(Illustration: Saurabh Singh)
PICTURE THIS. ONE morning or night in the near future, Chinese President Xi Jinping decides the time is just right to invade Taiwan and take the island by force and ‘unite’ it with the mainland, making de jure One China de facto. The US, with longstanding guarantees on democratic Taiwan’s ‘independence’, which is not quite recognised on paper but allowed in practice, rushes its naval forces in the Indo-Pacific to discourage and even thwart the Chinese takeover. As that face-off ensues with armed conflict looking inevitable, domestic and foreign US military bases along with millions of American civilians lose water, electricity, communications, and sundry other essentials including food and medical care. America, in attempting to push China off Taiwan, finds itself paralysed at home and abroad and its defence of Taiwan is stillborn.
A few years ago, such a scenario was still the stuff of sci-fi movies and futuristic war-gaming. The charges the US and the UK have levelled against China, besides imposing sanctions on some of the most elite hacking outfits in Beijing’s control, earlier this week not only make that scenario a real situation, in the here-and-now, but also illustrate how far back in time China’s aggressive hacking on an industrial scale across the globe goes and how deep state-backed Chinese hackers had penetrated. It’s not the first time Chinese cyber espionage has come to light but it’s the formality of the allegations and the finality of the act of sanctioning that’s new and marks what a group of targeted British MPs called a “watershed”.
In May last year, Microsoft detected a mysterious code in communication systems in Guam. Guam is a major US military base and would be indispensable for any American defence of Taiwan. The code was malware allegedly installed by a Chinese state-backed hacking group that came to be called Volt Typhoon. Since then, American intelligence and defence officials have been testifying before Congress about the extent of that threat. On Monday, March 25, the US Treasury Department also sanctioned the Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ) which in turn was a front for a hacker group named Zirconium which is labelled officially by the Americans as Advanced Persistent Threat Group 31 (APT31). APT31 aka Zirconium operated via Wuhan XRZ from at least 2010 till January this year.
There are several strands or layers to the alleged cyber espionage. In the US, the Chinese are said to have bu`ried malware, initially exploiting untreated systemic weaknesses and old routers, “deep inside the networks controlling power grids, communications systems and water supplies that feed military bases in the United States and around the world,” as the New York Times had reported in July 2023 when the Biden administration’s tussle with Volt Typhoon came to light. In FBI Director Christopher Wray’s words, the hidden malware had amounted to “pre-operational reconnaissance and network exploitation against critical infrastructure.” By the time this week’s charges were levelled, American defence systems and even some private companies contracting for the US military, as well as more details of the penetration of critical infrastructure, had been named as victims of the Chinese operations. In a separate but related case, the US Department of Justice also indicted individual Beijing-linked hackers for targeting and intimidating China’s critics around the world.
The UK, meanwhile, accused China of conducting a cyber campaign, including espionage and hacking, against some of its MPs—all members of the Inter-Parliamentary Alliance on China, a group that analyses Beijing’s activities and is often critical of Xi’s regime. The Chinese have also been accused of targeting the UK’s Electoral Commission and accessing the data of almost 40 million voters. This didn’t happen this week, of course, but for more than a year stretching from August 2021 to October 2022. According to reports, the hacking went beyond databases of names and addresses and “sensitive emails” were accessed as well. What exactly the Chinese would do with such data is not understood clearly since a lot of it was available in the public domain in any case but intelligence agencies and security experts think that such details when combined with other personal information people put out themselves, say on social media, could help China build profiles at individual, social and political levels extending one level into the next. But what has concerned the UK the most is the arrest last year, on grounds of suspected espionage, of a 28-year-old British citizen working as a researcher in the British parliament with access to some of the MPs concerned.
The charges the US and the UK have levelled against Beijing illustrate how far back in time China’s aggressive hacking on an industrial scale across the globe goes and how deep state-backed Chinese hackers had penetrated
Share this on
These separate instances and cases put together build a fuller picture. But the bottomline that would worry governments at the receiving end, from Washington to New Delhi or from Tokyo to Wellington (New Zealand’s parliamentary network was targeted in 2021 too), is Wray’s summary before Congress last month: “If and when China decides the time has come to strike, they’re not focused just on political or military targets.” In other words, Chinese hackers were readying themselves to “wreak chaos and cause real-world harm to American citizens and communities.”
Behind all this is a significant change that has happened in China. Wuhan XRZ, et al have all been fronts for the Chinese Ministry of State Security which has taken over from the People’s Liberation Army (PLA) which used to run most of China’s cyber espionage programmes, especially the aggressive/attacking ones. The ministry is now regarded as “Beijing’s largest hacking operation”, bolstered by largescale investments by the state. What’s more, the ministry answers directly to and works under the Chinese political leadership. Thus, it has been, in a way, easy to point fingers directly at the regime in Beijing.
In February, the Washington Post had revealed that Chinese hackers, while targeting countries ranging from the UK, South Korea, Thailand, Malaysia to some of the Central Asian republics, had accessed more than 95GB of Indian immigration data in 2020 (against the backdrop of the Galwan clashes in eastern Ladakh). Knowledge of this information was the outcome of a leak, itself an accident or perhaps even sabotage—to the extent that the Chinese government instituted an investigation into the leak. Data in the form of documents, chats and images connected with a contractor, this time for the Ministry of Public Security, called I-Soon came to be posted on GitHub, an open-source developer platform. As per reports, the targeted major Indian ministries included finance, home and external affairs. User data was also allegedly accessed from the Employees’ Provident Fund Organisation (EPFO), Bharat Sanchar Nigam Ltd (BSNL), and at least one private hospital chain. The data on immigration was allegedly stolen largely from Air India’s check-in lists.
India has always been a focus of China’s cyber espionage and nobody in Indian officialdom or among the public is likely to be surprised by that fact. The scenario that could have—and still could—played out vis-à-vis the US would be stark when it came to India too, given the disputed border and the possibility of future skirmishes or even conflict. While it’s a “watershed” for the UK, which had heralded a “golden era” in bilateral relations with China about a decade ago, and while the US has come a long way since the Obama administration when Chinese cyber threats were routinely played down and/or no accusations were made, for a decade now, New Delhi has had no illusions about China. What still needs to be emphasised is the necessity and upgrade of safeguards in light of this week’s developments.
A dilemma for Washington was whether to let the Chinese malware stay in the networks to mislead the hackers or go public. In the end, the call was taken to excise the malware as its unknown risks were deemed too high. And the US and UK jointly announced the sanctions while formally accusing China. For all targeted states across the globe, that has been a relief. Knowledge is power but acting on knowledge is not always the logical next step. Till we learn enough to realise we cannot wait any longer.
More Columns
Ravichandran Ashwin: India’s Spin King Retires Aditya Iyer
India’s Message to Yunus Open
India’s Heartbeat Veejay Sai