Chinese hackers kept up hiring drive despite FBI indictment

Hackers with suspected links to China’s intelligence agencies were still advertising for new recruits to work on cyber espionage, even after the FBI indicted the perpetrators in an effort to disrupt their activities.

Hainan Tengyuan, a Chinese technology company, was actively recruiting English language translators in March according to job adverts seen by the Financial Times — nine months after US law enforcement agencies accused Beijing of setting up such companies as a “front” for spying operations against western targets.

Hainan Tengyuan is also part of a wider network of companies that has links, including common contact details and employees, with another tech firm, Hainan Xiandun, which was exposed by the FBI in a 2021 indictment as a cover for the Chinese hacking group APT40.

APT40 is accused of cyber espionage targeting scientific research into Ebola, HIV, and Mers, as well as maritime industries and naval defence contractors across the US and Europe. Western agencies have also said the group was responsible for a hacking campaign against Cambodian opposition MPs, political institutions, and NGOs in the run-up to the country’s 2018 national elections.

Dmitri Alperovitch, co-founder of security group CrowdStrike and now head of the Silverado Policy Accelerator think-tank, said the fact that the front companies were continuing to advertise even after FBI exposure was evidence that indictments against Chinese government personnel are becoming less effective.

While the first round of indictments against People’s Liberation Army cyber units in 2014 had sent “shockwaves through the Chinese system”, he said, such public accusations had become less of a deterrent given that repercussions for state officials tend to be minimal.

It is common for intelligence services such as the US’s CIA or the UK’s GCHQ signals intelligence agency to actively recruit prospective spies while at university and through advertising jobs publicly. But China’s use of front companies to disguise their work means some applicants are being drawn unwittingly into a life of espionage.

An FT investigation this week revealed that Hainan Xiandun sought to recruit foreign language students from public universities across China to help identify intelligence targets and translate sensitive documents.

Many were female foreign language students from universities on the tropical island of Hainan in southern China, seeking employment after graduation.

One student applicant had previously led a workshop entitled “The Fine Tradition of Secrecy of the CCP” at a local university. Another applicant had a summer job as a translator for foreign and Chinese executives at a golf resort.

Hainan Xiandun sought to leverage students’ language skills in its search for cheap translators, but its adverts divulged neither the nature of the work nor its links to the Ministry of State Security.

By contrast, Hainan Tengyuan’s job advert from March, posted on the Chinese language version of the recruitment website Indeed, appeared to be looking for more experienced staff.

It asked for applications from translators with at least five years of work experience, offering a monthly salary of around $2,000, more than twice the amount Hainan Xiandun offered the new graduates. Still, involvement in hacking activity was not made clear.

One security official in the region said that “multiple” Chinese hacking groups were known to recruit from universities, not only for linguists but also computer science students.

“They advertise positions and sponsorships within the front companies at local universities, and encourage students to engage in offensive intrusion activity badged as hacking competitions,” the official said. The official added that the ongoing nature of this recruitment would have “personal ramifications” for the students themselves.

Nicholas Eftimiades, an expert on Chinese intelligence operations and a former FBI agent, said that while intelligence communities around the world cultivate relationships with universities, “what is unique in China is the use of front companies that recruit students without their knowledge.” 

He added: “It adds another layer of cover for the MSS, both from their citizens but also from foreign governments. It also provides a steady flow of cheap labour that doesn’t require security clearances.”

Links between Hainan Xiandun and Hainan Tengyuan were exposed two years ago by a group of anonymous researchers called ‘Intrusion Truth’, who have focused on the work of the Chinese hacking group APT40 — also known by the names ‘Bronze’ and ‘Leviathan’.

The researchers trawled through recruitment adverts posted by self-described technology companies in Hainan and found links between five companies, including Hainan Xiandun and Hainan Tengyuan, which had overlapping company descriptions, postal addresses, contact details and employees.

According to corporate records, Hainan Tengyuan’s chief executive officer and largest shareholder Qiu Chuiqiang operates three restaurants in Hainan, one popular for its Cantonese-style barbecued meat. Efforts were made to contact Hainan Tengyuan and Qiu Chuiqiang, but they could not be reached for comment.

Western intelligence officials have intensified their warnings about the risk of “large-scale” Chinese cyber operations aimed at stealing data and intellectual property from adversaries.

FBI director Christopher Wray recently said the agency opens a new China-focused counter-intelligence investigation every 12 hours and that China has a bigger hacking programme than every other country combined.

James Mulvenon, an expert on Chinese cyber and industrial espionage, said it was clear that the regional bureaus, such as those in Hainan, tended to be “much more entrepreneurial in terms of targets” than bigger centres in Shanghai and Beijing.

Alperovitch from the Silverado Policy Accelerator said Chinese hackers who work as contractors fear being indicted more than state security officials do. Such hackers have “a history of curtailing activities after being named and shamed” because they have an interest in accessing western commercial opportunities and travelling overseas, he said.

The MSS and Hainan University did not respond to requests for comment.

Additional reporting by Demetri Sevastopulo in Washington