Zuola had never fallen in with the party line. He would post translated news about Tibet, assert Taiwan’s sovereignty and call out misuse of government power. On December 22, 2010, the Hunan-based cyber activist received an email from a head-hunter offering a 400,000-yuan job, about Rs 43 lakh a year. It was too much money. Hours later, he got another email, from the “Taiwan Foundation for Democracy”, inviting him to a youth leadership camp. It was strange that the mail had made it through the Great Firewall.
Both were loaded with Trojans.
“The cyber army exists but within China there are not many reports about them. The cyber army has three kinds of targets — activists they need to shut down, overseas business companies for their IP (intellectual property) and governments for expanding influence,” Zuola told TOI. “Because I wrote about the government, I would keep getting these APT emails.” APT, or advanced persistent threat, is a targeted, sophisticated and prolonged cyberattack. The kind that Indian intelligence agencies have been warning the country could be facing from China-based actors.
Since 2016, India has been the sixth most targeted country by China-based hackers — right after the US, South Korea, Hong Kong, Germany and Japan. Government sites came under attack most frequently, followed by telecommunications, media, high tech and transportation, according to a report shared with TOI by US-based cybersecurity firm FireEye. In 2013, FireEye, then Mandiant, had first established the presence of China’s PLA Unit 61398, a “cyber espionage” unit of the Chinese military — the 2nd bureau of the 3rd General Staff Department under PLA General Staff. “We found that APT1 (the name assigned to the unit) maintained access to the victim’s network for an average of 356 days. The longest time … was at least 1,764 days,” the report said. Three victims were from India. IT, aerospace and public administration were the sectors most often targeted. Its last known activity was in early 2015 and by 2018, the US department of justice had indicted at least seven state-backed hackers named by the agency.
But a change was under way. The report says PLA reform talks began in early 2014 and by September 2015, an official announcement had been made. In December that year, the Strategic Support Force, or SSF, was formally established. The SSF took over network operations under a streamlined Chinese Military Commission, subsuming Unit 61398 and other tech and space units. The focus shifted: the foray into media sites is relatively new, and for a reason. The report says the agency “anticipates more aggressive efforts to influence public opinion in the future.” Phishing, the kind Zuola was subjected to, remains the chosen form of attack, followed by server compromise and web compromise. The use of China-specific malware has reduced and hackers have shifted towards “more broadly used malware.”
The most active groups currently are APT41 (which has targeted 14 countries including India and operates in keeping with China’s five-year economic development plans), APT40 (which targets countries central to the Belt and Road Initiative), APT10 (active since 2009, it has targeted India, Japan and northern Europe) and APT19 (which attacks legal and investment firms). Another group, APT30, operated for at least 10 years in intelligence gathering from India and southeast Asian countries. But it was last reported in 2015 and it is not certain whether it is still active.
Indian agencies have come under attack several times. A cyber espionage network from Chengdu compromising government systems in India was reported in 2010 by the Citizen Lab, which directly linked it to “the underground hacking community” in China. Then in 2016, the Calypso APT was reported to have targeted government organisations in India and five other countries. By 2018, about 35% of all cyber attacks on Indian sites were from China, the Indian Computer Emergency Response Team (CERT-In) had said. Chinese media, meanwhile, said Indian hackers had been attacking China’s medical organisations during the Covid outbreak.
But Zuola said there is more to this than just warfare: “The goal of CCP (Communist Party of China) is not cyber warfare but to obtain benefits through propaganda, disinformation, bribery, infiltration, large-scale collection of information to monitor, efforts aimed at undermining or influencing the policies, security or stability of other countries.”
To do that, it relies on more than just hired hackers. “If the internet is a weapon, top hackers are a nation’s precious wealth,” says a post on a Chinese tech blog, going on to list China’s top hackers. The names Guo Shenghua, goodwell, badboy, Chinese Hawk and coolfire are hallowed here. Hacker communities speak of four “generations” of hackers: the first that began when China logged on to the internet in 1987, the second started around 1998 (considered by many to be the birth of Chinese hacking, in response to the Indonesian riots in which Chinese communities were attacked), the third around 2001 and the “new” generation which has been around for about five years.
“Organisations like Hongke Alliance, Red Hacker Alliance and Chinese Eagle (top hacker groups in China) are not professional ones … When patriots and nationalists use keyboards and international networks to conduct online protests, they find a flag and a slogan to summon support. It becomes a gathering place for protest and distribution of hacking technology and hacking tools,” said Zuola. When their goals align, the government could look the other way. “Hackers recruited by the government will not be full-time ones. They usually act as consultants to provide solutions for the needs of the government … The government-recruited hackers can claim to be database engineers, systems engineers, software developers, project managers or academic researchers. They don’t even need to deliberately cover up their status of working for the government unless they need to work in a foreign company. In that case, they work remotely.”