Security Experts:

Connect with us

Hi, what are you looking for?



CIA Hackers Targeted China in Decade-Long Campaign: Chinese Security Firm

A report published on Monday by Chinese cybersecurity firm Qihoo 360 claims that the U.S. Central Intelligence Agency (CIA) conducted an 11-year-long cyberespionage operation aimed at China’s critical industries.

A report published on Monday by Chinese cybersecurity firm Qihoo 360 claims that the U.S. Central Intelligence Agency (CIA) conducted an 11-year-long cyberespionage operation aimed at China’s critical industries.

Qihoo’s research revolves around the Vault 7 files published in 2017 by WikiLeaks. The Vault 7 files include exploits and tools used by the CIA to target computers, routers, mobile devices, and IoT systems.

Other cybersecurity firms previously linked these tools and exploits to attacks launched by a threat group tracked as “Longhorn” and “The Lamberts” against entities in Europe, Asia and Africa. Qihoo said its own analysis revealed that many of the Vault 7 tools had been used to target Chinese organizations, even before the files were made public by WikiLeaks.

The targeted Chinese entities are said to include government agencies, scientific research institutions, internet companies, the petroleum sector, and aviation-related organizations, particularly in Beijing, Guangdong and Zhejiang. The Chinese company claims it’s aware of attacks launched by the CIA between September 2008 and June 2019.

Chinese regions targeted by CIA hackers

“In the CIA’s attack against Chinese aviation organizations and scientific research institutions, we found that attackers mainly targeted system developers in these sectors to carry out the campaigns,” Qihoo said in an English-language blog post. “These developers are mainly engaged in works like information technology of civil aviation, such as flight control system, freight information services, settlement and distribution services, passenger information system, etc.”

The company added, “We speculate that in the past eleven years of infiltration attacks, CIA may have already grasped the most classified business information of China, even of many other countries in the world. It does not even rule out the possibility that now CIA is able to track down the real-time global flight status, passenger information, trade freight and other related information. If the guess is true, what unexpected things will CIA do if it has such confidential and important information? Get important figures‘ travel itinerary, and then pose political threats, or military suppression?”

The threat actor linked by Qihoo to the CIA — the company tracks it as APT-C-39 — reportedly used many of the tools contained in the Vault 7 leaks in its attacks, even before they were made public. The company said some of the “attack weapons” used by APT-C-39 are associated with the U.S. National Security Agency (NSA), which reportedly assisted the CIA in developing cyber weapons.

Another piece of evidence suggesting that the attacks were launched by hackers in the United States is related to the fact that the hacking tools were compiled during North American business hours.

Qihoo said its research showed that former CIA employee Joshua Adam Schulte created many of the agency’s “important hacking tools.”

Schulte worked for a CIA group that develops spying tools, but he left the agency on poor terms just months before the Vault 7 files were released. He has been charged by U.S. authorities for allegedly sharing many of the agency’s hacking tools with WikiLeaks. At the end of his trial on Monday, prosecutors portrayed Schulte as vindictive, but the defense denied the accusations and said the man had been scapegoated.

China has often been accused of conducting cyber operations, but Qihoo says it has discovered over 40 sophisticated hacking groups, including ones sponsored by nation states, targeting China. The company claims that its research actually shows that “China is one of the main victims of APT attacks.”

Related: The United States and China – A Different Kind of Cyberwar

Related: US Hacked Chinese Mobile Operators, Tsinghua University: Snowden

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...