How China Spies on Nations Throughout Western Hemisphere

Mateo Haydar / Colin Agostisi /

A federal court in Virginia recently granted Microsoft the authority to seize websites used by a Chinese state-linked hacking group.

Known as Nickel, the group has successfully committed cyberattacks in up to 29 countries, including the United States,and 16 Latin American and Caribbean nations.

Microsoft has tracked ongoing Nickel operations since 2016, but analysts cite roughly 12 years of cyberespionage activity on Nickel’s part. Microsoft’s Threat Intelligence Center has identified Nickel’s targets as comprising government agencies, diplomatic entities, and civil society groups, including think tanks, universities, and human rights-related nongovernmental organizations.  

Since December, Microsoft’s Digital Crimes Unit has seized 42 U.S.-based websites targeted by Nickel. Tom Burt, Microsoft’s vice president for customer security and trust, assessed that Nickel used the websites to target the 29 reported countries.

According to Burt, the disruption won’t impede Nickel from continuing its hacking activities, but it does remove critical infrastructure used by the group to act globally. It also sheds light on the mechanisms used to extract sensitive information.

In a July 2020 report, Nickel was said to engage in surveillance campaigns against Uyghur Muslims and other minorities, including Tibetans and Muslims outside of China.

Nickel is identified in related cases by other names, including APT 15, KeChang, Mirage, Vixen Panda, Royal APT, and Playful Dragon. In effect, the same malware identified by Microsoft provides intelligence capacity for China’s genocidal human rights violations.

The report revealed this through GPS tracking of malware linked to Nickel. The monitoring shows that the first devices infected by the malware were all found near the offices of Xi’an Tian He Defense Technology, a large defense contractor in China with direct ties to the Chinese Communist Party.

The analysts assert that these initial infections were likely for the malware’s early development phase, meaning the malware was tested by the Chinese defense contractor.

Burt observes that “there is often a correlation between Nickel’s targets and China’s geopolitical interests.” Among those targets in the most recent case, Latin American and Caribbean nations make up a troubling majority. 

Along with the U.S., the Nickel-targeted nations include Argentina, Barbados, Brazil, Chile, Colombia, the Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Jamaica, Mexico, Panama, Peru, Trinidad and Tobago, and Venezuela—roughly half of all Western Hemisphere countries.

Much of Latin America and the Caribbean is seen as a recurring target, given prolonged vulnerabilities in cyber infrastructure and a shortage of cybersecurity professionals.

Cyberattacks in the region traced back to China are not new. In 2019, the website of the Inter-American Development Bank—which remains the leading source of multilateral financing for 26 countries in the region and has both the U.S. and China as non-borrowing members—was inundated with requests from more than 15,000 internet users from China, intermittently crashing parts of the bank’s website.

The attack came on the heels of the election of Inter-American Development Bank President Mauricio Claver-Carone, who has signaled consideration of Taiwan as a non-borrowing member.

 Nickel itself has targeted the region in the past. In 2017, analysts found that Nickel used related malware to infect diplomatic missions in Brazil, Chile, and Guatemala, along with Slovakia and Belgium.

Guatemala remains one of the few countries that recognizes Taiwan, even as several of its neighbors have switched their allegiance to Beijing between 2017 and 2018. Chile and Brazil may not be of concern to China regarding Taiwan—both recognize Beijing—but the two present critical opportunities for economic and military interests, given their resources, fairly sizable militaries, and strategic locations for ports and other maritime advantages.

According to a 2019 study of Chinese and Russian cyber operations in the region, Chinese military services increasingly use cyber means to execute intelligence operations against their counterparts in the hemisphere, including Brazil, Chile, Argentina, and Mexico.

The report also highlights repeated accusations against Chinese government entities of cyberespionage in the region favoring Chinese companies, often state-owned or state affiliated. Cyber-intelligence enables access to critical market information, coercion of local officials, intellectual-property theft against competitors, and influence operations aimed at decreasing local resistance to China.

While tracking the locations where cyberattacks originate from can be a less precise measurement of state activity, China remains a leading source of cyberattacks in the region. More worrisome is the nature and purpose of its operations, and the connections between the malware and China’s state-affiliated firms and geopolitical interests. Likewise, its scope of operations has grown, and with it, opportunities for coercion and manipulation of narratives.

Both the Biden administration and other governments of the region have been “radio silent” about the Nickel case and China’s growing cyber-intelligence offensive.

The White House blamed China for a similar case of espionage compromising Microsoft email servers in July, but it has failed to impose repercussions on China or individuals identified as being behind Nickel.

At a Senate hearing in July into the Colonial Pipeline hacking case, Sen. Ted Cruz, R-Texas, was met with deafening silence when asking administration officials why China had not been sanctioned for repeated cyberattacks.

Despite small wins in individual cases, these attacks are likely to continue. China has dramatically improved its cyberespionage capabilities, and its operations will increasingly reflect that.

Whether the United States and the other governments of the region understand that as threatening to their sovereignty, national security, and free markets—and respond accordingly—remains to be seen.

Have an opinion about this article? To sound off, please email [email protected] and we’ll consider publishing your edited remarks in our regular “We Hear You” feature. Remember to include the url or headline of the article plus your name and town and/or state.