A Chinese cybersecurity company recently published an annual report in which it disclosed that it had recorded more than 1,300 advanced persistent threat (APT) attacks against 14 critical sectors in China in 2024. Per the 360 Security Group, leading targets included government agencies, scientific research, national defense/military industry, transportation, and education. The attacks primarily originated from North America, South Asia, Southeast Asia, and East Asia. The company linked the attacks to some of the more active groups, such as the suspected U.S. threat actor APT-C-39, APT-C-01, and OCEAN LOTUS, and also identified two new APT groups, APT-C-70 (RHINO UNICORNIS) and APT-C-65 (GOLDEN POTHOS). The types of observed activity varied and included, but were not limited to, the theft of sensitive information, inflicting disruption, and conducting strategic sabotage, depending on the political, military, or economic intent of the governments behind the attacks.
If the information is valid, the report is noteworthy as it shows China revealing the types of nation-state threats it faces in cyberspace, and where these actors originate. In the past, China would only acknowledge that it was the victim of cyberattacks, just as any other country. But this report makes a point of identifying specific APT groups and the Chinese organizations they have targeted, something China has started to do over the past couple of years via cybersecurity vendor reporting. While it may not be surprising that the company identified alleged U.S. cyber malfeasance, it is interesting to note how many of these campaigns originated in the Asia-Pacific region, which may be more telling about how regional actors feel about understanding China’s intentions. However, like any cybersecurity vendor report, the publicizing of this information puts foreign actors on notice that they are being watched and their activities monitored.
It’s also further reinforcement that Beijing is mimicking the United States in how it relies on its “private sector” to expose the activities of state cyber threat actors. In recent years, Beijing has become more assertive in using its media apparatus to engage Washington on cyber issues in an attempt to win over public opinion, or at least to cast the United States in an unfavorable light. The United States has done this for quite some time with varying levels of success, warning the global community about Chinese cyber espionage or Chinese IT companies, and trying to get the world to follow Washington’s lead in banning equipment or imposing other economic or diplomatic punitive measures. Ever since the first APT-1 report, U.S. cybersecurity companies have eagerly published accounts of alleged Chinese spy campaigns, further painting Beijing as a bad-faith state cyber actor. No longer content to remain silent, Beijing has embraced these tactics, trying to turn the tables on the United States and any government that points a finger at China. This is something that Beijing must see as a winning formula in its discourse war with the United States, which is not surprising given China’s history of copying the United States in areas of strategic importance.
For example, China has long borrowed or outright stolen U.S. intellectual property and technology in the military field, giving Beijing the early, though now outdated, reputation of being a copycat rather than an innovator. This can be seen in China’s replication of prized U.S. military assets, such as the F-22 designs for its Chengdu J-20 and the U.S. aircraft carrier designs that it put into its Fujian carrier. Even China’s recent military reforms have restructured its military in a way that more closely resembles the United States than its previous iteration. Notably, China has abandoned its old command structures in favor of a more flexible realignment capable of conducting joint operations. Even as it evolves, Beijing’s first inclination is to look to the United States ahead of any of its allies or friends.
So, it should come as no surprise that Beijing has done, and is likely doing, the same thing when it comes to cyber warfare. Now a proficient cyber actor, China at the onset often mimicked U.S. military thinking on the use of Information Warfare (IW). According to noted China expert James Mulvenon, China’s early writings on IW closely mirrored U.S. military doctrine, either borrowing heavily from it or “outright plagiarizing” it. Though China’s thinking in this space has evolved considerably and now reflects the information space in terms of Chinese characteristics, it is clear that Beijing still follows what the United States does and says closely for the purpose of adapting it to fit its own needs. This is seen in how it uses cyber espionage, conducts cyber diplomacy via its tech companies in the developing world, and pushes to become an influence in setting tech standards. Certainly, the mass cyber espionage apparatus that steals data, infiltrates networks for sustained access, and has allegedly compromised critical infrastructure targets in key countries (e.g., the United States, India) could be viewed as Beijing’s attempt at creating its own global surveillance capability, similar to what Snowden exposed in his leaks.
But as the fissure widens between Beijing and Washington, and the fight spills into public discourse and media channels, one question lingers: Will China continue to copy what the United States does and adopt its own active defense program in cyberspace?
The premise of “active defense” is that a government will preemptively “attack” an aggressor for the purposes of defense – something the United States has led on and that more governments are following. Still, active defense seems contradictory, a justification for a government to take unilateral or multilateral action in cyberspace to commit its own offensive infractions. There is nuance in that fine line between proactive defense and crossing borders and legal boundaries in executing offensives against a would-be attacker. Beijing has been consistent across many different disciplines in its position on not being an aggressor. Whether it be its policy on nuclear weapons, cyber attacks, or even tariffs, China has long maintained its position that it will never be the one to initiate any of these offensives. This, coupled with the fact that China is in a constant state of trying to combat the negative perception of its brazen cyber spying, would make outright pursuit of such an endeavor counterproductive to Beijing’s interests.
However, under Xi’s more aggressive foreign policy stance toward those against China’s ascent, such a policy could go into effect if Beijing feels pushed into that corner. A common question raised is: why doesn’t the United States hack China back? Notwithstanding that the public has little insight into what happens behind classified closed doors, one simple reason is that China has spent the better part of 20 years evolving its cyber capabilities and is no longer substantially behind the United States in that capacity. The United States still reigns at the top, but the distance between Tier One and Tier Two is closing, especially as China engages in a full-court press in all things cyber. The fact that China has been bolstering its long-term security agreements with Iran and Russia as a natural response to heated U.S. rhetoric, which includes strengthening the cyber bonds between other cyber-capable U.S. antagonists, raises further concerns for the United States. Worse, in the court of public opinion, any further militarization of cyberspace could be perceived as a move prompted by the United States, which has led in this effort, as China’s cyber activities have overwhelmingly been cyber espionage and not cyber attack. After all, no study has quantified how active defense has improved security, but it’s clear that more governments want in on that arrangement, which means more state attacks will occur across boundaries and borders.
Suffice it to say that it is unlikely for Beijing to adopt an official active defense policy – unless it feels painted into a corner to do so. And given the extent to which China is believed to have compromised networks worldwide, that is not a comforting thought, especially in the wake of SALT TYPHOON activities that have compromised critical infrastructure networks. China should remain patient as it continues to expertly play the long game, and cyber is the perfect environment for it to make steady, incremental gains that could pay dividends when all is said and done.