For decades, China has been considered a rising power. In cyberspace, however, China has already risen. As it has developed stronger cyber capabilities, People’s Liberation Army (PLA) cyber operations have become bolder. This can be seen, for example, in the actions of Volt Typhoon, a group of government hackers who were found pre-positioning themselves within US digital infrastructure, prepared to wreak havoc in case of a conflict.
As China has increased its offensive cyber operations, it has naturally become the target of increasing numbers of attributions from adversaries. And just as China’s approach to cyber operations has developed, so has its counter-attribution strategy.
While the West and its partners have ramped up their offensive cyber capabilities to counter Chinese cyber operations (among others), they have done little to adjust their cyber attribution strategies. It’s time for them to catch up here too.
Counter-attribution strategy
Chinese strategy in countering Western and allied attributions today is defined by four characteristics: consistent denial of involvement in cyber operations; responses that vary depending on the accuser; a significant expansion of resources devoted to shaping attribution narratives; and, beyond simple denial, the production of disinformation about cyber activities.
Historically, China, like Iran and Russia, has simply pointed to a lack of evidence when being confronted with attribution claims. To give an example, when the Tokyo Metropolitan Police Department accused the PLA of breaching the Japanese Aerospace Exploration Agency and 200 other Japanese entities in 2016 and 2017, Chinese Ministry of Foreign Affairs spokesperson Wang Wenbin retorted that the attribution lacked evidence and that Japan was ‘throw[ing]mud at China]’.
In other official statements, largely aimed at English and Chinese speaking audiences, China has deflected, characterising itself as a law-abiding country that cracks down on criminals and claiming the actual threat is the US. These Chinese statements are taken from the standard playbook of cyberstatecraft: deny any involvement. But this is changing.
Since 2021, Beijing has gradually moved from a defensive to an offensive stance regarding attribution, a trend that has accelerated in the last couple of years. The Volt Typhoon case is illustrative. In 2023, Microsoft and a variety of US and Five Eyes agencies and officials accused the Chinese state-linked Volt Typhoon threat actor of pre-positioning in US critical infrastructure. In response to these accusations, the China Emergency Computer Virus Response Center (CVERC) published the usual series of reports denying the accusations, but with a new disinformation component.
One report from April 2024 misrepresented threat intelligence reports from US companies ThreatMon and Trellix to claim that Volt Typhoon was an invention of Western intelligence and that any actual attacks had been conducted by a criminal ransomware group, rather than one affiliated with a government. The claim was repeated by China’s representative to the UN open-ended working group on international cybersecurity in July 2024.
A few months later, the CVERC released another report on the topic, accusing ‘US government agencies of [hyping] up “Volt Typhoon” false narrative for swindling more budgets from the congress’. Tellingly, this was the first CVERC report ever to be translated into German, Japanese, and French, showcasing their desire to reach a wider audience. Various state-run organisations and media, such as the Global Times and CGTN, have further amplified the argument that Volt Typhoon is a ransomware group not linked to the government.
Notably, when countries like Taiwan, Japan, or Germany attribute alone, China continues with its older pattern of ignoring or simply denying accusations. This was the case in 2020, when Taiwan accused China, and, in particular, threat actors BlackTech and Taidoor, of accessing government email accounts. This approach changes, however, when countries such as these attribute together with the US. When this happens, China launches counter-accusatory campaigns.
Why would this be the case? It might be because China thinks that accusing the US, which is known for its prolific offensive cyber operations, could weaken the overall accusatory credibility of Western partners. This was the case during the Microsoft Exchange Hack in 2021, carried out by the China-linked group Hafnium. When a number of countries, including members of the EU, coordinated their attribution with the United States, China rebuked them for failing to represent the broader international community and sought to redirect attention toward US cyber operations – such as an alleged CIA campaign targeting China’s aerospace sector, internet companies, and government institutions.
So how can Western countries and their allies adapt?
By expanding their attribution partners and their audiences, as well as pre-empting Chinese arguments, Western countries and their partners can ensure a continually effective attribution strategy.
Countries that have historically led in attribution, such as Germany, Taiwan, Japan, and the US, should engage with countries beyond their traditional collaboration partners in issuing joint attributions and advisories.
One potential partner might be India, which is already hawkish towards the Chinese state and has a considerable threat exposure to China. Another could be the Philippines, which already attributes hostile maritime actions to China. While Manila’s maritime attributions are mostly done independently, the Philippines could work with Western countries to jointly attribute Chinese cyber operations and so more strongly highlight China’s malicious activities.
In addition, Western countries and partners need to expand the audience they want to reach with their attributions. For now, their primary audience is the Chinese government. But this is insufficient. They should issue attribution statements in more languages and distribute them via foreign ministries, embassies, and media engagement. This would help broaden audiences in Africa, Southeast Asia, and Latin America, where China has been engaging in considerable media offensives to improve its image. By exposing audiences in these regions to news about malicious Chinese activities, Chinese propaganda could be at least partially mitigated.
Finally, Western countries and partners should anticipate China’s usual arguments against attribution statements, for instance via public policies of only attributing when there is no doubt. When China uses technical evidence to sow disinformation, as in the case of Volt Typhoon, attributors need to respond immediately, rectifying China’s false claims. The rectification of wrong information does not have to be a major announcement, which could propel the disinformation even further, but a simple statement to allow interested parties to get a clear view of Chinese disinformation campaigns.
China has substantially changed its approach to attribution statements, developing counter-narratives to shield its malicious cyber actors. Western countries and allies must update their strategies in turn.
This article is based on a longer paper, ‘China’s Expanding Cyber Playbook: Espionage, Fear, and Influence in East Asia’, written by Dr. Chung-Kuan Chen, research director at the Taiwanese Cycraft Technology Corp, and Dr. Valentin Weber, senior research fellow at the German Council on Foreign Relations (DGAP). The paper was published by the Friedrich Naumann Foundation.
