CNCERT has alleged that U.S. intelligence agencies are targeting Chinese military-industrial entities.
Since mid-2022, Chinese military-industrial networks have been subjected to highly sophisticated cyber intrusions attributed to US intelligence agencies. These campaigns exploited previously unknown vulnerabilities to install stealthy malware, maintain prolonged access, and exfiltrate sensitive defence data. The initial identification of these intrusions followed an NSA breach at Northwestern Polytechnical University, with subsequent incidents uncovered by CNCERT highlighting a relentless focus on China’s defence manufacturing and research establishments.

Emerging in July 2022, the primary malware family exploited a zero-day flaw in Microsoft Exchange servers. Attackers breached an email system within a major military contractor, establishing persistence for nearly a year. By leveraging an internal domain controller as a springboard, the intrusion team performed lateral movement to compromise over fifty core hosts. CNCERT analysts noted that the operators deployed obfuscated payloads, tunnelled via WebSocket-wrapped SSH sessions, and routed traffic through relay nodes in Germany and Finland to evade network monitoring.
In a second wave between July and November 2024, adversaries targeted an electronic file system vulnerability across over 300 devices in a supplier’s production environment. Through compromised Romanian and Dutch IP addresses, they manipulated Tomcat service filters to implant Trojanised upgrade packages. These bespoke Trojans executed keyword searches for “secret work” and “core network,” harvesting proprietary architectural diagrams and protocol specifications. CNCERT researchers identified hallmark stealth techniques in this campaign, including dynamic log wiping and active reconnaissance of defence-specific intrusion detection systems.

Following these disclosures, recent discussions between the Cyberspace Administration of China and Nvidia underscored the critical importance of supply-chain security. Authorities emphasised the risks associated with reliance on foreign-sourced hardware and software components that may carry pre-installed backdoors.

A defining characteristic of the Exchange-based intrusions is the custom WebSocket-over-SSH covert channel, which enabled bidirectional command and control without triggering typical alerts.
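The WebSocket-wrapped SSH channel described above is detectable at the web front end if the right fields are logged. The following Python script is an added example written for this page; it is not CNCERT's tooling or anything from the report. It assumes a constructed key=value access-log format from the reverse proxy or IIS front end that records the HTTP status, the Upgrade header, connection duration, bytes in each direction and (when capture is enabled) the hex-encoded first client WebSocket frame. The allow-listed paths, thresholds and sample log lines are all assumptions, and the SSH banner check relies on RFC 4253's "SSH-2.0-" identification string, which an obfuscated implant may omit, so the duration and byte-balance heuristic is there to catch that case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed log format (an assumption for this example, not a real IIS or
# Exchange schema): space-separated key=value fields; `first_payload` holds the
# first client WebSocket frame, hex-encoded, when payload capture is on.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical allow-list of paths on which this host legitimately negotiates
# WebSocket. Build the real list from a baseline of the front end.
KNOWN_WS_PATHS = {"/owa/notify", "/ews/push"}

# Thresholds are assumptions; tune them to observed session lengths and volumes.
LONG_SESSION_S = 600.0
MIN_BYTES_EACH_WAY = 50_000


@dataclass
class WsSession:
    src: str
    path: str
    status: int
    upgrade: str
    duration_s: float
    bytes_in: int
    bytes_out: int
    first_payload: bytes


def parse_line(line: str) -> Optional[WsSession]:
    """Parse one constructed log line; return None for malformed input."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return WsSession(
            src=fields["src"],
            path=fields["path"],
            status=int(fields["status"]),
            upgrade=fields.get("upgrade", "").lower(),
            duration_s=float(fields.get("duration", "0")),
            bytes_in=int(fields.get("bytes_in", "0")),
            bytes_out=int(fields.get("bytes_out", "0")),
            first_payload=bytes.fromhex(fields.get("first_payload", "")),
        )
    except (KeyError, ValueError):
        return None  # skip bad lines rather than crash the pipeline


def suspicion_reasons(s: WsSession) -> List[str]:
    """Return the heuristics a completed WebSocket upgrade trips (empty = benign)."""
    reasons: List[str] = []
    if s.status != 101 or s.upgrade != "websocket":
        return reasons  # only completed upgrades can carry a wrapped tunnel
    if s.path not in KNOWN_WS_PATHS:
        reasons.append("websocket upgrade on non-allow-listed path")
    # RFC 4253: an SSH client opens with the identification string "SSH-2.0-...".
    if s.first_payload.startswith(b"SSH-2.0-"):
        reasons.append("ssh banner in first websocket frame")
    # Interactive C2 over a tunnel tends to be long-lived and roughly symmetric,
    # unlike push notifications, which are short or heavily server-to-client.
    balanced = min(s.bytes_in, s.bytes_out) >= MIN_BYTES_EACH_WAY
    if s.duration_s >= LONG_SESSION_S and balanced:
        reasons.append("long-lived, bidirectional tunnel-like session")
    return reasons


def find_tunnels(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (src, path, reasons) for every session that trips a heuristic."""
    hits = []
    for line in lines:
        s = parse_line(line)
        if s is None:
            continue
        reasons = suspicion_reasons(s)
        if reasons:
            hits.append((s.src, s.path, reasons))
    return hits


# Constructed sample log lines (not real traffic); payloads are hex.
SAMPLE_LOG = [
    'src=10.0.5.23 path=/owa/notify status=101 upgrade=websocket duration=1800 '
    'bytes_in=12000 bytes_out=400000 first_payload=7b226964223a317d',
    'src=203.0.113.7 path=/ecp/healthcheck status=101 upgrade=websocket duration=7200 '
    'bytes_in=900000 bytes_out=850000 first_payload=5353482d322e302d4f70656e5353485f382e39',
    'src=198.51.100.9 path=/owa/auth/logon.aspx status=200 upgrade= duration=2 '
    'bytes_in=900 bytes_out=4000',
    'src=203.0.113.8 path=/ews/exchange.asmx status=101 upgrade=websocket duration=30 '
    'bytes_in=2000 bytes_out=1500 first_payload=0a1b2c',
    'garbage line without fields',
]

if __name__ == "__main__":
    for src, path, reasons in find_tunnels(SAMPLE_LOG):
        print(f"{src} {path}: {'; '.join(reasons)}")
```

On the sample, the legitimate notification stream on `/owa/notify` is not flagged, the long symmetric session carrying an SSH banner on `/ecp/healthcheck` trips all three heuristics, and the short upgrade on a non-allow-listed path is reported on the path rule alone, which is the kind of low-confidence hit worth correlating with the domain-controller and relay-node indicators the report describes.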