The Transformation of Chinese Hackers: From Vandals to Strategic Operatives


Foundations of Chinese Hacking: The Influence of Early Hacktivists


Chinese state-sponsored hackers exhibit significant collaborative behaviors, utilizing similar tools and overlapping techniques. Recent analysis of these cyber operations points to a network of contractors and businesses that support initiatives like the Salt Typhoon campaign, which targeted U.S. telecommunications.

There is a foundational reason for the recurring methods observed in Beijing-linked cyber operations. A study by Eugenio Benincasa, a senior security researcher at ETH Zurich, suggests that China’s cybersecurity landscape has been shaped by a cohort known as the “Red 40,” comprising 40 hackers who emerged from the patriotism-driven hacking culture of the late 1990s and early 2000s.

The Red 40 includes key players in significant Chinese tech firms and cybersecurity startups, with origins traced back to three prominent grassroots hacking groups: Green Army, Xfocus, and 0x557. These groups initially focused on retaliating against Western targets through website defacements and denial-of-service assaults.

Some members of the Red 40 have transitioned into startups specializing in advanced detection and cybercrime intelligence. Notable examples include Nanjing Hanhaiyuan, dubbed “China’s FireEye,” along with Anluo Technology and Tencent Xuanwu Lab, both of which have garnered accolades in international hacking competitions. Among the Red 40 alumni is Zhou Shuai, alias “Coldface,” who was indicted by the U.S. Department of Justice for his alleged involvement in the Silk Typhoon campaign, particularly an incursion into the Department of the Treasury reported in late 2024.

Furthermore, individuals from Green Army have established private hacking firms, such as iSoon and Integrity Tech. A significant breach of trust occurred when an iSoon employee leaked internal documents in February 2024, exposing the close ties between the Chinese Ministry of State Security and private-sector hacking operations. Wu Haibo, also known as “Shutdown,” a Red 40 associate from iSoon, was indicted for his alleged role in these activities.

Recurring malware families such as PlugX and ShadowPad, associated with both personal and research projects by Red 40 hackers, have surfaced in various state-sponsored attacks attributed to groups identified as APT3, APT41, GALLIUM, and Winnti. The attribution of these tools to iSoon further complicates the landscape, as the firm has been implicated in espionage targeting ethnic minorities in Asia.

Benincasa’s findings support a “digital quartermaster” theory, which posits that a centralized entity within the Chinese government coordinates the distribution of cyber exploits across various hacking collectives and contractors. This is consistent with the overlapping capabilities and recurrent malware seen in Chinese cyber operations, and it suggests both informal and structured connections among Red 40 members in state-sponsored activities.

In this context, the MITRE ATT&CK framework is particularly relevant for understanding the tactics employed in these attacks, such as initial access, persistence, and privilege escalation. Tools developed by the Red 40, including Htran and X-Scan, and the malware families PlugX and ShadowPad exemplify the sophisticated arsenal available to these cyber operatives. China’s evolving cyber scene offers crucial insights into how decentralized hacker collectives have been transformed into institutionalized entities that significantly shape the cybersecurity landscape.
