Foreign cyber spies attack information systems of key departments, enterprises, stealing sensitive data: China’s Ministry of State Security

Global Times, February 16, 2024 —

China’s Ministry of State Security warned on Friday that in recent years, national security agencies have discovered that foreign cyber spies have continuously attacked the information systems of key departments and enterprises within China, resulting in the theft of important sensitive data and posing a threat to China’s data security and cybersecurity.

The ministry released an article on its WeChat account, stating that cyberspace has become an important battlefield for foreign intelligence agencies conducting espionage activities against China, and the situation is becoming increasingly severe.

The article also revealed that in recent years, foreign cyber spies have continuously attacked the information systems of key institutions, departments, and enterprises within China, taking advantage of the inadequate security measures, negligence, and convenience-seeking behavior of these institutions to establish covert transmission channels and continuously steal important sensitive data.

These moves pose a threat to China’s data security and cybersecurity, said the ministry.

It also noted that foreign network spies often utilize various network mapping platforms to conduct batch scans of exposed network vulnerabilities. Once they discover that important institutions have not patched these vulnerabilities in a timely manner, they immediately launch targeted attacks to steal data.

The ministry also provided an example of a military-civilian integration enterprise. Recently, the national security agencies discovered that this enterprise, including its office platform, had high-risk security vulnerabilities because its software had not been kept up to date, leaving it susceptible to attacks.

Foreign cyber spies exploited these vulnerabilities to infiltrate and implant Trojan viruses, stealing important production and customer data from the enterprise, thereby posing a threat to China’s military equipment technology development and military and technological security.

The national security agencies have also found that foreign cyber spies pay close attention to software supply chain companies, continuously attempting to attack these companies through methods such as phishing emails and network scanning. Their preferred targets for attacks and espionage are operations and maintenance personnel who have system management privileges.

The ministry also gave an example of a man surnamed Li, who was an operations and maintenance employee of an email system manufacturer and was responsible for providing technical support for clients’ email systems, with remote management and system administrator account privileges.

For convenience, Li often recorded the account passwords of the clients and system administrators on his own computer. The foreign cyber spies used open-source intelligence to identify Li and launched a network attack on his computer, stealing the client account password table. They then used this as a springboard to carry out espionage on the email systems of thousands of key institutions. As Li possessed administrator-level account passwords, the foreign cyber spies obtained a large amount of internal email data from key institutions, causing serious harm.

Recently, a large State-owned enterprise with good network security protection capabilities and measures inexplicably had encrypted traffic transmitted to foreign countries in the early morning, with suspicious activities targeting different IP addresses each time, the ministry said in the article.

After careful investigation, the national security agencies confirmed that foreign cyber spies used the company’s network egress equipment and idle internal network devices as springboards to penetrate the company’s core internal network and steal important data from the enterprise.

Further analysis revealed that the company had set up a testing device when testing a certain network system, and various permissions were granted to this device. After the testing work was completed, the device was not taken offline in a timely manner and continued to run unattended. The foreign cyber spies discovered this opportunity and used it as a springboard to launch network attacks through the internal network, successfully stealing the core basic data of the enterprise, resulting in the theft of important public livelihood data in our country, said the ministry.

At the end of the article, the ministry noted that according to relevant regulations and laws, activities such as network attacks, intrusions, disruptions, control, and destruction against state organs, confidential institutions, or critical information infrastructure by spy organizations and their agents, or by domestic and foreign institutions, organizations, and individuals colluding with them, constitute cyber espionage.

Citizens and organizations should collaborate with national security agencies to strengthen security prevention, investigation and disposal efforts against cyber spies. Any suspected cyber espionage activities should be promptly reported to the national security agencies.

The Ministry of State Security has also issued a warning, emphasizing the need for key institutions involved in anti-espionage security prevention to strengthen daily security management of confidential matters, locations, and carriers, and implement physical anti-espionage measures such as isolation reinforcement, closed management, and the establishment of alerts.

They should also adopt corresponding technical measures and other necessary measures in accordance with the requirements and standards of technical anti-espionage prevention to strengthen technical anti-espionage measures for key departments, network facilities, and information systems, as advised by the ministry.
