Report: 'Highly Sophisticated Cyber Espionage' Group Linked to Chinese Intelligence


A report issued by private cyber-security firms claims to have unveiled a sophisticated hacking outfit sponsored by the Chinese government. The cyber threat, named “Axiom” in the report, is said to have targeted everything from government offices to NGOs and media outlets in a global campaign over the past six years. A PDF of the full report, titled ““Operation SMN: Axiom Threat Actor Group Report” can be accessed here.

The findings come from “Operation SMN,” a joint effort among private cyber-security companies to identify and counter “a sophisticated advanced threat actor group.” The effort was led by Novetta; other public partners included Cisco and FireEye (author of its own reports about Chinese cyberspying), with additional cooperation from Microsoft and Symantec.

The key finding of the report is as follows:

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years.

The report expressed “moderate to high confidence that the organization tasking Axiom is a part of [the] Chinese Intelligence Apparatus.” This allegation was further supported by an FBI flash alleging that the cyber activity Novetta associated with Axiom is connected to the Chinese government.

According to the report, Axiom has targeted “pro-democracy non-governmental organizations (NGO) and other groups and individuals that would be perceive as a potential threat to the stability of the Chinese state.” Other targets include media outlets, academic institutions, and organizations “of strategic economic interest, that influence environmental and energy policy, and that develop cutting edge information technology.” Both government organizations and private enterprises were subject to attacks from Axiom. The report notes that Axiom’s targets “fit in particularly well with China’s strategic interests and with their most recent Five Year Plans accepted in 2006 and 2011.” The researchers concluded:

The fact that the primary beneficiary of information stolen in these campaigns is not military or directly financial, but rather intelligence benefiting Chinese domestic and international policies, is highly telling and implies the Chinese Intelligence Apparatus could be behind such attack.

The joint task force claims to have removed “over 43,000 separate installations of Axiom-related tools” from computers around the world. A map included in the report shows three clear areas of focus for cyber attacks attributed to Axiom: North America, Europe, and East and Southeast Asia. Axiom is also believed to have targeted Chinese domestic groups and individuals (including attacks on computers in Hong Kong). Overseas Chinese dissidents were also a focus of Axiom activities, according to the report.

The report suggests that Axiom may have been responsible for several high-profile cyber attacks previously attributed to Chinese state actors. The report found similarities between Axiom’s methods and several previously reported attacks, including this summer’s cyber attack on U.S. think tanks dealing with Middle East policy and the 2010 hacking attempts targeting Google.

Other Chinese hacking groups have been identified by previous reports, with the most famous being Unit 61398, a PLA unit allegedly devoted to hacking activities. However, this report notes that Axiom appears to be more sophisticated than Unit 61398 and other known groups. For one thing, researchers have been able to identify members of Unit 61398 based on social media activity or email accounts. “In contrast, there have been no identified mistakes in operational security on the part of Axiom operators to date,” the report notes. This suggests that Axiom operators follow tighter security measures and may operate using a separate infrastructure.

The timing of the report is particularly interesting. In February 2013, cyber security firm Mandiant released its report on Unit 61398. That catapulted cyber issues to the forefront of U.S.-China relations; they were a major topic of discussion during Xi Jinping and Barack Obama’s “shirtsleeves summit” at Sunnylands in June 2013. The new report on Axiom comes a mere two weeks before Obama and Xi are set to hold “Sunnylands 2.0” in China. That all but ensures that cyberspace will be high on Obama’s agenda. Meanwhile, China has refused to hold substantial discussion on the issue since the U.S. Department of Justice indicted five members of Unit 61398 on cyber espionage charges earlier this year.

China consistently denies the existence of any state-sponsored hacking initiatives. Responding to the Axiom report, Geng Shuang, the spokesperson for China’s embassy in the U.S., told the Washington Post that “these kinds of reports or allegations are usually fictitious.” He also emphasized that “China is a victim of these kinds of attacks, according to the Snowden revelations.”

Sign up for our weekly newsletter
The Diplomat Brief