China pushes misleading US hacking narrative - SentinelLabs analysis

In the western media and cybersecurity industry in general, we have become familiar with regular reports of nation-state espionage activities often attributed to China or Chinese-linked threat groups. Such reports rest their credibility on the level of meticulous technical detail and evidence-based claims contained therein.

In contrast, claims of espionage and cyber intrusion attributed to western nation-state agencies emanating out of China’s Ministry of State Security and Chinese cybersecurity firms are notably lacking in the same kind of technical detail or evidential proof.

Between the first reports establishing US involvement in Stuxnet and the summer of 2021, China’s most prominent actors in the cybersecurity industry never independently established attribution of hacking inside the PRC to any US-affiliated APTs, nor did the analysis of US-nexus hacking extend beyond tools and exploits.

China’s cybersecurity companies also never published the underlying technical data that is considered table stakes for non-Chinese companies. The companies only regurgitated information from foreign vendors or leaked US intelligence documents. This was a matter of policy, not capability. Such reports were likely written and held back from external publication since at least 2016.


Key findings:

  • China launched an offensive media strategy to push narratives around US hacking operations following a joint statement by the US, UK, and EU in July 2021 about China’s irresponsible behaviour in cyberspace.
  • Some PRC cybersecurity companies now coordinate report publication with government agencies and state media to amplify their impact.
  • Allegations of US hacking operations by China lack crucial technical analysis to validate their claims. Until 2023, these reports recycled old, leaked US intelligence documents. After mid-2023, the PRC dropped the pretence of technical validation and only released allegations in state media.
  • The cyber-focused media campaign preceded the 2023 efforts of China’s Ministry of State Security to disclose accounts of western spying in the PRC.


China has not yet published the detailed accounts that analysts have come to expect from cybersecurity firms. Accepting this asymmetry in data sharing benefits China, allowing the country to publish claims of foreign hacking without the requisite information. If analysts do not actively challenge the CCP’s claims, the government can lie with impunity.

Repeating China’s allegations helps the PRC shape global public opinion of the US. China wants to see the world recognise the US as the “empire of hacking.” But outright ignoring China’s claims undermines public knowledge and discourse. The fact that China is lodging allegations of US espionage operations is still notable, providing insight into the relationship between the US and China, even if China does not support its claims. CTI analysts and intelligence consumers would be wise to differentiate between the claims made by China across domains, however.

To date, China has provided no reasonable evidence to support any of its claims besides wantonly recycling leaked US intelligence. In western cybersecurity industry circles, claims of US hacking without supporting technical evidence are derided—and rightfully so.