
China Cyber Espionage Program Shows Beijing’s Maturation as a Global Cyber Player

Recent reporting reveals that Chinese cyber espionage activities targeted the U.S. Office of Foreign Assets Control (OFAC) in a campaign to steal information about the U.S. sanctioning of Chinese individuals and companies. In addition, the office of the U.S. Secretary of the Treasury and the Office of Financial Research, which monitors the stability of financial markets, were also targeted, as confirmed by a Treasury Department letter, though no details were provided as to what was done or what, if any, information was taken. This activity coincides with a broader Chinese cyber espionage campaign that was exposed during the closing months of 2024, and indicates a more aggressive China searching for information that would provide greater insight into U.S. government planning. An official Chinese spokesperson rejected the claims as “irrational” and without proof, a typical answer when responding to U.S. claims of Chinese cyber malfeasance.

OFAC is an organization that plays a substantial role in supporting U.S. national security. In 2023, the organization assessed more than USD 1.5 billion in penalties across 17 resolutions, the highest volume of penalties ever assessed by OFAC in a single calendar year. And while the success of sanction imposition varies with the target, the United States uses OFAC as a punitive force to curb bad state behavior and restrict financing for entities and enterprises, thereby impacting how they can operate. Chinese companies have been sanctioned by OFAC in the past. In December 2024, OFAC imposed penalties on a Chinese cybersecurity company and one of its employees for using a zero-day exploit in a firewall product to deliver malware to roughly 81,000 firewalls in use by thousands of businesses worldwide. While initiating change in state behavior may be more difficult in the cyber realm than in, say, counterterrorism, one thing is evident: OFAC’s sanctions remain a powerful tool of U.S. statecraft.

Per its website, OFAC “administers and enforces economic and trade sanctions” based on U.S. foreign policy and national security goals against those entities deemed a threat to U.S. interests. Several individuals and entities from countries like China, Iran, North Korea, and Russia have been added to OFAC’s cyber sanction list. A breach of this nature would ostensibly be used to discover how the United States determines sanction imposition for cyber-enabled activities, as well as potential targets for future sanctions. Although it appears that the attackers may have only accessed unclassified material, the collection, aggregation, and synthesis of such material provides intelligence value, and could give a government like Beijing insight into how the United States uses sanctions to advance its political and economic objectives, allowing China to pivot and adjust. Per one source, the information available to the attackers came from sources such as law enforcement and international partners, offering insight not just into U.S. thinking but into other governments’ thinking about China as well.

This breach is similar to the campaigns that breached several telecommunications companies, garnering substantial attention for brazenly exploiting critical infrastructure. However, that activity also revealed perhaps a more nefarious objective: gaining access to the U.S. wiretap system, a vital tool for U.S. law enforcement and national security agencies. If compromised, such information would be an intelligence windfall, potentially giving China access to data that would expose confidential investigations, including how the U.S. conducts wiretaps, the names of individuals under surveillance, and potential future targets of wiretapping. The Center for Strategic and International Studies conducted a survey of Chinese espionage in the United States since 2000 and found that 49% of spying was conducted by Chinese political or military officials and 41% by Chinese nationals. So, it’s clear why being able to monitor U.S. wiretapping would be an advantage for Beijing in preserving its spying operations in the United States.

The recent TYPHOON campaigns have triggered alarms over China’s perceived move from intellectual property and data theft to pre-positioning cyber resources to be able to conduct disruptive attacks in the event of conflict with the United States. While such infiltration would certainly facilitate these acts, it also allows China to robustly surveil, monitor, and spy on targets on a more comprehensive level, as some other governments are able to do. What the wiretap and OFAC breaches reveal is that Beijing is not just interested in the theft of trade secrets and information that would give it economic benefit on the world stage, but is also conducting the types of spying activities that most states do. Only in this case, China has found a way to exploit a resource that many consider an off-limits target, and observers worry more about what could be done than about what has been done. The fact that a nation state has compromised critical infrastructure is bad enough, but it is not on par with what allowed such breaches to happen in the first place, whether that be poor security patching practices, third-party exploitation, or supply chain attack. There are only so many times you can blame a thief for robbing your house before you take responsibility for making sure that you’ve done what you can to secure it in the first place.

There is considerable uncertainty about how Trump will deal with the Chinese cyber threat, particularly given Beijing’s long history of economic espionage, which may have aided its technology development and unfair trade practices. Exacerbating matters is the recent revelation of suspected Chinese hackers targeting phones used by Trump and JD Vance in the runup to the election. Some in Trump’s camp advocate cyber attacks against China to retaliate for the various TYPHOON activities, a course of action that will likely not yield the result many hope for, especially against a near-peer cyber adversary. Trump will undoubtedly look to use economic leverage when engaging Beijing, and may even look to other countries victimized by China to coalesce against the threat from a standpoint of unified strength. This may be a better way of bringing Xi to the table to have a serious discussion about the cyber activities both governments have been accused of deploying against each other. The fact that Beijing has upped its activities to target critical infrastructure may be less about the threat of disruption, and more about demonstrating China’s evolution into a legitimate cyber power. Such an acknowledgement may be the very ticket to begin shaping the types of activities that will inform responsible state behavior in cyberspace.

Emilio Iasiello

About the Author


Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.