China conducts political and corporate espionage to access the networks of financial, defense and technology companies and research institutions in the United States. Email attachments attempting to enter the networks of US companies and organizations exploit security weaknesses in software. In 2019, CNN reported that China had created an extensive infrastructure charged with cyber espionage over the past two decades. A previous FBI head of counterintelligence said that "the Chinese have tens of thousands of young kids—like our MIT's or Stanford's best—hacking against the US." Some hackers work full-time and others work part-time.

In January 2010, Google reported "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." According to investigators, the Google cyber-attack targeted the Gmail accounts of Chinese human-rights activists. Chinese cyber-attacks seem to target strategic industries in which China lags; However, on September 28, 2020, the ban was temporarily blocked by a federal judge. In September 2022, it was reported during Congressional testimony that the FBI had informed Twitter of at least one MSS agent on its payroll. In January 2024, US authorities stated that they disrupted an operation by the Chinese state's advanced persistent threat called Volt Typhoon to target US critical infrastructure. In September 2024, Salt Typhoon, an advanced persistent threat (APT) affiliated with the MSS, was publicly reported to have gained access to multiple internet service providers in the U.S. and attempted to gain access to the phones of staff of the Kamala Harris 2024 presidential campaign as well as those of Donald Trump and JD Vance. In October 2024, The Washington Post reported that the US federal government formed a multi-agency team to address a 2024 hack of US telecommunications companies, conducted by Salt Typhoon, which affected systems that track federal wiretap requests. In September 2025, Phantom Taurus was identified as a new China-backed group that engages in espionage attacks, targeting foreign governments and militaries across Asia, Africa, and the Middle East.

== Cyber cases ==

In 2007, the computer security company McAfee alleged that China was actively involved in cyberwarfare, accusing the country of cyber-attacks on India, Germany and the United States; China denied knowledge of these attacks. In September 2007, former senior US information security official Paul Strassmann said that 735,598 computers in the US were "infested with Chinese zombies"; computers infected in this manner can theoretically form a botnet capable of carrying out unsophisticated yet potentially dangerous denial-of-service attacks. A cyber spying network known as GhostNet, using servers primarily based in China, was reported as tapping into the classified documents of government and private organizations in 103 countries (including Tibetan exiles); China denied the claim. In a July 2021 joint statement with NATO, the EU, and other Western nations, the US accused the Ministry of State Security of perpetrating several cyberattacks, most notably the 2021 Microsoft Exchange Server data breach.

== APT 1 ==

In December 2009 and January 2010, a cyberattack, known as Operation Aurora, was launched from China on Google and over 20 other companies. Google said that the attacks originated from China, and it would "review the feasibility" of its business operations in China as a result of the incident. According to Google, at least 20 other companies in a variety of sectors were also targeted by the attacks. According to McAfee, "this is the highest profile attack of its kind that we have seen in recent memory." In May 2014, a US federal grand jury indicted five Chinese military officers for cyber espionage and stealing trade secrets. Although the indictments have been called relatively meaningless, they could limit travel by the officers due to the US extradition treaties.

== APT 3 ==

In November 2017, the Department of Justice charged three Chinese employees of Guangzhou Bo Yu Information Technology Company Limited with hacking into corporate entities in the United States, including Siemens AG, Moody's Analytics, and Trimble Inc.

== APT 10 ==

Since at least 2013, a Chinese espionage group called TEMP.Periscope by FireEye is reported to have been engaged in espionage against maritime-related subjects. FireEye reported that the information targeted was likely of commercial and economic importance. Chinese hackers have stolen information on the Patriot missile system, the F-35 Joint Strike Fighter, and the US Navy's new littoral combat ship. These blueprints of US weapon and control systems were stolen to advance the development of Chinese weaponry. The protection of the South China Sea is highly important to the US because a Chinese cyber unit has already succeeded in an intrusion into the Philippines' government and military networks. Military documents, internal communications, and other sensitive materials related to the dispute were lost due to the cyber invasion.

In January and February 2018, Chinese state cyber actors reportedly stole 614 gigabytes of data from a Naval Undersea Warfare Center-affiliated contractor. The compromised material reportedly included information on a project dubbed "Sea Dragon", as well as United States Navy submarine cryptographic systems and electronic warfare. According to the cybersecurity firm Area 1, hackers working for the People's Liberation Army Strategic Support Force compromised the networks of the AFL–CIO in order to gain information on negotiations for the Trans-Pacific Partnership. As part of a campaign called Cloudhopper, hackers working for the Ministry of State Security compromised the networks of IBM and Hewlett Packard Enterprise, and used that access to compromise those companies' clients. The Cloudhopper attacks began no later than 2014, and included targets in Brazil, Germany, India, Japan, the United Arab Emirates, the United Kingdom, and the United States.

In October 2018, Bloomberg Businessweek published a story which alleged that Supermicro's contractors in China had been compromised by the People's Liberation Army in an operation to implant microchips with hardware backdoors in its servers. The report was widely disputed by the sources and companies who were named therein. In March 2019, reported that Chinese hackers had launched cyberattacks on dozens of academic institutions in an attempt to gain information on technology being developed for the United States Navy. Some of the targets included the University of Hawaii, the University of Washington, the Massachusetts Institute of Technology, and Woods Hole Oceanographic Institution.

known as "Coldface" or "ZHOU," for their roles in a years-long cyber intrusion campaign attributed to the advanced persistent threat group APT27, also known as "Emissary Panda," "Bronze Union," and "Silk Typhoon." The indictments allege that the defendants conducted sophisticated computer intrusions targeting U.S.-based defense contractors, technology firms, government agencies, and other institutions for financial gain. Both individuals are said to have ties to the Chinese government, specifically the Ministry of Public Security (MPS) and the Ministry of State Security (MSS), which allegedly directed or supported the hackers' activities. The criminal conduct spans from at least 2011 to 2024 and includes charges such as conspiracy, wire fraud, aggravated identity theft, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA). According to U.S. authorities, Yin and Zhou gained unauthorized access to victim networks by exploiting vulnerabilities, installing persistent malware, and exfiltrating sensitive data. Zhou allegedly brokered stolen data and access to compromised networks to third parties, some of whom were connected to the PRC government or military. The scheme also involved the use of virtual private servers (VPS) and internet domains to mask operations and facilitate data theft.

The Hafnium campaign, attributed to the APT40 group, exemplified the group's capacity for large-scale, indiscriminate cyberattacks, targeting over 60,000 U.S. entities and compromising more than 12,700 victims. The campaign underscored the persistent risks posed by state-sponsored hacking and the challenges of attribution and remediation in the global cybersecurity landscape.

== Indictments ==

In July 2025, the United States Department of Justice unsealed a nine-count indictment in the Southern District of Texas against Xu Zewei and Zhang Yu, both Chinese nationals, for their roles in these intrusions. The charges included conspiracy to commit wire fraud, wire fraud, unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft. Xu was arrested in Italy and faced extradition, while Zhang remained at large. The indictment highlighted use of a network of private contractors to obscure state involvement and maximize the scope of cyber-espionage operations.

== APT 41 ==

In July 2024, Mandiant reported a major resurgence in malware attacks by APT 41, a notorious hacking group backed by the Chinese government. The group was found targeting organizations in the shipping, logistics, technology, and automotive industries across Europe and Asia. In September 2020, the US Department of Justice (DOJ) had charged Chinese hackers Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang with breaching more than 100 companies, think tanks, universities and government agencies around the world. The DOJ linked them to APT 41 hacking activities.

== Indictments ==