Hackers with alleged ties to Chinese intelligence agencies were still advertising for new recruits to work on cyber espionage, even after the FBI indicted the perpetrators in an attempt to disrupt their business.
Hainan Tengyuan, a Chinese technology company, was actively recruiting English-language translators in March according to job postings seen by the Financial Times – nine months after US law enforcement accused Beijing of setting up such companies as a “front” for espionage operations against Western targets.
Hainan Tengyuan is also part of a wider network of companies that have ties, including shared contact details and employees, with another tech company, Hainan Xiandun, which was exposed by the FBI in an indictment in 2021 as a cover for Chinese hacking group APT40.
APT40 is accused of cyber espionage targeting scientific research on Ebola, HIV and Mers, as well as maritime industries and naval defense contractors in the United States and Europe. Western agencies also said the group was responsible for a hacking campaign against Cambodian opposition MPs, political institutions and NGOs ahead of the country’s 2018 national elections.
Dmitry Alperovitch, co-founder of security group CrowdStrike and now head of think tank Silverado Policy Accelerator, said the fact that shell companies continued to advertise even after the FBI exposure was proof that indictments against Chinese government personnel were becoming less effective.
While the first round of indictments against the People’s Liberation Army cyber units in 2014 sent “shockwaves through the Chinese system”, he said, such public accusations were becoming less of a deterrent as the repercussions for state officials tend to be minimal.
It is common for intelligence services such as the American CIA or the British signals intelligence agency GCHQ to actively recruit potential spies during their university studies and by posting job offers publicly. But China’s use of front companies to conceal their work means some candidates are being unwittingly drawn into a life of espionage.
An FT investigation this week found that Hainan Xiandun was seeking to recruit foreign language students from public universities across China to help identify intelligence targets and translate sensitive documents.
Many were foreign language students from universities on the tropical island of Hainan in southern China, seeking employment after graduation.
A candidate student had previously led a workshop titled “The Fine Tradition of CCP Secrecy” at a local university. Another candidate had a summer job as a translator for foreign and Chinese executives at a golf resort.
Hainan Xiandun sought to take advantage of students’ language skills in its search for cheap translators, but its announcements did not disclose the nature of the work or its ties to the Ministry of State Security.
In contrast, Hainan Tengyuan’s March job advertisement, posted on the Chinese version of the Indeed recruitment site, appeared to be looking for more experienced staff.
It called for applications from translators with at least five years of professional experience, offering a monthly salary of around $2,000, more than double the amount Hainan Xiandun offered new graduates. Still, involvement in hacking activities has not been clearly established.
A security official in the region said “several” Chinese hacking groups were known to recruit from universities, not only for linguists but also for computer science students.
“They advertise positions and sponsorships in front companies at local universities and encourage students to engage in offensive trespassing activities labeled as hacking competitions,” the official said. The official added that the ongoing nature of this recruitment would have “personal ramifications” for the students themselves.
Nicholas Eftimiades, an expert in Chinese intelligence operations and a former FBI agent, said that while intelligence communities around the world have relationships with universities, “what is unique in China is the use of front companies who recruit students without their knowledge”.
He added: “It adds another layer of coverage for the MSS, both from their citizens but also from foreign governments. It also provides a steady stream of cheap labor that doesn’t require security clearances.”
The links between Hainan Xiandun and Hainan Tengyuan were revealed two years ago by a group of anonymous researchers called “Intrusion Truth”, which focused on the work of the Chinese hacking group APT40 – also known as “Bronze” and “Leviathan”.
Researchers scoured recruitment advertisements posted by self-proclaimed technology companies in Hainan and found links between five companies, including Hainan Xiandun and Hainan Tengyuan, which had overlapping company descriptions, mailing addresses, contact details and employees.
According to company records, the CEO and major shareholder of Hainan Tengyuan, Qiu Chuiqiang, operates three restaurants in Hainan, one popular for its Cantonese grilled meat. Efforts were made to contact Hainan Tengyuan and Qiu Chuiqiang, but they could not be reached for comment.
Western intelligence officials have stepped up their warnings about the risk of “large-scale” Chinese cyber operations aimed at stealing adversaries’ data and intellectual property.
FBI Director Christopher Wray recently said the agency opens a new China-focused counterintelligence investigation every 12 hours and that China has a bigger hacking program than all other countries combined.
James Mulvenon, an expert in cyber espionage and Chinese industrial espionage, said it was clear that regional offices, such as those in Hainan, tended to be “much more enterprising in terms of targets” than the major intelligence centers of Shanghai and Beijing.
Alperovitch of the Silverado Policy Accelerator said Chinese hackers who work as contractors fear prosecution more than state security officials. These hackers have “a history of downsizing after being named and humiliated” because they have an interest in accessing Western business opportunities and traveling overseas, he said.
MSS and Hainan University did not respond to requests for comment.
Additional reporting by Demetri Sevastopulo in Washington