
China's Cyber Espionage Campaign

Bola Ogbara

The latest PRC-linked cyber-espionage activity includes the impersonation of a sitting congressman in spear-phishing emails aimed at collecting intelligence on US trade negotiations. The US and partner nations have also released a joint cybersecurity advisory with mitigation guidance against related PRC state-sponsored intrusions.


On September 8, the House Select Committee on China published a press release detailing the latest cyber-espionage efforts attributed to the People’s Republic of China (PRC). The campaigns targeted organizations and individuals working on trade policy and diplomacy, including federal agencies, businesses, DC think tanks, law firms, and at least one foreign government.


The committee described the specific activity it uncovered: “In recent weeks and on multiple occasions, suspected Chinese cyber-attackers impersonated Chairman John Moolenaar in emails to trusted counterparts, attempting to deceive recipients and get them to open files and links that would grant the cyber-attackers access to their systems and information during on-going, high-level U.S.–China trade engagements, unbeknownst to the victim.”


Technical analysis reportedly showed that the attackers abused legitimate software and cloud services to hide their activity while exfiltrating sensitive data, tradecraft that is consistent with state-sponsored espionage, though not unique to it, since criminal groups use the same blending-in techniques. The attackers reportedly abused developer tools to gain a foothold in applications and quietly funnel data to their own servers, all with the aim of “influencing U.S. policy deliberations and negotiation strategies to gain an advantage in trade and foreign policy.”


Republican Chairman Moolenaar, whose identity was used in the operation, condemned the attack in the statement: “This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people. We will not be intimidated, and we will continue our work to keep America safe.”


The statement also disclosed an earlier PRC-linked campaign. In January 2025, a spear-phishing campaign stole the Microsoft 365 credentials of four House Select Committee on China staffers. Posing as a representative of ZPMC North America (ZPMC is a PRC state-owned engineering company), the attackers used a file-sharing lure that directed the staffers to a credential-harvesting site. Because the victims typed their credentials into the attacker’s page themselves, no malware was needed, which is also why endpoint protection alone would not have caught it.
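The January 2025 lure is ordinary credential phishing: a trusted-looking sender, a file-sharing pretext, and a link to a page that harvests whatever is typed into it. The script below is an added example, not code from the page or from the Select Committee, of the triage heuristics a mail-security team would apply to such a message before a recipient clicks. Every person, domain and message in it is a constructed placeholder; the trusted-people and trusted-domain tables stand in for an organization's own directory.

```python
"""
Triage heuristics for file-sharing credential-phishing lures.

Added example, not code from the page or from the Select Committee. Every
domain, person and message below is constructed for illustration; the
'trusted' sender and domain tables are hypothetical placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical: people whose name an attacker might borrow, and the domain they really send from.
TRUSTED_PEOPLE = {"jane chair": "committee.example"}
# Hypothetical: domains of organisations that legitimately correspond with the target.
TRUSTED_DOMAINS = {"committee.example", "partner-engineering.example"}
# Hosts a genuine file-share notification links to (illustrative, not exhaustive).
FILESHARE_HOSTS = {"sharepoint.com", "onedrive.live.com", "1drv.ms", "dropbox.com"}
FILESHARE_BRANDS = {h.split(".")[0] for h in FILESHARE_HOSTS}


@dataclass
class Message:
    display_name: str
    from_addr: str
    link_text: str   # what the recipient sees
    link_href: str   # where the link really goes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted partner domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_fileshare_host(host: str) -> bool:
    """True only if the host is, or is a subdomain of, a real file-sharing service."""
    return any(host == h or host.endswith("." + h) for h in FILESHARE_HOSTS)


def triage(msg: Message) -> list[str]:
    """Return the reasons a message looks like a credential-harvesting lure (empty if none)."""
    findings: list[str] = []
    sender_dom = msg.from_addr.rsplit("@", 1)[-1].lower()
    href_host = (urlparse(msg.link_href).hostname or "").lower()
    text = msg.link_text.lower()

    # 1. Display name belongs to a known person, but the mail comes from elsewhere.
    expected = TRUSTED_PEOPLE.get(msg.display_name.strip().lower())
    if expected and sender_dom != expected:
        findings.append(f"display name impersonates {msg.display_name!r}; sender domain is {sender_dom}")

    # 2. Sender domain is a near-miss of a trusted domain (typo-squat).
    for trusted in TRUSTED_DOMAINS:
        if sender_dom != trusted and edit_distance(sender_dom, trusted) <= 2:
            findings.append(f"sender domain {sender_dom} resembles trusted domain {trusted}")

    # 3. Link text promises a file-sharing service, but the link does not go there.
    if any(b in text for b in FILESHARE_BRANDS) and not is_fileshare_host(href_host):
        findings.append(f"link text {msg.link_text!r} but link host is {href_host}")

    # 4. Service brand smuggled into the hostname of an unrelated domain.
    for brand in FILESHARE_BRANDS:
        if brand in href_host and not is_fileshare_host(href_host):
            findings.append(f"{brand!r} appears in hostname {href_host}, which is not the real service")
            break
    return findings


# Constructed samples: one lure of the kind described above, one legitimate notification.
LURE = Message("Jane Chair", "j.chair@partner-engineerlng.example",
               "Review the shared file on SharePoint", "https://sharepoint.secure-docs.example/login")
BENIGN = Message("Jane Chair", "jane@committee.example",
                 "Open in OneDrive", "https://onedrive.live.com/view?id=1")

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.from_addr, "->", triage(m) or "no findings")
```

The four checks are deliberately independent so that a lure tripping several of them scores higher than a single coincidental hit; in practice the trusted tables come from the organization's address book and partner list, and the file-sharing host list should be the tenant's actual sanctioned services rather than the illustrative set above.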


This incident was reported to the Federal Bureau of Investigation (FBI) and the US Capitol Police, and the Select Committee “will continue to share indicators with federal partners and impacted organizations and will support any necessary defensive or investigative actions.”


While the FBI has yet to comment on the matter, the spokesperson for China’s embassy in Washington, Liu Pengyu, has denounced the allegations, saying the Committee members “have consistently resorted to unscrupulous means to attack and smear China” and asking them to “cease their erroneous actions.”


The embassy responded the same way to the Salt Typhoon intrusions. After that campaign, which compromised the infrastructure of nine US telecommunications firms and exposed the cellular metadata of many Americans, the embassy called the accusations “unfounded and irresponsible smears and slanders”.


Despite these denials, several nations recently collaborated on a cybersecurity advisory (CSA) addressing the activity cluster behind the Salt Typhoon intrusions: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. The advisory warns of a cluster of cyber threat activity by “Advanced Persistent Threat (APT) actors” who are specifically targeting “networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks…These actors often modify routers to maintain persistent, long-term access to networks.”


The advisory says this PRC-sponsored activity overlaps with what industry reporting tracks as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor (overlapping vendor names for the cluster rather than five unrelated groups). The CSA notes that the actors typically exploit publicly known common vulnerabilities and exposures (CVEs), and that the authoring agencies have not observed them exploiting zero-day vulnerabilities, which makes timely patching of internet-facing network devices the single most effective defense. The actors also route their operations through virtual private servers (VPSs), previously compromised routers, and other vulnerable internet-exposed devices, using them as infrastructure for intrusions into enterprise and telecommunications networks and to obscure where the activity originates.


Fortunately, the CSA covers a number of mitigation strategies, namely 1) hardening management protocols and services, 2) implementing robust logging, 3) routing best practices, 4) virtual private network (VPN) best practices, and 5) Cisco-specific recommendations. The document goes into more detail on each of these, and also offers general recommendations for defending against the PRC-sponsored APT actors:


  1. Continuously monitor network devices for suspicious activity, such as unexpected configuration changes, new accounts, or unusual outbound connections
  2. Establish a robust change-management process, with regular reviews of device configurations against a known-good baseline
  3. Scope the full extent of a suspected intrusion before remediating, so the threat actor can be evicted in one coordinated action rather than tipped off and allowed to re-enter
  4. Block outbound connections from management interfaces to prevent lateral movement to other network devices
  5. Use only encrypted, authenticated management protocols, and disable all others, along with unused ports and services
  6. Rotate administrator credentials, prioritizing network appliances and devices
  7. Remove password authentication where possible to blunt brute-force and password-spray attempts, and require public-key authentication for administrative roles
  8. Keep network device operating systems (OSs) current, patched, and aligned with vendor security updates


On top of this guidance, the advisory shares critical resources to help organizations improve their cybersecurity posture, focusing on the US and the UK, with a small highlight on international resources. Hopefully these tools can help slow down China-backed cyber espionage operations not just in the US, but across the globe.