In 2023, U.S. officials were deeply concerned after uncovering that Chinese state-backed hackers had successfully breached vital American infrastructure. This infiltration involved malicious code capable of crippling power grids, communication networks, and water systems. The gravity of the situation prompted C.I.A. Director William J. Burns to undertake a clandestine visit to Beijing, where he directly confronted his Chinese counterpart about the threat.
During this high-stakes, previously undisclosed meeting, Burns issued a stern warning: triggering the discovered malware would bring severe repercussions for Beijing. Despite the tense subject, the encounter was described as professional, suggesting the message was received and understood.
However, since that meeting, which two former U.S. officials described anonymously due to the sensitive nature of the information, China’s digital intrusions have only intensified.
American and European authorities now identify China’s Ministry of State Security (M.S.S.), the country’s civilian spy agency, as the primary force behind Beijing’s most advanced and sophisticated cyber operations.
Recent revelations exposed another massive, years-long hacking campaign by a group known as Salt Typhoon. This operation may have compromised data concerning almost every American citizen and targeted numerous other nations. Countries affected by Salt Typhoon issued an unusual joint statement, warning that the stolen data could grant Chinese intelligence services the ability to “identify and track their targets’ communications and movements around the world.”
Experts note that this attack highlights the M.S.S.’s transformation into a formidable cyberespionage entity, capable of bold operations that can remain undetected for extended periods.
Historically, China has frequently employed contract hackers for network breaches, often producing a blend of espionage and commercial data theft, sometimes with sloppy tradecraft that exposed their presence. In the recent Salt Typhoon operation, by contrast, intruders connected to the M.S.S. demonstrated remarkable proficiency: exploiting vulnerabilities to gain entry, embedding deep within networks, moving laterally between compromised systems without detection, exfiltrating data, and meticulously erasing their tracks.
“Salt Typhoon reveals a highly skilled and strategic dimension to M.S.S. cyber operations, one that has been overlooked due to past focus on lower-quality contract hackers,” commented Alex Joske, author of a book detailing the ministry’s activities.
For Washington, China’s escalating capabilities carry a clear implication: in any future conflict, American communications, power infrastructure, and essential services could be severely jeopardized.
Nigel Inkster, a senior adviser on cybersecurity and China at the International Institute for Strategic Studies in London and former director of operations and intelligence for MI6, stated that China’s largest hacking campaigns are “strategic operations” designed to intimidate and deter adversaries.
“If they manage to remain on these networks undetected, that could give them a significant advantage during a crisis,” Mr. Inkster explained. “Even if their presence is discovered—as it has been—it still sends a powerful deterrent message, essentially saying, ‘Look what we could do to you if we chose to.’”
The Ascendance of the M.S.S.
China’s progress in cyber capabilities is the result of decades of strategic investment aimed at matching, and eventually surpassing, agencies like the U.S. National Security Agency and Britain’s Government Communications Headquarters (GCHQ).
Established in 1983, the Ministry of State Security initially focused on monitoring dissidents and perceived threats to Communist Party rule. While involved in online espionage, it was long overshadowed by the more extensive cyberspying operations of the Chinese military.
After assuming leadership in China in 2012, Xi Jinping swiftly moved to reorganize the M.S.S. He appeared deeply concerned by the potential threat of U.S. surveillance to China’s national security, a sentiment he articulated in a 2013 speech referencing the revelations made by former U.S. intelligence contractor Edward J. Snowden.
Mr. Xi systematically purged the ministry of senior officials suspected of corruption and disloyalty. He scaled back the military’s hacking activities, elevating the M.S.S. to become the nation’s primary cyberespionage agency. He placed national security at the forefront of his agenda, enacting new legislation and establishing a new commission.
“Concurrently, the intelligence demands placed on the security apparatus began to escalate, as Xi sought to expand China’s influence both internationally and domestically,” noted Matthew Brazil, a senior analyst at BluePath Labs and co-author of a historical account of China’s espionage services.
Experts indicate that since approximately 2015, the M.S.S. has worked to centralize control over its numerous provincial offices. Chen Yixin, the current minister, has mandated that local state security branches adhere strictly and promptly to Beijing’s directives. During a recent inspection of China’s northeast, he emphasized that security officials must be both “red and expert”—demonstrating unwavering loyalty to the Party while also possessing advanced technological proficiency.
“This fundamentally means the Ministry of State Security now presides over a system that allows it to maneuver its assets strategically across the global landscape,” explained Edward Schwarck, an Oxford University researcher specializing in China’s state security.
Mr. Chen was indeed the official who met with Mr. Burns in May 2023. When confronted with the specifics of the cyber campaign, he remained impassive, merely stating he would inform his superiors of the U.S. concerns, according to former officials.
The Architect of China’s Cyber Power
The Ministry of State Security largely operates in secrecy, its officials rarely making public appearances or being named. One notable exception was Wu Shizhong, a high-ranking officer in Bureau 13, the ministry’s “technical reconnaissance” division.
Wu Shizhong held a surprisingly visible public profile, frequently attending meetings and conferences in his capacity as director of the China Information Technology Security Evaluation Center. Officially, this center evaluates software and hardware for security vulnerabilities before they are deployed in China. Unofficially, foreign officials and experts assert that the center operates under M.S.S. control, serving as a direct conduit of vulnerability intelligence and as a recruiting pool for hacking talent.
While Mr. Wu has never publicly acknowledged his service in the security ministry, a Chinese university website in 2005 identified him as a state security bureau head in a meeting notice. Furthermore, investigations by CrowdStrike and other cybersecurity firms have also corroborated his role within state security.
“Wu Shizhong is widely recognized as a pivotal figure in establishing the M.S.S.’s cyber capabilities,” Mr. Joske affirmed.
In 2013, Mr. Wu highlighted two crucial lessons for China: Edward Snowden’s revelations about American surveillance, and the U.S.’s use of a virus to disrupt Iran’s nuclear facilities. He emphasized that “the core of cyber offense and defense capabilities is technical prowess,” underlining the necessity to control technologies and exploit their weaknesses. China, he contended, should establish “a national cyber offense and defense apparatus.”
In the ensuing years, China’s commercial tech sector flourished. State security officials adeptly learned to leverage domestic companies and contractors to identify and exploit vulnerabilities and weak points in computer systems, according to several cybersecurity experts. While the U.S. National Security Agency has similarly hoarded knowledge of software flaws for its own use, China benefits from an additional advantage: the ability to compel its own tech companies to provide the state with intelligence.
“The M.S.S. successfully enhanced its talent pipeline and increased the number of skilled offensive hackers it could contract,” stated Dakota Cary, a SentinelOne researcher who studies China’s hacking development. “This provides them with a substantial source for offensive tools.”
The Chinese government also implemented regulations mandating that newly discovered software vulnerabilities be reported to the state, ahead of any public disclosure, into a database that analysts believe is managed by the M.S.S., thereby granting security officials privileged early access to flaws before vendors and the public learn of them. Other policies offer financial incentives to tech firms that meet monthly quotas for identifying and submitting system flaws to this state security-controlled database.
“It’s a matter of prestige and beneficial for a company’s reputation,” remarked Mei Danowski, co-founder of Natto Thoughts, a firm advising clients on cyber threats, in reference to this arrangement. “These business professionals don’t perceive their actions as wrong; they believe they are contributing to their country.”