China Accuses U.S. of Cyberattacks on Major Encryption Provider, Alleging Theft of Sensitive Data

In a recent development, China’s National Computer Network Emergency Response Technical Team (CNCERT) has accused the United States of orchestrating a sophisticated cyberattack against a leading Chinese encryption service provider. The alleged intrusion, which reportedly took place in 2024, is said to have compromised critical cryptographic research and led to the exfiltration of substantial volumes of confidential business and governmental information.

Exploitation of CRM System Vulnerability

According to CNCERT’s detailed report, the attackers exploited an undisclosed vulnerability in the company’s Customer Relationship Management (CRM) system to gain initial access. The breach began with an arbitrary file upload, followed by the systematic deletion of log records to erase evidence of the intrusion.

On March 5, 2024, the perpetrators implanted a specialized Trojan horse program at the path /crm/WxxxxApp/xxxxxx/xxx.php within the CRM system. This malware enabled the execution of arbitrary network commands and employed advanced techniques to evade detection, including full communication encryption, string encoding, data compression, and complex cryptographic methods.

CNCERT’s analysis highlighted that the Trojan exhibited clear similarities with offensive tools previously associated with U.S. intelligence agency operations. The malware facilitated lateral movement within the network, allowing attackers to progressively navigate through the system post-initial breach in search of key data and assets.
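The two indicators CNCERT describes at this stage, a script file appearing under a web-accessible CRM path and log records disappearing afterwards, are both visible to a simple file-integrity baseline. The following Python script is an added example, not code from CNCERT’s report or from the affected vendor: it builds a constructed web root in a temporary directory, snapshots it, simulates the post-compromise state with a hypothetical placeholder file (the real path in the report is redacted and is not reproduced here), and reports new or modified server-side scripts together with log files that shrank or vanished between snapshots.

```python
"""Baseline-diff check for script drops and log wiping under a web root.

Added example; all paths and file contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Server-side script extensions that should never appear in upload directories.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".aspx"}


def snapshot(root: Path) -> dict:
    """Map each file (relative, POSIX-style path) to (sha256, size_in_bytes)."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            result[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots and return the findings a responder would triage."""
    findings = {"new_scripts": [], "changed_scripts": [],
                "shrunk_logs": [], "deleted_logs": []}
    for rel, (digest, _size) in after.items():
        if Path(rel).suffix.lower() in SCRIPT_EXTENSIONS:
            if rel not in before:
                findings["new_scripts"].append(rel)       # dropped script
            elif before[rel][0] != digest:
                findings["changed_scripts"].append(rel)   # tampered script
    for rel, (_digest, size) in before.items():
        if rel.endswith(".log"):
            if rel not in after:
                findings["deleted_logs"].append(rel)      # log removed
            elif after[rel][1] < size:
                findings["shrunk_logs"].append(rel)       # log truncated
    return findings


def demo() -> dict:
    """Run the check against a constructed web root (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "crm/app").mkdir(parents=True)
        (root / "crm/app/index.php").write_text("<?php echo 'crm'; ?>")
        (root / "crm/uploads").mkdir()
        (root / "crm/uploads/invoice.pdf").write_bytes(b"%PDF-1.4 constructed")
        (root / "logs").mkdir()
        (root / "logs/access.log").write_text("line1\nline2\nline3\n")
        before = snapshot(root)

        # Simulated post-compromise state: a script appears under an upload
        # directory and the access log loses lines. The file body is an
        # inert placeholder comment, not a functional web shell.
        (root / "crm/uploads/x.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "logs/access.log").write_text("line3\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the `before` snapshot would be taken from a known-good deployment and stored off-host, since an attacker who can delete logs can also overwrite a baseline kept on the same machine; the upload-directory check is also better enforced up front by denying script execution in those paths at the web server.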

Data Exfiltration and Scope of the Breach

Between March and September 2024, the attackers accessed the CRM system using 14 overseas proxy IP addresses, resulting in the theft of approximately 950 megabytes of data. The compromised information included details of over 600 registered users, more than 8,000 customer profiles, and over 10,000 contract orders, many of which were related to government entities and sensitive institutions.

The attack expanded on May 20, 2024, when the perpetrators employed lateral movement techniques to infiltrate the company’s product code and project management systems. From May to July 2024, the attackers targeted the source code management system using three additional proxy IPs, extracting approximately 6.2 gigabytes of data. This data encompassed password-protected source code for three research and development projects managed by 44 users.

Sophisticated Attack Patterns and Evasion Techniques

CNCERT’s forensic analysis revealed distinctive attack patterns. The cyberattacks primarily occurred between 10:00 PM and 8:00 AM Beijing time, corresponding to 10:00 AM to 8:00 PM U.S. Eastern time. Activity predominantly took place from Monday through Friday and paused during major holidays.

The attackers demonstrated advanced anti-tracking capabilities, utilizing 17 unique attack IPs that could change dynamically within seconds. These addresses were distributed across various countries, including the Netherlands, Germany, and South Korea. The operation showcased sophisticated evasion techniques, such as the extensive use of open-source or generic tools to hinder analysis and attribution, temporary implantation of common web Trojans in compromised systems, and systematic deletion of logs and malicious files to hinder detection and response efforts.
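The working-hours pattern and the rapid IP churn described in this section are the kind of hypotheses a responder tests against access records rather than reads off a single log line. The Python script below is an added example, not part of CNCERT’s report: it takes constructed access records stamped in Beijing time (UTC+8), converts them to a fixed UTC-4 offset (the 12-hour difference that the report’s 10:00 PM–8:00 AM Beijing to 10:00 AM–8:00 PM Eastern mapping implies; the daylight-saving switch is deliberately ignored), measures how much activity falls inside a 10:00–20:00 Monday-to-Friday window there, and counts how often consecutive requests arrive from different source addresses within a short interval. The sample IPs are from documentation ranges and the timestamps are invented.

```python
"""Working-hours and proxy-churn profiling of access records.

Added example; the records below are constructed, not real telemetry.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))
US_EASTERN_DST = timezone(timedelta(hours=-4))  # assumption: EDT, as the report's mapping implies

# (timestamp in Beijing local time, source IP) -- constructed sample data
SAMPLE_RECORDS = [
    ("2024-04-01T23:14:02", "203.0.113.10"),
    ("2024-04-01T23:14:30", "198.51.100.7"),   # different IP 28 s later
    ("2024-04-02T01:40:19", "198.51.100.7"),
    ("2024-04-02T03:02:55", "203.0.113.10"),
    ("2024-04-03T07:58:11", "192.0.2.44"),
    ("2024-04-06T02:15:00", "192.0.2.44"),     # Saturday in Beijing, Friday afternoon in the East
    ("2024-04-07T22:05:40", "203.0.113.99"),   # Sunday morning in the East: outside window
    ("2024-04-08T14:30:00", "198.51.100.7"),   # Beijing afternoon = 02:30 Eastern: outside window
]


def to_eastern(ts: str) -> datetime:
    """Interpret an ISO-8601 timestamp as Beijing time and shift it to UTC-4."""
    return datetime.fromisoformat(ts).replace(tzinfo=BEIJING).astimezone(US_EASTERN_DST)


def in_business_window(dt: datetime, start_hour: int = 10, end_hour: int = 20) -> bool:
    """True when dt falls on Monday-Friday between start_hour and end_hour (exclusive)."""
    return dt.weekday() < 5 and start_hour <= dt.hour < end_hour


def rapid_ip_switches(records, max_gap_seconds: int = 60) -> int:
    """Count consecutive requests from different IPs closer than max_gap_seconds."""
    ordered = sorted(records, key=lambda r: r[0])
    switches = 0
    for (ts_prev, ip_prev), (ts_cur, ip_cur) in zip(ordered, ordered[1:]):
        gap = datetime.fromisoformat(ts_cur) - datetime.fromisoformat(ts_prev)
        if ip_prev != ip_cur and gap <= timedelta(seconds=max_gap_seconds):
            switches += 1
    return switches


def profile(records) -> dict:
    """Summarise how well the records fit a remote-working-hours hypothesis."""
    total = len(records)
    eastern = [to_eastern(ts) for ts, _ in records]
    in_window = sum(1 for dt in eastern if in_business_window(dt))
    return {
        "total": total,
        "in_window": in_window,
        "in_window_ratio": in_window / total if total else 0.0,
        "distinct_ips": len(Counter(ip for _, ip in records)),
        "rapid_ip_switches": rapid_ip_switches(records),
        "eastern_hour_histogram": dict(Counter(dt.hour for dt in eastern)),
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

A high in-window ratio on its own is weak evidence, since it also matches any operator who happens to keep those hours; it becomes useful when combined with the holiday pauses the report mentions and with the address churn, which is why the profile reports both alongside the hour histogram rather than a single verdict.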

Context of Ongoing Cybersecurity Tensions

This disclosure comes amid escalating tensions between the U.S. and China over cybersecurity issues. In recent years, both nations have accused each other of state-sponsored cyber espionage and attacks. For instance, in December 2024, China’s national internet emergency response center reported detecting and addressing two incidents of U.S. cyberattacks targeting major Chinese technology firms since May 2023, aiming to steal trade secrets. ([reuters.com](https://www.reuters.com/world/china/chinas-internet-emergency-center-says-it-dealt-with-two-us-cyber-attacks-against-2024-12-18/?utm_source=openai))

Conversely, the U.S. has accused Chinese state-backed hackers of launching attacks against its critical infrastructure and government bodies. In June 2023, the U.S. Department of the Treasury alleged that Chinese government-backed hackers had breached the department’s computer security, gaining access to some unclassified documents. China’s Foreign Ministry dismissed these claims as groundless and politically motivated. ([news.cgtn.com](https://news.cgtn.com/news/2024-12-31/China-slams-groundless-accusations-of-a-cyberattack-on-the-U-S–1zMvSepZTpK/p.html?utm_source=openai))

The ongoing exchange of cyberattack allegations underscores the complex and contentious nature of U.S.-China relations in the digital domain. Both nations continue to invest heavily in cybersecurity measures and cyber capabilities, leading to a persistent cycle of accusations and denials.

Implications for Global Cybersecurity

The alleged cyberattack on China’s encryption provider highlights the vulnerabilities inherent in critical information infrastructure and the potential for significant data breaches. It also raises concerns about the security of sensitive data and the need for robust cybersecurity measures to protect against sophisticated state-sponsored attacks.

As cyber threats continue to evolve, it is imperative for nations to engage in dialogue and cooperation to establish norms and frameworks that promote cybersecurity and prevent the escalation of cyber conflicts. The international community must work together to address the challenges posed by cyber espionage and cyberattacks, ensuring the stability and security of the global digital landscape.