial Party Committee. Wang submitted himself to authorities for questioning on Oct. 24, it said.

While Anzhiyida lists its sole shareholder as a person named Jiang Peng, according to company registration records, the company was actually controlled by a 34-year-old woman named Qiu Peipei, who was Wang’s proxy, according to the whistleblower. Qiu’s husband is Liu Bin, the director of the big data command center of Jiangsu’s public security bureau, who also commissioned work through the firm, he added.

Qiu directed the whistleblower to conduct APT attacks targeting foreign governments and businesses, particularly jobs that are too difficult for cyber hackers working in state agencies, he said. These jobs netted the company’s powerful backers huge financial benefits.

“They leave all hard-to-intrude websites to us, where China’s police, national security, or the General Staff Department of the People’s Liberation Army have failed,” he said.

The firm invested huge resources to boost its APT business, according to the whistleblower, and controlled a network of cybersecurity companies to carry out attacks.

Targeting Falun Gong Practitioners

Other than for profit, the officials also directed the firm to conduct hacks for political gain: by targeting Falun Gong practitioners domestically and Falun Gong websites abroad.

In China, adherents of Falun Gong, a spiritual practice persecuted by the regime, are routinely surveilled, harassed, detained, and imprisoned by authorities in an effort to force them to renounce their faith.

The hackers carried out APT attacks to find out the IP addresses of Falun Gong practitioners, which then could be used to track them down and arrest them.

“Because in China, every broadband connection requires real-name authentication. With someone’s IP address used for surfing, you can find the internet user’s home address, personal information, and mobile phone number,” he said.

The company was also rewarded with a bonus for every Falun Gong practitioner arrested, the whistleblower added.

In addition, the firm was tasked to infiltrate Falun Gong websites, other websites, and email accounts of those critical of the regime, he said. The work was carried out in concert with the Jiangsu Provincial arm of the MSS (known as JSSD) and other cyber firms controlled by JSSD.

The whistleblower said Wang and Liu organized the cyber companies they controlled to create a facial recognition database of Falun Gong practitioners, in anticipation of reaping huge political advantages and financial returns.

“If the camera on the road has facial recognition, suppose the Falun Gong practitioner they want to capture is walking on the street. [With the database] the face can instantaneously be recognized, and they can be arrested immediately,” he said.

‘Hacker Army’

The whistleblower described most Chinese hackers as young people born after 1990 or 2000. A good portion of them are recruited by CCP officials like Wang, Liu, or their proxies like Qiu.

Either Liu or Qiu would reach out to them, taking a carrot-and-stick approach to get them to accept the job, using inducements such as: “It’s good for our country,” “You’ll be granted an identity: special agent.”

If they resist, then comes the threats, like, “If you don’t do this, you’ll end up with an inmate,” the whistleblower said.

He also said that the size of the Chinese regime’s official “hacker army” is not as large as it is rumored.

“The CCP simply cannot afford to hire them, and hackers themselves would not like to work within the system for a long time.”

Instead, the regime heavily depends on its network of semi-official cybersecurity firms like Anzhiyida to launch attacks.

Jiangsu: An Espionage Hotbed

The Department of Justice launched several recent prosecutions centered around alleged cyber and economic espionage orchestrated by the JSSD.

In September 2018, Ji Chaoqun, a 27-year-old Chinese national, was arrested in Chicago on charges that he covertly worked for a high-ranking JSSD official to help try to recruit engineers and scientists. His alleged handler was Xu Yanjun, a deputy division director at JSSD.

Weeks later, Xu was extradited to the United States from Belgium on charges of conspiring and attempting to commit economic espionage and steal trade secrets from multiple U.S. aviation and aerospace companies.

The department later in October unveiled an indictment against 10 Chinese nationals, including two JSSD officials and six hackers working under the direction of JSSD. The JSSD officials were accused of leading a scheme to steal turbofan engine designs being developed through a partnership between a French aerospace manufacturer and a U.S.-based aerospace company.

Gu Xiaohua and He Jian contributed to this report.