A growing body of evidence, including recent high-profile leaks and U.S. government indictments, substantiates the assessment that China fosters a deeply symbiotic partnership with third-party cybersecurity companies to execute its effective greyzone operations. This mutually beneficial relationship allows the Chinese state to project power, gather intelligence, and harass adversaries while maintaining a veneer of plausible deniability, a key characteristic of modern hybrid warfare.
This operational model, often referred to as a "hacker-for-hire ecosystem," is a cornerstone of China's "Military-Civil Fusion" strategy. This national-level directive intentionally blurs the lines between the state's security apparatus and the private sector, compelling and co-opting technology firms to serve the objectives of the Chinese Communist Party (CCP) (U.S. Department of State, n.d.). This arrangement provides the government with access to a vast and agile talent pool, while the companies receive financial backing and political cover.
A pivotal moment of clarity about this shadowy world came with the February 2024 leak of documents from I-Soon (Anxun), a Shanghai-based information security company. The files revealed a direct and contractual relationship between the company and various Chinese government entities, including the Ministry of Public Security (MPS) and the Ministry of State Security (MSS). As detailed in the "Nattothoughts" analysis of the event, the I-Soon leak is significant not because it reveals a new phenomenon, but because it provides unprecedented, tangible proof of the "scale and character" of the government-contractor relationship (Nattothoughts, 2024). It moves the discussion from attribution based on forensic data to documented evidence of contracts, employee complaints, and business operations, confirming that these are not rogue actors but integral, if sometimes messy, parts of the state's intelligence apparatus.
I-Soon's activities included targeting foreign governments, pro-democracy organizations in Hong Kong, and universities (Lyngaas & Goud, 2024). The Nattothoughts article emphasizes that the leaked data shows these contractors engaging in a "mix of the mundane and the malevolent," from monitoring dissent to enabling sophisticated network intrusions, all while functioning like a typical, sales-driven business with performance targets and internal politics.
This practice is not isolated to a single firm. For years, cybersecurity researchers have tracked numerous Advanced Persistent Threat (APT) groups with strong suspected links to the Chinese state. These groups, often given monikers like "APT41" (also known as Barium or Wicked Panda), have been observed conducting both cyber espionage for strategic state purposes and financially motivated cybercrime, indicating a fluid and opportunistic relationship with their government sponsors (Mandiant, n.d.).
The U.S. government has also taken a more assertive stance in exposing these operations. In March 2024, the Department of Justice announced charges against seven Chinese nationals, all employees of the Wuhan Xiaoruizhi Science and Technology Company Ltd. (Wuhan XRZ), for their alleged involvement in a 14-year global hacking campaign. The indictment explicitly stated that Wuhan XRZ acted as a front for the MSS, targeting U.S. and foreign critics of the Chinese government, businesses, and politicians (U.S. Department of Justice, 2024).
This symbiotic relationship offers several strategic advantages for Beijing in the greyzone:
Plausible Deniability: By outsourcing cyber operations, the Chinese government can distance itself from malicious activities, making definitive attribution more challenging and complicating a direct state-to-state response.
Access to Specialized Skills: The private sector often fosters a more dynamic and innovative environment for cyber talent. The government can tap into this expertise without the bureaucratic constraints of its own formal structures.
Scalability and Flexibility: The use of a network of contractors allows for the rapid scaling of operations to meet evolving strategic priorities. Different firms can be activated for specific targets or campaigns, providing a flexible and resilient offensive cyber capability.
Economic Incentives: The "hacker-for-hire" model creates a self-sustaining ecosystem where companies are motivated by profit to proactively seek out vulnerabilities and intelligence that can be sold to the government, further expanding the state's reach.
This deep-seated partnership with a proxy army of cyber warriors is a clear indication that China views these third-party companies as an indispensable tool in its long-term strategic competition. The continued exposure of these relationships by journalists, cybersecurity researchers, and Western governments is crucial in holding Beijing accountable for its actions in the increasingly contested domain of cyberspace.
References
Lyngaas, S., & Goud, N. (2024, February 21). Leaked files reveal details of China's global hacking operations. CNN. Retrieved from https://www.cnn.com/2024/02/21/tech/china-hacking-files-isoon-intl/index.html
Mandiant. (n.d.). APT41. Mandiant. Retrieved from https://www.mandiant.com/resources/insights/apt41
Nattothoughts. (2024, February 22). I-SOON - Kicking off the Year of the Dragon. Nattothoughts on Strategy and Geopolitics. Retrieved from
U.S. Department of Justice. (2024, March 25). Seven Hackers Associated with Chinese Government-Sponsored APT31 Hacking Group Charged with Computer Intrusion Offenses. Office of Public Affairs. Retrieved from https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-sponsored-apt31-hacking-group-charged-computer
U.S. Department of State. (n.d.). The CCP’s Military-Civil Fusion Strategy. Retrieved from https://www.state.gov/the-ccps-military-civil-fusion-strategy/