China turns to private hackers as it cracks down on online activists to mark Tiananmen Square anniversary

Every year ahead of the June 4 anniversary of the Tiananmen Square massacre, the Chinese government tightens online censorship to suppress domestic discussion about the event.

Critics, dissidents and international groups expect an increase in cyber activity, ranging from emails with malicious links to network attacks in the days and weeks leading up to the anniversary.

Much of Beijing’s cyber activity is done in secret. But a recent restructuring of China’s cyber power and a document leak exposing the activities of Chinese technology company i-Soon have shed some light on Beijing’s approach to hacking.

As a China expert and open source researcher, I believe the latest revelations bring down the curtain on a contractor ecosystem in which government officials and commercial operators are increasingly working together. In short, Beijing is outsourcing its cyber operations to a patchwork of private sector hackers who offer their services out of a mix of nationalism and profit.

From censorship to cyber attacks

Chinese authorities restrict the flow of information online by banning search terms, scanning social media for subversive messages and blocking access to foreign media and applications that may host censored content. Controls on online activity are particularly tight around the anniversary of the 1989 Tiananmen Square protests, which ended with a bloody crackdown on demonstrators by troops on June 4 that year.

Since then, pro-democracy activists have tried to commemorate the massacre on its anniversary – and Beijing has tried to counter mention of the crackdown. Chinese internet users are noticing more restrictions and censorship in the run-up to the anniversary, with more words being banned and even certain emojis – such as candles, which signify vigils – disappearing.

In 2020, Chinese authorities ordered Zoom, a US tech company with a development team in China, to suspend the accounts of US-based activists commemorating June 4 and to cancel online vigils on the platform. Zoom complied, stating that it was following local laws.

In addition to censorship, cyber attacks on dissident groups and Chinese-language media in the diaspora have also taken place on or around the commemoration.

On June 4, 2022, Media Today, a Chinese-language media group in Australia, suffered an unattributed cyberattack on its user accounts. And earlier this year, the US Department of Justice charged seven China-based hackers with sending malicious tracking emails to members of the Inter-Parliamentary Alliance on China, a group formed in 2020 to mark the anniversary of the Tiananmen Square massacre.

China’s cyber power

The increasing sophistication of online attacks on dissidents and international groups comes as China has restructured the agencies responsible for its cyber operations.

Today, much of China’s malicious cyber activity is carried out by the Ministry of State Security, or MSS, the country’s main intelligence agency and secret police. But before the MSS took on this role, the People’s Liberation Army (PLA) was responsible for the first cyber attacks attributed to the Chinese government. In 2015, the PLA dedicated a new service to cyber warfare and network security, the Strategic Support Force.

But in April 2024, the PLA abruptly announced the dissolution of the Strategic Support Force and the creation of three new forces: the Aerospace Force, the Cyberspace Force and the Information Support Force. They, together with the existing Joint Logistics Support Force, report directly to the Chinese Communist Party.

This restructuring comes at a time of political uncertainty for the Chinese leadership. In 2023, Defense Minister Li Shangfu became just months away from taking on his new role, along with Foreign Minister Qin Gang and Rocket Force commander Li Yuchao.

Although Beijing has not yet announced details of the military reorganization, its timing seems to send a message. President Xi Jinping personally presided over the inauguration of the Information Support Force, telling the force’s members to “listen to the Party’s orders” and be “absolutely loyal, absolutely pure and absolutely trustworthy.”

Hackers: patriots, pirates or profiteers?

The restructuring of China’s cyber power coincides with a trend toward outsourcing malicious cyber operations to private sector contractors acting with the explicit or tacit approval of the state.

In February 2024, a document leak exposed an underground network of Chinese cyber contractors hacking for profit.

Cyber experts have long suspected that hackers may be working with the Chinese government, but the leak shows how operators working for the Chinese company i-Soon sell services and products to Chinese government agencies and state-sponsored threat groups. The company was founded in 2010 by Wu Haibo, a former member of the Green Army, often described as China’s first hacker community.

The Green Army was founded in 1997 so that hackers could learn and exchange hacking techniques. In 1998, patriotic Chinese hackers began organizing cyber attacks. For example, when riots in Indonesia caused by the Asian financial crisis sparked racist violence against Chinese Indonesians, Chinese hackers targeted Indonesian government websites.

In 1999, Chinese hackers destroyed US government websites after NATO’s accidental bombing of the Chinese embassy in Belgrade. The term ‘honker’, meaning ‘red hacker’ in Chinese, emerged around this time to describe Chinese hackers motivated by ideology and nationalism.

Yet Chinese hackers have an uneasy relationship with the authorities. While they provide the Chinese government with both cyber skills and plausible deniability, they tend to cloud Beijing’s foreign policy when their actions go too far and draw criticism.

They are also susceptible to cybercrime, such as fraud and intellectual property theft, in addition to state-sponsored espionage.

The Chinese government and prominent “patriotic” hackers have previously tried to rein in the community and promote legitimate work such as cybersecurity.

However, the i-Soon leak documents how Chinese state-sponsored contractors engage in bribery and other illegal activities.

Exploiting security flaws

China’s cyber capabilities have grown through the control and exploitation of cyber professionals, state-sponsored or otherwise. But it’s a complicated relationship.

To gradually eliminate hackers’ criminal behavior, Beijing has developed a pipeline to train its cyber workforce. And partly to avoid sharing expertise with foreigners, Chinese cyber professionals are generally excluded from international hacking competitions.

Although cybersecurity is improved when security professionals share newly discovered security flaws, Chinese regulations limit the flow of such information. By law, software vulnerabilities discovered in China must be immediately reported to the Chinese government. Experts believe that the Ministry of State Security then exploits this data to develop cyber-offensive capabilities.

Still, the i-Soon leak points to corruption in at least one corner of China’s growing network of commercial hackers. Internal correspondence shows that contractors bribe government officials with money, alcohol and other favors. Reports also show that contractors are failing to generate revenue, delivering substandard work and complaining about their workers’ salaries.

As local governments in China struggle to pay for basic services in a weak economy, companies like i-Soon, which support Beijing’s cyber operations, are facing not only political but also financial headwinds. Despite Beijing’s intention to implement an online crackdown on June 4 every year, the cyber forces it deploys for this purpose face their own problems that invite investigation and rectification by the Chinese Communist Party.

This article is republished from The Conversation, an independent nonprofit organization providing facts and analysis to help you understand our complex world.

It was written by: Christopher K. Tong, University of Maryland, Baltimore County.

Christopher K. Tong does not work for, consult with, own shares in, or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.