>
Research (Insikt)

From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations

Publié : 23rd November 2022
By: Insikt Group®

insikt-group-logo-updated-3-300x48.png

Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.

This report examines how China conceptualizes and executes cyber coercion and cyber warfare, with a focus on Taiwan. It will be of most interest to Taiwan’s government and military, governments and militaries active in the Indo-Pacific region, as well as researchers who focus on China’s military and cyber activities. The report’s authors, Devin Thorne and Zoe Haver, thank Jessica Drun and Joe McReynolds for their generous reviews and support. Information about the authors can be found at the end of the report.

Executive Summary

The leadership of the People’s Republic of China (PRC) firmly believes that Taiwan (ROC) belongs to China. Despite the fact that Taiwan has never been part of the PRC, the Chinese party-state has long sought “reunification” with Taiwan, describing “reunification” as “a shared aspiration of all the sons and daughters of the Chinese nation”, “indispensable for the realization of China's rejuvenation”, and “a historic mission of the Communist Party of China”. In support of this objective, China has consistently attempted to influence Taiwan’s behavior, including through coercive diplomatic, economic, and military activity.

Furthermore, China’s party-state has vowed to oppose “separatist forces” and “external interference” by the United States, emphasizing that China will strive for peaceful “reunification” with Taiwan but “will always be ready to respond with the use of force or other necessary means to interference by external forces or radical action by separatist elements”. This is not an empty threat: the People’s Liberation Army (PLA) has long prioritized preparations for a full-scale amphibious invasion of Taiwan, and the PLA is actively pursuing the capabilities that it needs to successfully carry out such an invasion.

With a focus on Taiwan scenarios, this report assesses how the PLA and other relevant actors in China conceptualize and execute cyber coercion and cyber warfare. The report analyzes China’s theory of cyber coercion in general and in cross-strait relations, as well as China’s theory of cyber warfare and cyber activity in cross-strait conflict scenarios. The report then surveys China’s network forces and examines China’s efforts to prepare for and execute peacetime and wartime cyber activity, focusing on network forces development, network reconnaissance, and network attacks.

We find that, during peacetime, China is very likely to use network coercion to compel the cessation of perceived pro-independence activities or deter any perceived moves by Taiwan toward independence. During wartime joint landing or blockade campaigns against Taiwan, China would almost certainly engage in network warfare to help seize information dominance, with major targets being military and civilian information systems as well as critical infrastructure. We judge that China’s efforts to carry out network forces development, network reconnaissance, and network attacks are equally relevant to peacetime cyber coercion and wartime cyber operations. China is leveraging universities, private enterprises, hacking competitions, cyber ranges, and other means in a whole-of-nation effort to develop weapons and talent for use in both peacetime and wartime network operations. China-linked cyber threat actors have also demonstrated a willingness to use network scanning, phishing, domain spoofing, zero-days, and other tools to carry out network reconnaissance, likely aiming to acquire intelligence and prepare for network attacks. Moreover, China-linked cyber threat actors have already carried out ransomware, distributed denial-of-service (DDoS), and defacement attacks against Taiwan during peacetime and have revealed an interest in attacking adversaries’ critical infrastructure.

Key Judgments

  • China very likely views the use of cyber capabilities as an option for compelling the Taiwanese government or public to cease perceived pro-independence activities or deterring perceived moves toward Taiwanese independence.
  • If China decides to use force against Taiwan, cyber capabilities would almost certainly be used to seek information dominance as part of joint landing or blockade campaigns.
  • China’s network forces available for use in coercion and war include armed forces units, the personnel of civilian government organizations, and civilians in technology enterprises, and likely also “hobbyists” or patriotic hackers.
  • China almost certainly views the full range of cyber attack and technical network investigation tools found in the military and civilian spheres as applicable in coercion and war.
  • Network weapons and talent development pipelines in China include military weapons development and training programs, civilian educational programs and recruitment, and national efforts to build cyber ranges.
  • China very likely views network reconnaissance, including network inspection and espionage, as an ever-present form of struggle, and has considerable capabilities for carrying out such activity.
  • Based on observed cases, China’s approach to cyber-enabled espionage prioritizes targeting mid-level and high-level telecommunications infrastructure from which threat actors can collect data on a range of more specific targets.
  • China’s objectives for cyber war and coercion almost certainly include disrupting, damaging, or destroying the function of military and civilian information systems and critical infrastructure, as well as shocking Taiwanese decision-makers and weakening their will to fight.

Sources

This report is organized around theoretical discussions of China’s approach to cyber coercion and warfare as well as evidence of China’s cyber capabilities in practice. The theoretical sections of this report draw heavily from authoritative PLA textbooks published by the Academy of Military Science (AMS; 军事科学院) and National Defense University (NDU; 国防大学). These include NDU’s Science of Campaigns (published in 2006), the 2013 edition of AMS’s Science of Military Strategy (hereafter SMS 2013), the 2017 edition of NDU’s Science of Military Strategy (SMS 2017), and the 2020 edition of NDU’s Science of Military Strategy (SMS 2020).

AMS and NDU are “China’s two premier defense institutes”, and foreign experts assess their various editions of Science of Military Strategy to be core textbooks “for senior PLA officers on how wars should be planned and conducted at the strategic level”. The 2001 edition AMS’s Science of Military Strategy is believed to have been used to “educate senior PLA decision-makers, including those on the [Central Military Commission], as well as officers who may become China’s future strategic planners”. Science of Campaigns has also been an important educational text used for teaching campaign theory. These edited volumes are not official descriptions of China’s military doctrine but are generally believed to provide insight into the PLA’s evolving thinking on various doctrinal challenges. When possible, we supplement our reading of these major PLA volumes with analysis of journal articles authored by personnel from Chinese cyber-related military and civilian organizations.

Cyber Coercion

This section discusses China’s theory of cyber coercion and the potential for China to use cyber coercion against Taiwan in peacetime, which China could very likely use in an effort to counter perceived moves toward Taiwanese independence. Coercion comprises 2 distinct theories of action to change the behavior of a target: deterrence and compellence. Deterrence uses the threat of punishment to prevent undesirable actions, and compellence wields punishment to motivate desirable actions (or cessation of undesirable actions). Coercion can take many forms, including diplomatic, economic, and military. States can also carry out coercion through cyber means, though experts question its effectiveness.

China’s Network Coercion Theory

The 2 elements of coercion, compellence and deterrence, are captured by a single word in Mandarin: weishe (威慑). The 2001 edition of the Science of Military Strategy defines weishe as “the military conduct of a state or political group in displaying force or showing the determination to use force to compel the enemy to submit to one’s volition and refrain from taking hostile actions or escalating … hostility”. Although SMS 2013 is less explicit, the PLA almost certainly continues to view theories of weishe as allowing for what foreign observers call compellence rather than deterrence alone. However, official English translations of Chinese military texts and government-issued white papers on defense strategy translate weishe only as “deterrence”. Below, we use weishe for clarity.

Weishe is both a peacetime and wartime activity, though primarily a peacetime activity given that its fundamental aim is to prevent the outbreak of war or escalation of threats. As a foreign PLA expert summarizes, weishe “is to be employed both before and after fighting begins, preferably to avoid war, but also to avoid horizontal escalation (to other regions or strategic directions) or vertical escalation (up the spectrum of violence, especially to nuclear war)”. SMS 2013 asserts that “the basic goal” of weishe is to “contain a possible offensive from the opponent”, “maintain the status”, or “stop activities that endanger oneself from happening”. Crucially, “activities that endanger oneself” (that is, China) almost certainly include threats other than war, such as threats to China’s political security and development interests.

Weishe is also an explicitly political endeavor that involves both military and non-military activity. SMS 2013 stresses that weishe aims to achieve political goals, is subordinate to politics, and requires the use of diplomatic, political, military, economic, science and technology, and other means. Likewise, SMS 2017 says that “in peacetime, the major role of strategic weishe is the application of national military, political, economic, cultural, diplomatic, and other strategic forces” to influence a state of affairs. The implication is that weishe is a whole-of-government effort and civilian entities are very likely involved in activities to support “integrated-whole _weishe_” (整体威慑) alongside any action the military may take.

The range of specific issues in response to which the PLA and the Chinese government may conduct weishe, whether military or non-military, is not explicitly listed in any texts reviewed by Recorded Future. However, China’s 2019 white paper titled “China’s National Defense in the New Era”, which was issued by the State Council Information Office, identifies the points listed below as goals of national defense broadly. We believe that this represents a relatively comprehensive list of objectives to which coercive capabilities — up to and including the threat of war — could be applied.

  • To oppose and contain “Taiwan independence”
  • To deter and resist aggression
  • To safeguard national political security, the people’s security and social stability
  • To crack down on proponents of separatist movements such as “Tibet independence” and the creation of “East Turkistan” (that is, an independent Xinjiang)
  • To safeguard national sovereignty, unity, territorial integrity, and security
  • To safeguard China’s maritime rights and interests
  • To safeguard China’s security interests in outer space, electromagnetic space, and cyberspace
  • To safeguard China’s overseas interests
  • To support the sustainable development of the country

Although China almost certainly views weishe as a strategic concept applicable to many threats, the majority of PLA and civilian texts reviewed by Recorded Future define cyber coercion, or network weishe (网络威慑), only with regard to the goal of deterring or responding to cyberattacks from an adversary. SMS 2013, for example, asserts that the goal of network weishe is specifically to “forcibly prevent the adversary from daring to willfully carry out large-scale network attacks” and “severe sabotage”, principally from “hostile nations” or “terrorist organizations”. The focus is on weishe “in kind … rather than the use of cross-domain” weishe. However, SMS 2017 and SMS 2020 also stress that network warfare should be integrated with struggles in the political, diplomatic, economic, and other domains to serve China’s overall strategic goals. Likewise, some non-authoritative sources, such as a 2019 article in China Information Security (中国信息安全) — which is affiliated with China’s leading civilian intelligence service, the Ministry of State Security (MSS; 国家安全部) — explicitly acknowledge that network weishe is “a kind of cross-domain weishe strategy” naturally integrated with the pursuit of state goals in other domains.

Even if network weishe is limited to countering threats in cyberspace, the scope of what constitutes a threat is likely quite large. China’s national defense goals include defending the country’s “security interests in … cyberspace”. Released in 2016 by the Cyberspace Administration of China, China’s National Cyberspace Security Strategy offers insight into what types of online threats network weishe might address in a section discussing the “severe challenges” facing China. These include threats to China’s political system, economy, culture, society, and national defense.

Cyber Coercion in Cross-Strait Relations

China could decide to carry out cyber coercion against Taiwan in an attempt to influence the behavior of the Taiwanese government or Taiwanese political parties, such as to compel the cessation of perceived pro-independence activities or to deter perceived moves toward Taiwanese independence. Indeed, China has likely already carried out cyber coercion against Taiwan, though it is often difficult to conclusively attribute a coercive motive to alleged Chinese cyber activity.

An instance of cyber coercion likely occurred in response to the visit of Nancy Pelosi, the US Speaker of the House of Representatives, to Taiwan in August 2022, when large-scale cyber attacks allegedly emanating from China hit Taiwan. The attackers, who cybersecurity analysts believe were likely hacktivists rather than China’s core network forces (discussed further in the China’s Network Forces section below), reportedly targeted government websites, utility and transportation websites, infrastructure like railway station screens, and screens in 7-Eleven convenience stores with DDoS attacks and other cyberattacks. Cyber threat activity targeting Taiwan reportedly began increasing as early as July 29, 10 days after the possibility of Pelosi’s visit was publicly reported and 2 days after the first “on-the-record” confirmation from a member of the US Congress that Pelosi had indeed invited other legislators to join such a trip. Citing Taiwanese Minister of Digital Affairs Audrey Tang, news organizations reported that “the volume of cyber attacks on Taiwan government units on [August 2], before and during Pelosi's arrival, surpassed 15,000 gigabits, 23 times higher than the previous daily record”. The Taiwanese authorities did not directly attribute the attacks to the Chinese government but did indicate that the attacks on government websites originated from IP addresses in China and Russia. The attacks reportedly did little damage as a result of Taiwanese cybersecurity mitigations. This cyber activity coincided with more easily attributable, non-cyber forms of coercion such as military exercises and missile tests.

Cyber Warfare

This section analyzes China’s theory of cyber warfare and the potential for China to use cyber warfare against Taiwan in conflict scenarios. We find that Chinese military strategists greatly prioritize offensive cyber action and that the PLA would almost certainly use offensive cyber means, such as “computer viruses” and “hackers”, to pursue information dominance during joint landing or blockade campaigns against Taiwan.

China’s Network Warfare Theory

The 2017 and 2020 editions of Science of Military Strategy argue that networks have become the center of the multidimensional battlefield, and that operations in the network space are, without exception, the backbone of winning wars. The goal of network warfare (网络战) and network operations (网络作战) is to degrade an adversary’s information environment, prepare to do so through network reconnaissance (网络侦查), and defend one’s own information environment. The network domain involves both computer- and internet-based military operations and electromagnetic warfare operations, though this report focuses on the former. PLA writings sometimes conceptualize the network domain alongside other domains like land, sea, air, and space; in other instances, they present it as a component of the broader information domain.

The various editions of SMS largely present a consistent description of network warfare’s characteristics. These include emphasis on the following aspects: wide scope, hidden quality, and destructive potential. Other texts reviewed by Recorded Future as well as broader surveys of works by Chinese analysts show these views are often consistent across diverse sources.

  • Wide Scope: The battlefield scope is massive because information networks are ubiquitous in modern life and because military and civilian networks are interconnected.
  • Hidden Quality: Attribution of an attacker or where an attack originates is exceedingly difficult to determine because network attacks are unbounded by time, place, or identity.
  • Destructive Potential: The effects of a network attack can be devastating across military and civilian systems because the scope of the network space is so wide.

SMS 2017 and SMS 2020 particularly highlight the blurred line between peace and war, noting the networks of all countries are being penetrated in peacetime. They further use America’s treatment of Iraq following the Gulf War and just prior to the 2003 Iraq War, which they claim entailed significant intelligence collection and psychological operations, as well as the use of the Stuxnet malware that targeted Iran’s nuclear program, to highlight how cyber warfare is defined by escalation and de-escalation in the level and scope of damage rather than the commencement and cessation of activity. These examples are also used to highlight how peacetime cyber operations can act as a forerunner to war. In other words, cyber warfare is a constant element of modern statecraft. Ye Zheng (叶征), the first director of AMS’s Informatized Warfare Research Office (信息化作战研究室), has gone as far as to argue that China’s network warfare forces should be constantly preparing to conduct network warfare operations and be in a “perpetual state of mobilization”.

While Chinese military strategists and analysts discuss both the offensive and defensive aspects of network warfare, offensive capability and “striking first” are greatly prioritized, though SMS 2013 says defense should be the primary consideration. Network operations are seen as an asymmetric weapon for a weaker state (as China perceives itself to be in some domains) to effectively oppose a stronger, technologically advanced adversary (namely, the US). The goal of striking first is to seize information dominance, thereby capturing the “initiative” of a conflict. That is, China can use first strikes to gain an advantage over its adversary, and likely in an overall contest, by disrupting the ability of an adversary’s information systems’ to effectively function. Some Chinese researchers argue that this “ideology of the offensive” was relatively mainstream among strategists until 2008, after which it became more tempered by a prioritization of defense. However, SMS 2017 continues to emphasize that even defense “relies on actively initiated offensive operations” to seize information dominance.

Cyber Activity in Cross-Strait Conflict Scenarios

If China chose to use military force in pursuit of “reunification” with Taiwan, the PLA would very likely carry out joint landing or blockade campaigns. According to PLA campaign writings, a joint landing campaign would almost certainly involve a push for sea and air dominance in the Taiwan Strait, as well as for dominance in the information domain. The campaign would almost certainly also use key-point strikes to disrupt Taiwan’s defenses, including its early warning detection systems, runways and hangars, command and communications systems, missile positions, and harbors. Other components would almost certainly include rapid, continual, and concentrated assaults to penetrate Taiwan’s coastal defenses and logistics operations to support the amphibious forces that successfully land on Taiwan. A joint blockade campaign would almost certainly aim to sever Taiwan’s “sea-air lanes of communication” by blockading enemy ports and navigational routes, carrying out monitoring, spot inspections, seizure, and attacks at sea, and implementing airborne monitoring, expulsion, intercepts, and attacks.

Joint landing or blockade campaigns carried out by China against Taiwan would almost certainly involve cyber activity as part of operations in the information domain. Science of Campaigns describes campaign information warfare as permeating the entirety of campaign operations, from beginning to end, and targeting enemy information detection sources, information channels, and information processing and decision-making systems. The textbook stresses that campaign information warfare comprises both information attack and information defense, and that the former includes network, electromagnetic, and psychological attacks, as well as physical destruction. It states that network attacks (mainly via computer viruses and hackers) are invasive and destructive activities that target enemy computers and computer network systems, including command and control systems.

During a joint landing or blockade campaign, the PLA would almost certainly seek information dominance during the early stages of the campaign, which Science of Campaigns frames as an essential prerequisite for seizing air and sea dominance. Information dominance in a joint landing campaign requires — among other components — carrying out information suppression, which includes the use of network attacks and other tools to degrade enemy “information systems’ information processing and decision centers”, “information detection sources and information channels”, “navigation and positioning systems”, “communications systems”, “early-warning detection systems”, and “anti-missile interception systems”. Information dominance during a joint blockade campaign requires — among other components — carrying out information reconnaissance, which includes network-based information attacks that aim to “infiltrate computer networks”, “break enemy information security codes”, “steal intelligence”, “implement encroachment by computer viruses”, “destroy enemy network operations processes”, and “paralyze enemy command and information systems”.

Preparation and Execution

This section seeks to bridge the gap between theory and execution, surveying China’s range of network forces and examining how China conceptualizes and then implements 3 key types of cyber activity: network forces development, network reconnaissance, and network attack. PLA writings strongly indicate that these 3 categories of activity are relevant to both peacetime cyber coercion and wartime cyber operations. SMS 2020 and SMS 2017 contend that, unlike the military struggles in other domains, network domain struggle is not limited to wartime, but is also found during political, economic, military, cultural, and science and technology struggles in peacetime. To this point, they call for the fusion of peace and war, which includes carrying out weishe, intimidating the adversary, constraining war, and preparing for war. Based on this evidence and observed patterns in China’s behavior, the content discussed in this section is almost certainly applicable to Chinese cyber activity that could target Taiwan before and during a war.

China’s Network Forces

China’s network forces include military, government, and non-governmental entities, a combination of which is very likely to participate in a conflict over Taiwan and the preparation for such a conflict. SMS 2013 identifies 3 types of forces for network operations.

First are professional network warfare forces, which are specially trained military units such as those within the Strategic Support Force’s (SSF) Network Systems Department (战略支援部队网络系统部) and other parts of the PLA. Network militias also provide a cyber capability within China’s armed forces.

Second are authorized forces, which are “local strengths” that can be approved by the military to carry out network operations, such as the MSS and the Ministry of Public Security (MPS).

Third are civilian forces, which are non-governmental entities that can “spontaneously carry out network attack and defense” or be mobilized for network operations. SMS 2017 and SMS 2020 specify that network-electromagnetic forces can include personnel from civilian enterprises and “even some hobbyists with specialized technical skills”. In 2015, a researcher affiliated with AMS's Combat Theory and Regulations Research Department (作战理论和条令研究部) described this arrangement of forces as “small core, big periphery” (小核心、大外围), calling for network militias, network police, patriotic hackers, and technical personnel from commercial enterprises to complement China’s military strength.

Notably, the entities named in this section are the same seen in real-world examples of peacetime cyber activities emanating from China, including cyber-enabled espionage carried out by the MSS and cyber coercion carried out by likely hacktivists (see Figure 1 below).

from_coercion_to_invasion_the_theory_and_execution_of_china_cyber_activity_figure_1.png

Figure 1: Defacement attack carried out by self-described patriotic hacking group Panda Intelligence Bureau during the 2017 China-South Korea THAAD dispute (Source: Boan News; Panda Intelligence Bureau)

Network Forces Development

Any significant cyber action that China’s military or intelligence forces might take against Taiwan, or in preparation for a Taiwan conflict, would be predicated on the availability of capable forces and effective cyber weapons. While much attention is paid to newly discovered cyber intrusions targeting Taiwan, there are lessons to be learned about China’s cyber capability, force strength and identity, and plans by investigating talent and weapons development pipelines. This section briefly outlines the preparation of China’s network forces and tools through authoritative sources and real-world examples.

The various editions of Science of Military Strategy discuss development of network warfare capabilities from the perspectives of both technical research and talent cultivation, though more detail is provided for the latter. With regard to network warfare weapons, these texts urge readers (presumably PLA officers and other relevant decision-makers) to “plan in advance” and prepare by studying “frontier trends” in technology. Specific types of capabilities to develop are not discussed beyond a call for “‘trump card’ [撒手锏] means”, but those listed in the Network Reconnaissance section below and those that would facilitate China’s network attack objectives (discussed in the Network Attack section) are very likely candidates.

These textbooks, particularly SMS 2017 and SMS 2020, devote more time to the higher-level concern of talent cultivation. They call for training “high-quality network confrontation talent” with a strong understanding of technology and tactics. They further identify 4 types of network warfare talent: 1) “advanced network command talent” for preparing war plans; 2) “staff officer talent” for carrying out network confrontation tasks; 3) “advanced professional talent” with special skills and the ability to develop network weapons; and 4) “network support talent” for operational maintenance and security. According to these textbooks, China’s network warfare forces should focus on strategy and strengthen their proactiveness, flexibility, and creativity.

Whole-of-Nation Solutions
All editions of Science of Military Strategy reviewed for this study emphasize the importance of military-civil linkages in preparing for, and carrying out, struggle in the network domain. SMS 2017 and SMS 2020 stress drawing on “specialized technical talent” from government departments, enterprises, and society in fostering talented personnel and conducting research relevant to network warfare.

In practice, the SSF’s talent development pipeline largely relies on military technical universities and research institutes, with recruitment from civilian universities also being an important avenue of talent acquisition. Network weapons development is contracted by the PLA and military educational institutions to civilian universities and information technology companies, but “the massive scale of the SSF’s information warfare programs requires a more controlled and regularized workforce that can only be properly maintained in-house”.

The MSS appears to rely relatively more heavily on external contractors, though it has an important in-house capability as well. For example, a professor in Hainan University’s Information Security Department allegedly worked with intelligence officers of the Hainan Province State Security Department to recruit and manage contract hackers for APT40. The professor reportedly helped establish at least one technology front company, orchestrated password cracking competitions with real-world applications among Hainan University students, and was a point of contact for recruited hackers on managerial issues like pay and benefits.

Examining military-civil and broader government-society coordination in support of China’s network capabilities and talent development for military and intelligence purposes reveals numerous real-world examples. A selection of these demonstrating coordination among academia, business, the military, and government are discussed below. Actors from all of these sectors could play a role in a Taiwan wartime scenario, based on the conception of China’s network forces found in SMS 2013 discussed above.

In academia, 100,000 cadres from Shanghai’s government and defense enterprises are learning “secrets theft and anti-secrets theft” skills through a training platform built by the Ministry of Education Engineering Research Center for Network Information Security Management and Services (网络信息安全管理监控与服务教育部工程研究中心) at Shanghai Jiao Tong University (上海交通大学). Separately, the Southwest University of Science and Technology Net Emergency Response Team (SNERT; 西南科技大学校园网络应急响应小组) in Mianyang, Sichuan, is actually a network militia that organizes training for other militia forces that involve building battlefield local area networks, reconnaissance of enemy system services and permissions, and intelligence interception.

Among businesses, the technology enterprise-sponsored 2018 Tianfu Cup hacking competition led to the discovery of a “chain of exploits” in iPhones that enabled China’s intelligence apparatus to spy on members of the Uyghur ethnic community between November 2018 and January 2019 (when Apple issued a fix). Qihoo 360 Technology Co., Ltd. (奇虎360科技有限公司), a cybersecurity company deeply involved in military-civil fusion programs and one of the Tianfu Cup sponsors, has at least one Beijing-based network security militia responsible, in part, for researching (and presumably carrying out if needed) forms of offensive and defensive network operations.

In military and government efforts, PLA Unit 61419 sought the purchase of multiple versions of English-language antivirus software, such as McAfee Total Protection and BitDefender Total Security, in 2019, likely for the purpose of developing their cyber capabilities. The China National Vulnerability Database of Information Security (CNNVD; 中国信息安全漏洞库), which is affiliated with the MSS, has also likely delayed public disclosure of high-threat vulnerabilities exploited by China-linked APT groups. Relatedly, national regulations likely facilitate opportunistic cyber espionage by requiring enterprises and other entities to report any discovered vulnerabilities to the government within 2 days. The use of zero-day vulnerabilities by China-based threat actors has reportedly increased since these regulations were enacted.

Training Infrastructure: Cyber Ranges
A specific means of developing network weapons and network warfare talent that is discussed in authoritative sources is the use of network (cyber) ranges (网络靶场). These are virtual environments for training and testing cyber capabilities. The construction of network ranges is a focus area for China’s government, and they are considered national defense mobilization resources. In addition to defensive uses, their offense-oriented use is to examine new network warfare weapons and methods, research tactics, and conduct network confrontation exercises, according to SMS 2017 and SMS 2020. In particular, they can support simulations for “target scouting, information theft, network intrusion, information theft, information or service destruction, and other attack methods”, as well as for evaluating the “attack effects” of various attacks.

A July 2022 tender from a PLA entity, likely the Xinjiang Military District (新疆军区), offers a clear example of how cyber ranges are being used to develop network attack and defense skills for jamming enemy communications, infecting different operating systems, and possibly attacking critical infrastructure. The tender was for a “network attack and defense range” (网络攻防靶场) to support team-based combat training. A stated requirement was the capability to simulate communications systems, signal patterns, and anti-jamming methods of foreign military ultrashort wave and microwave communications equipment. The cyber range was also supposed to include “mobile communications network reconnaissance implanting software” (​​移动通信网侦察植入软件) that would support real-time precise interception of the calls and texts of 4G mobile phones, trojan implantation, traffic hijacking, tampering, and vulnerability analysis, among other functions. The range would further support roughly 200 virtual targets including operating systems, databases, and security equipment; around 100 common attack vectors such as vulnerability exploitation, cross-site scripting, and privilege escalation; proof of concept (PoC)-based automatic attacks (基于poc的自动攻击); and simulated scenarios such as standard enterprise structures in civil aviation, telecommunications, and transportation.

Network Reconnaissance

In line with the assessment that network penetration is a defining feature of the peacetime environment and Ye Zheng’s aforementioned call for constant preparation and mobilization, the newest versions of Science of Military Strategy assert that intelligence collection via cyberspace is “the most prominent form” of confrontation during times of peace. In advance of a Taiwan scenario, whether a joint landing campaign, joint blockade, or both, China would almost certainly seek to gather up-to-date intelligence from government, military, and other targets in Taiwan. In fact, China’s penetration of Taiwan’s networks for a range of purposes is likely near constant. As early as 2003, Taiwan’s government leaders reported that hackers in China had used 23 different trojans to infiltrate 10 technology companies, from which they infected 50 more companies and 30 government agencies.

SMS 2013 defines cyber-enabled intelligence collection, or network reconnaissance, as the use of nondestructive network exploitation to acquire private information for the purpose of preparing future network attack and defense operations. Network reconnaissance entails reconnoitering an adversary’s C4ISRK, electromagnetic, and weapons control systems through network penetration (called “network secrets theft” [网络窃密]) and the retrieval of physical information storage devices with the aid of spies, third-party sellers, and other means (called “media secrets theft” [介质窃密]). SMS 2017 and SMS 2020 provide additional insight as to the intelligence to be targeted for acquisition, specifying the need for information on the enemy’s network systems (including structure and configuration [配置]), information capabilities, critical nodes, vulnerabilities, strategic plans, forces, methods, and potential courses of action. Network reconnaissance, therefore, includes both technical investigation of the enemy’s systems and espionage, which itself is also a broader objective of network attack. Both technical reconnaissance and espionage are discussed in this section.

Tools of Reconnaissance
SMS 2013 emphasizes that although their goals are different, the methods of network attack and defense are the same as those for network reconnaissance at the technical level. Specific network reconnaissance tactics acknowledged in this textbook include password cracking, information interception, and the use of spyware to acquire locally stored information. SMS 2017 and SMS 2020 are more vague, asserting that network reconnaissance is carried out using “viruses, trojan horses, hacker software”.

A 2020 paper by authors affiliated with the AMS Warfare Research Institute (中国人民解放军军事科学院战争研究院) and PLA Unit 31003, which may be the Joint Staff Department Network-Electronic Bureau (联合参谋部网络电子局), identifies more than 20 “common network attack methods”. The paper is defense-oriented but likely reflects awareness within major Chinese military institutions of these options for probing the technical features of adversary networks. Other authors associated with AMS have explicitly advocated that some of the same tools, including sniffers and vulnerability scanners, be developed for network reconnaissance. Methods listed in the 2020 paper include:

  • Network sniffers (嗅探器), including for full text and account passwords
  • Network scanners (网络扫描), including for location, vulnerabilities, and services
  • Information service exploitation (信息服务利用), including Finger and LDAP services
  • Social engineering (社会工程)
  • Network interception (网络拦截) through various methods
  • Network phishing (网络欺骗), including through IP and DNS deception, ARP attack, and email phishing

Looking beyond theory, such tools are used by China-linked threat actor groups in the real world. In a 2020 indictment released by the US Department of Justice (DoJ), several cyber actors (including 2 of those involved with APT41) are alleged to have used commercially available network vulnerability scanning tools such as Acunetix and SQLMap. The indictment loosely links APT41 to the MSS. TA413 and TAG-22 (Earth Lusca) likewise use the open-source tool FScan. In addition to using off-the-shelf options, APT41-associated actors also use custom software and malware to understand their targets, such as the queryable social media repository SonarX and MESSAGETAP, which intercepts and analyzes mobile phone text messages.

Illuminating the link between China’s strategic interests and network scanning, in 2018, Recorded Future discovered an IP address from Tsinghua University that made over 1 million connections to companies and agencies in Alaska as part of a bulk port scanning operation that immediately followed an Alaskan government delegation to China. A goal of the delegation was to negotiate a potential Alaska-China gas pipeline, and scanned targets included the Alaska Department of Natural Resources, State of Alaska Government, and various Alaskan telecommunications companies. In Taiwan, the deputy director of the Cyber Security Investigation Office of the Investigation Bureau of the Ministry of Justice (台湾法务部调查局网络安全调查办公室), Liu Chia-zung (劉家宗), warned in 2020 of China's “omnipresent infiltration” efforts. He asserted that since 2018, “at least 10 government agencies and the email accounts of some 6,000 officials” had been targeted with the goal of acquiring “important government documents and data”.

Other tactics on the list above have also been observed in the wild. For instance, during the 2020 US presidential election, MSS-linked RedBravo (APT31/Zirconium) “targeted [Joe Biden and Donald Trump] campaign staffers’ personal emails with credential phishing emails and emails containing tracking links”. TA423 (APT40) has been observed using social engineering tactics, posing, for example, as journalists from “Australian Morning News” and using email subjects like “Sick Leave” and “Request Cooperation”. More broadly, over the past 3 years, RedAlpha has been “registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT)”. This activity is very likely in pursuit of establishing initial access to sources of intelligence in Taiwan and elsewhere.

Modes of Espionage
A prominent trend in China’s cyber espionage activities, which can support technical reconnaissance as well, is the exploitation of mid-level and upper-level telecommunications infrastructure from which threat actors can pivot to more specific targets. APT41’s MESSAGETAP, for example, was installed in the Short Message Service Center (SMSC) servers of network operators. Similarly, China-based threat actors target managed service providers (MSPs) globally, cloud computing infrastructure, and virtual private network (VPN) providers. According to a June 2022 advisory from the US Cybersecurity & Infrastructure Security Agency, China state-sponsored threat actors also target network devices like SOHO routers and network-attached storage (NAS) devices as midpoints from which to pivot attacks toward other entities. A non-telecommunications analogue of this supply chain-oriented cyber-enabled espionage activity is China’s targeting of law firms, where acquisition of their clients’ data is the intended objective.

An extreme example of the trend described above is the compromise of at least 30,000 organizations by the MSS and other China-linked groups exploiting a combination of zero-days in Microsoft Exchange. Beginning in late February 2021, thousands of attacks per day were launched to gain access to the email servers of Microsoft’s customers. While initially attributed to one threat activity group (HAFNIUM), multiple known and unknown China-based groups also acted on the vulnerabilities before a patch was made public, including APT27, Calypso, Websiic, and Tick Group. Tick Group has been tentatively identified as affiliated with PLA Unit 61419. Tonto Team, which is also reportedly affiliated with the PLA, began exploiting the vulnerability chain after the patch was issued. The Microsoft Exchange intrusion highlights another trend in China’s reconnaissance activity: rushing to exploit disclosed vulnerabilities before organizations can issue fixes, as also seen after the 2018 Tianfu Cup. The rapid exploitation of the Microsoft Exchange vulnerabilities by multiple groups, including those associated with the PLA and MSS, also lends further credence to the theory that a “digital quartermaster” ecosystem exists within China’s security apparatus to distribute shared capabilities.

Network Attack

Should China decide to apply its cyber capabilities in a Taiwan wartime scenario, the force building, weapons development, and ongoing network reconnaissance activities discussed above would almost certainly culminate in destructive cyber operations against vital government, military, and civilian targets on the island. This section explores how authoritative Chinese sources conceptualize network attack and understand target selection, with lessons for where China’s network forces might strike.

Attack Objectives
In addition to extracting intelligence (discussed in the Network Reconnaissance section), the various editions of Science of Military Strategy describe the principle purpose of network attack as impairing an adversary’s information systems. In language highly similar to the aforementioned details of Science of Campaigns, which identifies network attack as a type of information attack, SMS 2013 asserts the goal is to degrade system functions through sabotage. SMS 2017 and SMS 2020 likewise advocate destroying and paralyzing an enemy’s networks for command and control, communication, and the computer systems of their weapons equipment. A 2015 article in China Information Security argues there are 3 levels of attack with increasing severity: “reduced services”, “damaged applications”, and “paralyzed systems”.

Network attacks would almost certainly support China’s pursuit of information dominance in a Taiwan scenario, especially at the start of the conflict, with the goal being to cripple the island’s ability to accurately assess the battlespace and effectively mobilize resources against threats. Indeed, the 2001 version of Science of Military Strategy theorizes about an “electronic Pearl Harbor” scenario in which “a network-electromagnetic strike disables an adversary’s ability to engage in conventional warfare” by disrupting the enemy’s information flows through network attacks and other means. The aforementioned Ye Zheng has further argued for integrating network and conventional weapons “in the early stages of war” to strike “links in the enemy’s communications chain”.

At the tactical level, SMS 2013 describes using worms, trojans, and logic bombs, overtaxing or altering enemy information resources and networks, and transmitting false information to enemy networks. To the latter point, Science of Campaigns discusses altering command and control instructions, causing “deviations” in positioning and navigation systems, and targeting weapons systems directly. SMS 2017 and SMS 2020 identifies the “main shape” of network attack as the use of viruses to paralyze enemy systems, steal data, tamper with an enemy’s information materials, disrupt networks, and implant fake intelligence. These latest textbooks also reference “chip weapons” (芯片武器), though the meaning is not clear. Other sources like the aforementioned defense-oriented paper by authors affiliated with the AMS Warfare Research Institute and PLA Unit 31003 acknowledge more specific attack methods and typologies such as the use of malicious procedures and scripts (for example, ShellCode), authentication attacks, defense system vulnerabilities in defense systems (such as firewalls and UTM services), software, protocols, and operations, protocol flooding, DDoS, and DNS DDoS.

Although focus is placed on degrading or destroying information systems, various sources also discuss the role of cyber capabilities in manipulating perception, highlighting the relationship between cyber operations and the psychological and cognitive aspects of information warfare. For example, Science of Campaigns identifies “special technical warfare” as including actions to insert “manufactured broadcasts and images in the enemy’s radio and television stations”. In 2016, an AMS-affiliated author likewise argued that examples of network weishe include actions to penetrate the enemy’s communications networks, distribute propaganda via text messages to citizens, and broadcast propaganda via prime-time television. SMS 2017 and SMS 2020 also raise the example of how, prior to the 2003 Iraq War, thousands of Iraqi military and government personnel received emails from the US military urging surrender”. The link between cyber operations and psychological impact is further highlighted in discussions of target selection.

Attack Targets
According to SMS 2017 and SMS 2020, network-electromagnetic warfare “mainly targets the opposite side’s psychology, cognitive domain, and decision-making systems” as well as vital and politically sensitive information infrastructure. The objective is to cause a change in the decisions and actions of enemy leaders, thereby changing the “overall situation” of the conflict. Specific targets these textbooks name include ground, air, and space-based “infrastructure network equipment” as well as enemy armed forces, equipment systems, mobilization response mechanisms, and overall support systems. Other targets mentioned include “strategic warning systems” and “military information systems”.

The focus is not solely on the adversary’s military targets, but extends to civilian critical infrastructure. SMS 2017 and SMS 2020 assert that “major targets” of network warfare also include national decision-makers, as well as “the information systems of energy, transportation, and other national information infrastructure”. Without necessarily advocating this as an intentional approach to cyber operations, SMS 2017 and SMS 2020 further observe that network attacks can damage or cause the collapse of an economy, cause political, economic, and social chaos, and “even shake [the enemy’s] will to war”.

Other sources are more explicit in proposals to target some forms of critical infrastructure. The aforementioned 2016 article by an author affiliated with AMS suggests causing “short-period large-scale blackouts in important enemy cities” as a form of network weishe. Further, the procurement activities of Chinese government entities and state-owned enterprises, as well as research by analysts affiliated with the PLA and other organizations, demonstrate at least a defensive interest in Russia’s 2015 cyberattack against Ukraine’s power grid and follow-on attacks. Some of China’s cyber ranges with links to defense contractors and PLA academic institutions simulate industrial control systems as well.

If China’s network forces were able to successfully apply their capabilities in a Taiwan wartime context as described by the sources discussed above, the island’s telecommunications would very likely be degraded, transportation and energy networks (including the power grid) disrupted, government and military communications networks highly impaired or manipulated with false information, and citizens and warfighters subject to demoralizing propaganda regarding the conflict.

Incidents of Attack
Compared with real-world instances of reconnaissance and espionage, there are fewer concrete examples for China’s destructive cyber capability. This is not evidence that China lacks the requisite abilities, but that, as of this writing, authorities have chosen not to use them. That said, China’s network forces have indeed targeted an adversary’s critical infrastructure on multiple occasions. Several such incidents, including one in Taiwan, are outlined below:

  • During the mid-2020 border skirmishes between China and India, RedEcho targeted at least 4 Regional Load Despatch Centres and 2 State Load Despatch Centres in India, which are major elements of India’s electrical grids. They also targeted a high-voltage transmission substation and a coal-fired thermal power plant. This activity was likely a form of pre-positioning to support a potential future attack against this critical infrastructure or signal China’s capability.
  • Taiwan’s state-owned energy company CPC Corporation was targeted in a mid-2020 ransomware attack by individuals named in the aforementioned 2020 US DoJ indictment of APT41 that suggests loose links to the MSS. The attack followed President Tsai Ing-wen’s victory in Taiwan’s 2020 presidential elections. Although ransomware attacks are typically financially motivated, there is some evidence that no demand for payment was made and that the attack was intended to be destructive. The attack encrypted and deleted company files and, as a result, impaired customer’s payment options at CPC fuel pumps. We note that cyber threat actors likely connected to Russia and Iran have also reportedly used destructive malware posing as ransomware.
  • In late 2011 and late 2012, various unspecified China-linked threat actors and APT1, which is reportedly PLA Unit 61398 of the former General Staff Department Third Department, successfully breached 13 American natural gas pipeline operators and stole information related to a pipeline management system, likely in support of developing capabilities to “physically damage pipelines or disrupt pipeline operations”.

At the lower end of the coercive spectrum, China’s confrontations with both Taiwan and South Korea over issues of political and geostrategic concern have been marked by a similar pattern of cyber attacks from China-based threat actors to deface and degrade the functioning of foreign government and non-governmental organizations. With regard to Taiwan, China’s response to Nancy Pelosi’s August 2022 visit was accompanied by a wave of DDoS and defacement attacks against government and public venues as discussed above. This is highly similar to events following South Korea’s decision to accept a Terminal High Altitude Area Defense (THAAD) battery from the US in 2017. The South Korean Ministry of Foreign Affairs experienced a surge of DDoS and other cyberattacks and hacking attempts in the period before and after the decision. Websites belonging to the business that agreed to supply land for the THAAD deployment, Lotte Group, and its affiliates also suffered from DDoS and defacement attacks. At the time, a Wall Street Journal article published an interview with FireEye’s director of counterespionage analysis, who asserted that Tonto Team (reportedly PLA), APT10 (reportedly associated with the MSS), and patriotic hackers were behind a “variety of attacks against South Korea’s government [and] military, defense companies and a big conglomerate [almost certainly Lotte Group]”. The attacks against Taiwan have been assessed as likely the work of patriotic hackers.

Other potential patriotic hacktivism has also been observed in China’s maritime and territorial disputes with the Philippines and Vietnam in the South China Sea.

from_coercion_to_invasion_the_theory_and_execution_of_china_cyber_activity_figure_2a.png from_coercion_to_invasion_the_theory_and_execution_of_china_cyber_activity_figure_2b.png

Figure 2: Defacement attack carried out on public TV screens in response to Nancy Pelosi’s visit to Taiwan in August 2022. Top: Screen in a Taiwan Railways Administration station declares the visit a “serious challenge” to China’s sovereignty and warns that those who welcome Pelosi will be “judged by the people”. Bottom: Screens in 7-Eleven read “Warmonger Pelosi get the fuck out of Taiwan” (Source: Taiwan News)

Outlook

We recommend that cybersecurity organizations and military planners in Taiwan, the US, and other relevant countries heighten defenses against Chinese network reconnaissance and prepare for attacks during both peacetime and wartime. Peacetime Chinese cyber threat activity targeting Taiwan will very likely include coercive efforts intended to prevent perceived moves toward Taiwanese independence; wartime Chinese cyber threat activity will almost certainly include cyber warfare efforts intended to seize information dominance as part of broader joint landing or blockade campaigns against Taiwan. Regarding network reconnaissance, cybersecurity and military planners should prepare for Chinese network reconnaissance operations that use network scanning, phishing, domain spoofing, zero-days, and other tools in an effort to gather intelligence and prepare for future network attacks. Regarding network attacks, planners should prepare for threats that aim to disrupt, damage, or destroy the functions of military and civilian information systems as well as critical infrastructure. As part of their preparations, cybersecurity and military planners should monitor China’s whole-of-nation efforts to develop the network forces and weapons, as these efforts will affect the characteristics and effectiveness of Chinese network reconnaissance and attacks.

Related