SAN FRANCISCO — China’s state-sponsored hackers have drastically changed how they operate over the last three years, substituting selectivity for what had been a scattershot approach to their targets and showing a new determination by Beijing to push its surveillance state beyond its borders.
The government has poured considerable resources into the change, which is part of a reorganization of the national People’s Liberation Army that President Xi Jinping initiated in 2016, security researchers and intelligence officials said.
China’s hackers have since built up a new arsenal of techniques, such as elaborate hacks of iPhone and Android software, pushing them beyond email attacks and the other, more basic tactics that they had previously employed.
The primary targets for these more sophisticated attacks: China’s ethnic minorities and their diaspora in other countries, the researchers said. In several instances, hackers targeted the cellphones of a minority known as Uighurs, whose home region, Xinjiang, has been the site of a vast build-out of surveillance tech in recent years.
“The Chinese use their best tools against their own people first because that is who they’re most afraid of,” said James A. Lewis, a former U.S. government official who writes on cybersecurity and espionage for the Center for Strategic Studies in Washington. “Then they turn those tools on foreign targets.”
China’s willingness to extend the reach of its surveillance and censorship was on display after an executive for the National Basketball Association’s Houston Rockets tweeted support for protesters in Hong Kong this month. The response from China was swift, threatening a range of business relationships the NBA had forged in the country.
In August, Facebook and Twitter said they had taken down a large network of Chinese bots that was spreading disinformation around the protests. And in recent weeks, a security firm traced a monthslong attack on Hong Kong media companies to Chinese hackers. Security experts say Chinese hackers are very likely targeting protesters’ phones, but they have yet to publish any evidence.
Some security researchers said the improved abilities of the Chinese hackers had put them on a par with elite Russian cyberunits. And the attacks on cellphones of Uighurs offered a rare glimpse of how some of China’s most advanced hacking tools are now being used to silence or punish critics.
Google researchers who tracked the attacks against iPhones said details about the software flaws that the hackers had preyed on would have been worth tens of millions of dollars on black market sites where information about software vulnerabilities is sold.
On the streets in Xinjiang, huge numbers of high-end surveillance cameras run facial recognition software to identify and track people. Specially designed apps have been used to screen Uighurs’ phones, monitor their communications and register their whereabouts.
Gaining access to the phones of Uighurs who have fled China — a diaspora that has grown as many have been locked away at home — would be a logical extension of those total surveillance efforts. Such communities in other countries have long been a concern to Beijing, and many in Xinjiang have been sent to camps because relatives traveled or live abroad.
Chinese police have also made less sophisticated efforts to control Uighurs who have fled, using the chat app WeChat to entice them to return home or to threaten their families.
China’s Ministry of Foreign Affairs did not respond to a request for comment. China has denied past claims that it conducts cyberespionage, adding that it, too, is often a target.
Security researchers recently discovered that the Chinese used National Security Agency hacking tools after apparently discovering an NSA cyberattack on their own systems. And several weeks ago, a Chinese security firm, Qianxin, published an analysis tying the CIA to a hack of China’s aviation industry.
Breaking into iPhones has long been considered the Holy Grail of cyberespionage.
“If you can get inside an iPhone, you have yourself a spy phone,” said John Hultquist, director of intelligence analysis at FireEye, a cybersecurity firm.
The FBI couldn’t do it without help during a showdown with Apple in 2016. The bureau paid more than $1 million to an anonymous third party to hack an iPhone used by a gunman involved in the killing of 14 people in San Bernardino, California.
Google researchers said they had discovered that iPhone vulnerabilities were being exploited to infect visitors to a set of websites. Although Google did not release the names of the targets, Apple said they had been found on about a dozen websites focused on Uighurs.
“You can hit a high school student from Japan who is visiting the site to write a research report, but you are also going to hit Uighurs who have family members back in China and are supporting the cause,” said Steven Adair, president and founder of the security firm Volexity in Virginia.
The technology news site TechCrunch first reported the Uighur connection. A software update from Apple fixed the flaw.
In recent weeks, security researchers at Volexity uncovered Chinese hacking campaigns that exploited vulnerabilities in Google’s Android software as well. Volexity found that several websites that focused on Uighur issues had been infected with Android malware. It traced the attacks to two Chinese hacking groups.
Because the hacks targeted Android and iPhone users — even though Uighurs in Xinjiang don’t commonly use iPhones — Adair said he believed that they had been aimed in part at Uighurs living abroad.
“China is expanding their digital surveillance outside their borders,” he said. “It seems like it really is going after the diaspora.”
Another group of researchers, at the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto, recently uncovered an overlapping effort, using some of the same code discovered by Google and Volexity. It attacked the iPhones and Android phones of Tibetans until as recently as May.
Using WhatsApp messages, Chinese hackers posing as New York Times reporters and representatives of Amnesty International and other organizations targeted the private office of the Dalai Lama, members of the Tibetan parliament and Tibetan nongovernmental organizations, among others.
Lobsang Gyatso, the secretary of TibCERT, an organization that works with Tibetan organizations on cybersecurity threats, said the recent attacks were a notable escalation from previous Chinese surveillance attempts.
For a decade, Chinese hackers blasted Tibetans with emails containing malicious attachments, Lobsang said. If they hacked one person’s computer, they hit everyone in the victim’s address books, casting as wide a net as possible. But in the last three years, Lobsang said, there has been a big shift.
“The recent targeting was something we haven’t seen in the community before,” he said. “It was a huge shift in resources. They were targeting mobile phones, and there was a lot more reconnaissance involved. They had private phone numbers of individuals, even those that were not online. They knew who they were, where their offices were located, what they did.”
Adam Meyers, vice president of intelligence at CrowdStrike, said these operations were notably more sophisticated than five years ago, when security firms discovered that Chinese hackers were targeting the phones of Hong Kong protesters in the so-called Umbrella Revolution.
At the time, Chinese hackers could break only into phones that had been “jailbroken,” or altered in some way to allow the installation of apps not vetted by Apple’s official store. The recent attacks against the Uighurs broke into up-to-date iPhones without tipping off the owner.
“In terms of how the Chinese rank threats, the highest threats are domestic,” Lewis said. “The No.1 threat, as the Chinese see it, is the loss of information control on their own population. But the United States is firmly No. 2.”
Chinese hackers have also used their improved skills to attack the computer networks of foreign governments and companies. They have targeted internet and telecommunications companies and have broken into the computer networks of foreign tech, chemical, manufacturing and mining companies. Airbus recently said China had hacked it through a supplier.
In 2016, Xi consolidated several army hacking divisions under a new Strategic Support Force, similar to the United States’ Cyber Command, and moved much of the country’s foreign hacking operation from the army to the more advanced Ministry of State Security, China’s main spy agency.
The restructuring coincided with a lull in Chinese cyberattacks after a 2015 agreement between Xi and President Barack Obama to cease cyberespionage operations for commercial gain.
“The deal gave the Chinese the time and space to focus on professionalizing their cyberespionage capabilities,” Lewis said. “We didn’t expect that.”
Chinese officials also cracked down on moonlighting in moneymaking schemes by its state-sponsored hackers — a “corruption” issue that Xi concluded had sometimes compromised the hackers’ identities and tools, according to security researchers.
While China was revamping its operations, security experts said, it was also clamping down on security research in order to keep advanced hacking methods in house. Chinese police recently said they planned to enforce national laws against unauthorized vulnerability disclosure, and Chinese researchers were recently banned from competing in Western hacking conferences.
“They are circling the wagons,” Hultquist of FireEye said. “They’ve recognized that they could use these resources to aid their offensive and defensive cyberoperations.”