
Why this is China's golden age of hacking

SACHA PFEIFFER, HOST:

Cyberattacks backed by the Chinese government are increasing. The Department of Justice indicted two hackers earlier this month and charged them with spying on behalf of the Chinese government. Dakota Cary studies China and cyberactors, and he's described this moment as China's golden age of hacking. He's a nonresident fellow at the Atlantic Council's Global China Hub and a consultant at the cybersecurity platform SentinelOne. Dakota, thanks for coming on the show.

DAKOTA CARY: Of course. Thanks so much for having me.

PFEIFFER: Tell us some details about who was indicted and what the charges against them are.

CARY: So we have two individuals who were indicted, Xu Zewei and Zhang Yu. These two individuals worked at different companies in Shanghai. They've been charged with a variety of crimes typical in hacking cases - violations of the CFAA and intellectual property theft - specifically engaged in intellectual property theft research at universities in the U.S. for coronavirus vaccines. The indictment from the Department of Justice says that Zhang Yu and Xu Zewei both acted at the direction of the Shanghai State Security Bureau. That language, at the direction, is very specific language. It means that the Department of Justice and the FBI can establish a causal link between the intelligence services telling them what to do and then these individuals going and doing that behavior.

PFEIFFER: There's a U.S. cybersecurity firm, CrowdStrike, that put out its 2025 global threat report in February, and that report found that Chinese-backed instances of cyberespionage were up 150% from the previous year. How much is that reflected in the hacking we're experiencing in the U.S.?

CARY: I would say that this hacking increase is actually not only just in the U.S., but it's actually global, and it stems from investments that China made in its cybersecurity talent pipeline almost a decade ago. When Xi Jinping came into power, the Snowden revelations had just occurred. China was very aware that the cyber domain was going to be important in international competition in the coming century, and so they invested in university programs and other ways of training hackers so that eventually they would go on to graduate and do these types of jobs for the government.

PFEIFFER: So is this viewed within China as dirty work or legitimate business or maybe a little of both?

CARY: The attitude has shifted over the last 30 years or so. A wonderful report by a friend of mine, Eugenio Benincasa, covers this in detail, where hackers in the '90s and early 2000s were patriotic and self-organized, and then there was an interregnum between, you know, 2002 and 2009 where the government looked down on this behavior and then eventually came to the realization that they could standardize and professionalize the service to achieve their political objectives, and that's exactly what they've done.

PFEIFFER: So what are they trying to gain by the hacking?

CARY: There's actually a diverse motivation across the folks doing the hacking. When we think about the government organizations behind this, the Ministry of Public Security - these can be - think of the internal or domestic security force in China. They're really concerned about political security, and so a lot of their hacking operations are into dissidents who live overseas or the Chinese diaspora that they're trying to keep tabs on.

The Ministry of State Security fulfills a civilian intelligence role, thought of as like the NSA or the CIA in the United States, and they're responsible for political intelligence collection. What government is going to do what? Who is negotiating with whom? Who has good relationships, and who does not?

Finally, the PLA, China's military, is responsible for procuring intelligence on foreign militaries and preparing for armed conflict. So when we hear about intrusions into U.S. critical infrastructure, these are the groups associated with the military that are preparing for armed conflict so that they can disrupt U.S. critical infrastructure and impact our lives.

PFEIFFER: Most of us civilians have experienced multiple data breaches, notifications from companies that our Social Security numbers have been released. Explain why the general public needs to be concerned about this, if at all, because you're talking about state-backed cyber attacks more than it seems to be the kind of data breach letter we often get in the mail.

CARY: If intellectual property is stolen, for example, that intellectual property is then used by competitors in China that then displace market share from U.S. firms, and it results in job losses in the United States. And so U.S. Steel is actually a really good example where the company was hacked. They lost valuable intellectual property. And then over the following decade, they lost market share and, as a result, had to close down factories, and there were job losses in the United States. And so it took a hack from something kind of, you know, abstract and happening on somebody else's computer into your kitchen.

PFEIFFER: So this is so interesting. I have a - sort of a detailed question about what these Chinese government hacking operations - how they work, what they look like behind the scenes. So they're actually private contractors working with various parts of the government. Is that typically the relationship?

CARY: So there are two groups or two ways that we think about these private companies interacting with the government. When private companies are selling services - offensive hacking to the military - they're typically selling them tools that the military is going to use, and we can think of this like a military buying weapons that then military personnel are going to go use and deploy.

When we think about the intelligence services, the model shifts a little bit. We know from leaked documents in 2024 that a company called i-Soon was selling services and intelligence to a wide number of customers, including the Ministry of Public Security, the Domestic Security Force, as well as the intelligence services, the Ministry of State Security. They, though, were hacking first and selling access and intelligence later, which meant that they would go out and carry out an operation and then try to find somebody to buy that information or access from them. So there's a wide breadth of how these operations occur, and it depends on how good these hackers are and their relationship with the government.

PFEIFFER: We obviously know that a lot of countries spy on one another and have for a very long time, centuries. The methods just get more modern. Is there anything unique about China's hacking infrastructure?

CARY: The way that China hacks is not particularly unique. Their economic model for contracting with these hackers is an innovation in the space. We've not seen other countries kind of put out a wish list of information and then just pay people who are willing to come forward with that information. That said, China is unique among countries in their ability to operationalize stolen intellectual property into their economy. And so in that way, the targeting and the purpose of Chinese hacking is very different from other nations.

PFEIFFER: Is there anything you want the American public to know why they should really focus on cyber protection?

CARY: When a foreign government is harassing individuals inside of the United States for what they say and believe in our country, that is an affront to the way that we have organized our government. And the values that we believe in - freedom of speech, everything that's in our Constitution - should be guaranteed to the people who live here. And I think China's attacks on dissidents overseas, particularly those in the United States, where people are harassed or even, you know, forcibly put onto planes and taken back to China - I think that's a direct affront to the way that we choose to live our lives.

PFEIFFER: That's Dakota Cary. He studies China and cyberactors. Thank you.

CARY: Thank you.

Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Sacha Pfeiffer is a correspondent for NPR's Investigations team and an occasional guest host for some of NPR's national shows.
Kai McNamee
[Copyright 2024 NPR]