On Tiananmen Anniversary, China unleashes private hackers on activists

As the calendar turns to June, the echoes of the Tiananmen Square tragedy reverberate across China. Yet, the government’s iron grip on online discourse intensifies, muffling any domestic chatter about the event.

Observers, both within and outside China, brace themselves for a surge in cyber manoeuvres. These could span from deceptive emails laced with harmful links to full-blown assaults on networks. The crescendo of such activities is expected to build in the days and weeks that culminate in the sombre anniversary.

Much of this cyber activity by Beijing is done covertly. But a recent restructuring of China’s cyber force and a document leak exposing the activities of Chinese tech firm ‘i-Soon’ have shed some light on how Beijing goes about the business of hacking. Some Chinese experts and open-source researchers believe that the latest revelations draw the curtain back on a contractor ecosystem in which government officials and commercial operators are increasingly working together.

In short, Beijing is outsourcing its cyber operations to a patchwork army of private-sector hackers who offer their services out of a mix of nationalism and profit.

The Chinese government exercises stringent control over online information, employing tactics such as prohibiting specific search terms, scrutinizing social media for dissenting content, and denying access to foreign media and apps that might carry censored material. The grip on digital activity tightens notably around the anniversary of the 1989 Tiananmen Square protests, which culminated in a brutal suppression of the demonstrators by military forces on June 4th of that year.

In the years since, advocates of democracy have endeavoured to honour the memory of the massacre each year on its anniversary, while Beijing has made efforts to suppress any mention of the crackdown. As the anniversary approaches, Chinese internet users observe an increase in restrictions and censorship, with an expanding list of banned words and the removal of certain emojis, such as candles symbolizing vigils.

In 2020, Zoom, a US tech company with a team in China, was directed by Chinese officials to deactivate accounts of US activists marking June 4 and to abort online memorials on the platform. Zoom complied, citing adherence to local laws. Around the anniversary, cyberattacks on dissident groups and overseas Chinese-language media have been reported. In 2022, Media Today, an Australian Chinese-language media group, was targeted by an anonymous cyberattack. Earlier this year, seven hackers based in China were indicted by the US Department of Justice for sending harmful tracking emails to members of the Inter-Parliamentary Alliance on China.

As online attacks on dissident and global groups grow more advanced, China has been reshaping its cyber operations agencies. Currently, the Ministry of State Security (MSS), China’s primary intelligence and secret police agency, conducts most of China’s harmful cyber activities. Before the MSS took over, the People’s Liberation Army (PLA) was behind the earliest government-linked cyber attacks. In 2015, the PLA established the Strategic Support Force for cyber warfare and network security. However, in April 2024, the PLA disbanded it and formed three new forces: the Aerospace Force, the Cyberspace Force, and the Information Support Force, which, along with the Joint Logistics Support Force, report directly to the Chinese Communist Party.

Amidst political instability in China’s leadership, 2023 saw the removal of Defence Minister Li Shangfu, Foreign Minister Qin Gang, and Rocket Force Commander Li Yuchao, all new to their roles. Beijing remains silent on the details of the military reshuffle, but the timing seems intentional. President Xi Jinping personally oversaw the launch of the Information Support Force, emphasizing the need for absolute loyalty, purity, and reliability, and adherence to the party’s commands.

China’s cyber forces restructuring aligns with a trend of outsourcing harmful cyber activities to private contractors, with state approval. In February 2024, a leak revealed a clandestine network of Chinese cyber contractors hacking for profit. It confirmed suspicions of hackers’ collaboration with the Chinese government, showing how i-Soon, a Chinese firm, sold services to government entities and state-backed threat groups. Founded in 2010 by Wu Haibo, a former Green Army member, i-Soon represents the commercialization of China’s cyber capabilities. The Green Army is often considered China’s first hacker community.

Established in 1997, the Green Army served as a hub for hackers to share knowledge. By 1998, Chinese hackers, driven by patriotism, initiated cyber attacks. Notably, during the Indonesian riots induced by the Asian financial crisis, they targeted Indonesian government websites in response to violence against Chinese Indonesians. In 1999, following NATO’s inadvertent bombing of the Chinese embassy in Belgrade, US government websites were defaced by Chinese hackers. This period saw the rise of the term “honker,” denoting ideologically and nationally motivated Chinese hackers.

Chinese hackers’ relationship with the authorities is complex. They provide cyber expertise and plausible deniability for the government, but can complicate Beijing’s foreign policy when their actions invite criticism. They’re also known to engage in cybercrimes like fraud and intellectual property theft, in addition to state-backed espionage. Efforts have been made by the Chinese government and notable “patriotic” hackers to regulate the community and encourage lawful work like cyber security. However, the i-Soon leak reveals that state-sponsored contractors are involved in bribery and other illegal activities.

China’s cyber prowess has evolved through the management and utilization of cyber experts, whether state-backed or not. However, the relationship is intricate. To eliminate hackers’ illicit activities, Beijing has established a system to educate its cyber workforce. To prevent the sharing of expertise with foreigners, Chinese cyber professionals are typically prohibited from participating in global hacking contests. While the sharing of newly found security flaws enhances cyber security, Chinese laws restrict such information flow. Any software vulnerabilities identified in China must be reported to the government immediately. It’s believed that the Ministry of State Security uses this data to build cyber offensive capabilities.

The i-Soon leak reveals corruption within China’s expanding commercial hacking network. Internal communications indicate contractors bribing officials with money, alcohol, and other incentives. There are also reports of contractors failing to meet sales targets, delivering inferior work, and expressing dissatisfaction with their wages. Amidst a struggling economy, local governments in China find it challenging to fund basic services, posing financial and political challenges for companies like i-Soon that aid Beijing’s cyber operations. Despite Beijing’s annual June 4 online crackdown plan, the cyber forces it employs face their own problems, warranting examination and correction by the Chinese Communist Party.
