News Analysis
For more than a decade, cybersecurity experts across the government and private sectors have sounded the alarm about the increasing risks posed by technology products manufactured in China.
The United States’ longstanding dependency on Chinese-made devices has been repeatedly exploited as part of a state-backed effort by China’s ruling communist regime to undermine the strategic interests and national security of the United States, from preinstalled malware on consumer devices to sabotage operations in critical infrastructure.
While not every Chinese-made device poses such a risk, the growing catalog of cyberattacks exploiting Chinese hardware underscores the need for vigilance when purchasing or using such products, and suggests the U.S. government may need to do more to curb its reliance on China for a broad array of devices.
Here’s a look at some of the most egregious documented uses of Chinese devices in cyberattacks from the last decade.
Chinese Malware Preinstalled on US Government-Funded Phones
Sending Americans’ most sensitive personal information directly to China probably wasn’t what the Federal Communications Commission had in mind when it decided to subsidize affordable mobile phones for millions of low-income Americans.
That’s exactly what happened, however.
Beginning in 2015, a wide range of budget Android phones manufactured by American company BLU in China were systematically preloaded with malware by suspected Chinese state-backed actors.
Those phones were found by cybersecurity company Kryptowire to have been preloaded with malicious software by the Shanghai Adups Technology Company, an opaque IT services company established in China in 2012, with which BLU had contracted to provide service updates for its devices.
The Adups code shipped as part of the phones' own firmware, inside the system-level wireless update and settings apps, so it could not be removed without rendering the phones unusable.
For years, Adups collected granular location data, contact lists, logs for calls and texts, and even the full contents of texts from Americans’ phones. Some of the phones even allowed remote actors believed to be based in China to take screenshots or otherwise seize control of the devices.
All of that data was then sent, encrypted, to a server in China, where Chinese Communist Party (CCP) law treats such information as a national resource available to the state, effectively transferring Americans' most personal data directly to the regime.
The activity escaped detection for some time because the malware was embedded in the phones' stock firmware as signed system software, which most mobile anti-malware tools trust by default on the assumption that a device's own system apps and firmware are not malicious.
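Because anti-malware apps trust whatever ships on the system partition, the practical check is an inventory of privileged preinstalled apps and the permissions they hold. The script below is an added example, not code from the article or from Kryptowire or Malwarebytes: it parses the output of `adb shell dumpsys package` and flags every package installed under a system partition that holds both a personal-data permission (SMS, call log, contacts, location) and `INTERNET`, the combination an exfiltrating updater needs. The line shapes it parses ("Package [name] (hash):", "codePath=...", "<permission>: granted=true") follow the common `dumpsys package` layout, which varies across Android versions, so treat the regexes as an assumption to adjust. The embedded dump and the package names in it (`com.example.fota` and the others) are constructed for the example, not taken from any real device.

```python
"""Flag privileged preinstalled Android apps that can both read personal data
and reach the network, from `adb shell dumpsys package` output.

Added example (not from the article). On a real device:
    adb shell dumpsys package > dump.txt
then call flag_packages(parse_dumpsys(open("dump.txt").read())).
"""
import re
from dataclasses import dataclass, field

# Permissions that grant access to the data classes the article describes
# being exfiltrated: texts, call logs, contacts, location.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
NETWORK_PERMISSION = "android.permission.INTERNET"
# Code paths that mean "shipped in firmware"; user-installed apps live in /data/app.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/")

# Assumed dumpsys line shapes (vary by Android version; adjust as needed).
PKG_RE = re.compile(r"^\s*Package \[(?P<name>[\w.]+)\] \(")
CODEPATH_RE = re.compile(r"^\s*codePath=(?P<path>\S+)")
PERM_RE = re.compile(r"^\s*(?P<perm>[\w.]+): granted=(?P<granted>true|false)")


@dataclass
class PackageInfo:
    name: str
    code_path: str = ""
    granted: set = field(default_factory=set)

    def on_system_partition(self):
        return self.code_path.startswith(SYSTEM_PREFIXES)


def parse_dumpsys(text):
    """Return {package_name: PackageInfo} from `dumpsys package` text."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = PackageInfo(m.group("name"))
            packages[current.name] = current
            continue
        if current is None:
            continue
        m = CODEPATH_RE.match(line)
        if m and not current.code_path:
            current.code_path = m.group("path")
            continue
        m = PERM_RE.match(line)  # "declared permissions" lines use prot=, so they are skipped
        if m and m.group("granted") == "true":
            current.granted.add(m.group("perm"))
    return packages


def flag_packages(packages):
    """System-partition packages holding a data permission plus INTERNET.

    Returns a sorted list of (package, code_path, [granted data permissions]).
    """
    findings = []
    for pkg in sorted(packages.values(), key=lambda p: p.name):
        if not pkg.on_system_partition():
            continue
        data = sorted(pkg.granted & DATA_PERMISSIONS)
        if data and NETWORK_PERMISSION in pkg.granted:
            findings.append((pkg.name, pkg.code_path, data))
    return findings


# Constructed sample dump (hypothetical package names, not real devices).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.fota] (1a2b3c):
    userId=1000
    codePath=/system/priv-app/FotaUpdater
    declared permissions:
      com.example.fota.permission.UPDATE: prot=signature
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ system_fixed ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ system_fixed ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ system_fixed ]
  Package [com.example.calculator] (4d5e6f):
    userId=10042
    codePath=/data/app/com.example.calculator-1
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ user_set ]
  Package [com.example.keyboard] (7a8b9c):
    userId=10010
    codePath=/system/app/Keyboard
    install permissions:
      android.permission.VIBRATE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ user_set ]
"""

if __name__ == "__main__":
    for name, path, perms in flag_packages(parse_dumpsys(SAMPLE_DUMP)):
        print(f"REVIEW {name} ({path}): {', '.join(perms)}")
```

On the sample, only `com.example.fota` is reported: the calculator has the same data access but lives in `/data/app`, where it can simply be uninstalled, and the keyboard is on the system partition but cannot reach the network. A flagged system package cannot be uninstalled without reflashing, but it can usually be disabled for the current user with `adb shell pm uninstall -k --user 0 <package>`; whether the device still boots and updates afterwards depends on what the package does, which is exactly the leverage a firmware-level implant has.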
It’s still unclear just how many Americans were caught up in the operation. Adups claimed on its website in 2016 to have a worldwide presence with more than 700 million active users, and that it also produced firmware integrated into mobile phones, semiconductors, wearable devices, cars, and televisions.
In 2018, the Federal Trade Commission settled charges with BLU, alleging that the company had misled its customers about the extent of the data Adups could collect.
Yet Adups emerged again in 2020, when cybersecurity firm Malwarebytes found that the company had preinstalled malware on budget mobile phones offered by Virgin Mobile’s Assurance Wireless program, another government-subsidized effort to make mobile phones available for low-income Americans.
Mystery Cellular Modems Hidden in US Ports
A congressional probe revealed in 2024 that Chinese-made cellular modems found in U.S. ports could facilitate cyber espionage and sabotage.
The report revealed that giant ship-to-shore cranes, which are used to unload cargo throughout the United States' largest ports, had been equipped with Chinese-manufactured cellular modems that served no documented purpose in the cranes' operation.
Investigators warned that the modems could allow unauthorized access to sensitive U.S. port operations, and that some of them had active connections to the cranes' operational components, suggesting the cranes could be controlled remotely through a device that no one at the port knew existed.
All of the cranes in question were manufactured in China by Shanghai Zhenhua Heavy Industries, a subsidiary of the state-owned China Communications Construction Co.
U.S. lawmakers noted at the time that Zhenhua’s manufacturing facility was located adjacent to China’s most advanced ship-making facility, where the regime builds its aircraft carriers and houses advanced intelligence capabilities.
In a letter dated Feb. 29, 2024, addressed to the president and chairman of Zhenhua, the lawmakers demanded to know the purpose of the cellular modems discovered on crane components and in a U.S. seaport’s server room that houses firewall and networking equipment.
U.S. Coast Guard Rear Adm. John Vann, who led the Coast Guard's Cyber Command at the time, said there were more than 200 China-manufactured cranes operating across U.S. ports and other regulated facilities, fewer than half of which had been thoroughly inspected for such devices.
Exploitation of Chinese Routers, Cameras
Chinese state-sponsored cyber actors have also been found exploiting vulnerabilities in network devices such as home routers, network-attached storage devices, and security cameras.
These devices, many of them manufactured in China, are compromised to serve as launch points for intrusions into other organizations' networks, turning flaws in certain Chinese-made devices into a foothold in American networks, according to the Cybersecurity and Infrastructure Security Agency.
In one major incident in 2016, Dahua Technology, a leading Chinese manufacturer of surveillance equipment, was linked to a distributed denial-of-service (DDoS) attack: more than a million devices, Dahua products among them, were compromised and assembled into two botnets, which were then used to flood the website of a cybersecurity journalist in a DDoS and extortion campaign.
In 2021, security researchers found a flaw in Dahua's software that allowed attackers to bypass authentication and seize control of the devices.
Chinese state-sponsored cyber actors have continued to extensively target these and similar vulnerabilities in Chinese-made security cameras and webcams in the years since.
In February of this year, the Department of Homeland Security distributed a bulletin warning that large numbers of such cameras were still in use throughout U.S. infrastructure sites, including in the electrical grid and ports.
That bulletin warned that Chinese-manufactured devices were especially likely to be exploited in cyberattacks and that tens of thousands of the devices had already been used to that end.