Chinese Hackers

[kyonides]

Chinese hackers and user lapses turn smartphones into a ‘mobile security crisis’

Cybersecurity investigators noticed a highly unusual software crash — it was affecting a small number of smartphones belonging to people who worked in government, politics, tech and journalism.

The crashes, which began late last year and carried into 2025, were the tipoff to a sophisticated cyberattack that may have allowed hackers to infiltrate a phone without a single click from the user.

The attackers left no clues about their identities, but investigators at the cybersecurity firm iVerify noticed that the victims all had something in common: They worked in fields of interest to China’s government and had been targeted by Chinese hackers in the past.

Foreign hackers have increasingly identified smartphones, other mobile devices and the apps they use as a weak link in U.S. cyberdefenses. Groups linked to China’s military and intelligence service have targeted the smartphones of prominent Americans and burrowed deep into telecommunication networks, according to national security and tech experts.

It shows how vulnerable mobile devices and apps are and the risk that security failures could expose sensitive information or leave American interests open to cyberattack, those experts say.

“The world is in a mobile security crisis right now,” said Rocky Cole, a former cybersecurity expert at the National Security Agency and Google and now chief operations officer at iVerify. “No one is watching the phones.”

US zeroes in on China as a threat, and Beijing levels its own accusations

U.S. authorities warned in December of a sprawling Chinese hacking campaign designed to gain access to the texts and phone conversations of an unknown number of Americans.

“They were able to listen in on phone calls in real time and able to read text messages,” said Rep. Raja Krishnamoorthi of Illinois. He is a member of the House Intelligence Committee and the senior Democrat on the Committee on the Chinese Communist Party, created to study the geopolitical threat from China.

Chinese hackers also sought access to phones used by Donald Trump and running mate JD Vance during the 2024 campaign.

The Chinese government has denied allegations of cyberespionage, and accused the U.S. of mounting its own cyberoperations. It says America cites national security as an excuse to issue sanctions against Chinese organizations and keep Chinese technology companies from the global market.

“The U.S. has long been using all kinds of despicable methods to steal other countries’ secrets,” Lin Jian, a spokesman for China’s foreign ministry, said at a recent press conference in response to questions about a CIA push to recruit Chinese informants.

U.S. intelligence officials have said China poses a significant, persistent threat to U.S. economic and political interests, and it has harnessed the tools of digital conflict: online propaganda and disinformation, artificial intelligence and cyber surveillance and espionage designed to deliver a significant advantage in any military conflict.

Mobile networks are a top concern. The U.S. and many of its closest allies have banned Chinese telecom companies from their networks. Other countries, including Germany, are phasing out Chinese involvement because of security concerns. But Chinese tech firms remain a big part of the systems in many nations, giving state-controlled companies a global footprint they could exploit for cyberattacks, experts say.

Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group

The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially-related intrusions into several targets between July 2024 and March 2025.

"The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors," SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

Some of the targeted sectors include manufacturing, government, finance, telecommunications, and research. Also present among the victims was an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time of the breach in early 2025.

The malicious activity has been attributed with high confidence to China-nexus threat actors, with some of the attacks tied to a threat cluster dubbed PurpleHaze, which, in turn, overlaps with Chinese cyber espionage groups publicly reported as APT15 and UNC5174.

In late April 2024, SentinelOne first disclosed PurpleHaze-related reconnaissance activity targeting some of its servers that were deliberately accessible over the internet by "virtue of their functionality."

"The threat actor's activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions," the researchers said.

It's currently not known if the attackers' intent was to just target the IT logistics organization or if they planned to expand their focus to downstream organizations as well. Further investigation into the attacks has uncovered six different activity clusters (named to A to F) that date back to June 2024 with the compromise of an unnamed South Asian government entity.

Report: Chinese Hackers Breached U.S. Telecoms Earlier than Previously Known

Corporate investigators have reportedly discovered evidence that Chinese hackers infiltrated an American telecommunications company in the summer of 2023, suggesting that China’s attackers penetrated the U.S. communications system far earlier than publicly known.

Bloomberg reports that corporate investigators working for an unnamed U.S. telecommunications firm have uncovered that Chinese state-backed hackers had breached the company’s systems in the summer of 2023, nearly a year before the publicly disclosed Salt Typhoon espionage campaign targeting multiple US telecom providers. The discovery, which has not been previously reported, raises questions about the timeline of China’s foothold in the American communications industry.

According to two people familiar with the matter and an unclassified report seen by Bloomberg News, the investigators found that malware used by Chinese state-backed hacking groups had been present on the company’s systems for seven months, starting in the summer of 2023. The report, sent to Western intelligence agencies, does not name the compromised telecommunications company.

The 2023 intrusion predates the well-publicized Salt Typhoon campaign, which the US government has attributed to Chinese state-backed hackers. In the Salt Typhoon breaches, hackers infiltrated multiple major US telecommunications companies, including AT&T and Verizon Communications, siphoning personal data of millions of Americans and targeting the phones of high-profile individuals such as then-presidential candidate Donald Trump, his running mate JD Vance, and then-Vice President Kamala Harris.

The malware used in the 2023 breach, known as Demodex, is a rootkit that provides hackers with deep and secretive access to infected machines. Several cybersecurity companies have linked Demodex to Chinese hacking groups targeting telecommunications companies and governments in Southeast Asia. The malware has also been tied to the Salt Typhoon attackers and other hacking groups.

In the 2023 breach, hackers gained access to the computers of IT administrators at the targeted U.S. telecommunications company. The investigation revealed that the malware remained on the firm’s systems until late winter of 2024. Demodex is designed to leave few digital traces, making it challenging to determine the full extent of the hackers’ activities once inside the breached machines.

The Chinese government embassy in Washington emphasized the difficulty of determining the origins of hacks and accused the US and its allies of being responsible for cyberattacks on China. The embassy spokesperson, Liu Pengyu, called on the relevant party to “stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”

MORE CHINESE CYBER ATTACKS OR HACKS?

Washington Post’s China reporters among journalists targeted in cyberattack

A cyberattack on The Washington Post compromised the email accounts of several journalists and was most likely the work of a foreign government, The Wall Street Journal reported on Sunday.

Matt Murray, The Washington Post’s executive editor, said in an internal memo that the breach was discovered on Thursday and an investigation had been initiated, The Wall Street Journal reported.

Staff at The Washington Post were told the intrusions compromised journalists’ Microsoft accounts and could have granted the intruder access to work emails, The Wall Street Journal reported, citing people familiar with the situation.

The reporters whose emails were targeted included members of the national security and economic policy teams, including some who write about China, the report added.

The Washington Post did not immediately respond to Reuters’ request for comment. In 2022, News Corp, which publishes The Wall Street Journal, was breached by digital intruders.

The email accounts and data of an unspecified number of journalists were compromised in that incident.

M&S hackers sent abuse and ransom demand directly to CEO

The Marks & Spencer hackers sent an abuse-filled email directly to the retailer's boss gloating about what they had done and demanding payment, BBC News has learnt.

The message to M&S CEO Stuart Machin - which was in broken English - was sent on the 23 April from the hacker group DragonForce using an employee email account.

The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge.

"We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote.

"The dragon wants to speak to you so please head over to [our darknet website]."

The cyber attack has been hugely damaging for M&S, costing it an estimated £300m. More than six weeks on, it is still unable to take online orders

The extortion email was shown to the BBC by a cyber-security expert.

The message, which includes a racist term, was sent to the M&S CEO and seven other executives.

As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.

Nearly three weeks later customers were informed by the company that their data may have been stolen.

The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade.

The Indian IT worker based in London has an M&S email address but is a paid TCS employee.

It appears as though he himself was hacked in the attack.

TCS has previously said it is investigating whether it was the gateway for the cyber-attack.

The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.

M&S has declined to comment entirely.

'We can both help each other'
A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.

Sharing the link – the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us."

The criminals also appear to have details about the company's cyber-insurance policy too saying "we know we can both help each other handsomely : ))".

The M&S CEO has refused to say if the company has paid a ransom to the hackers.

DragonForce ended the email with an image of a dragon breathing fire.