Front Company or Real Business in China’s Cyber Operations
Distinguishing whether entities are front companies or real businesses can help us understand the strategy, scalability, and persistency of Chinese state-sponsored cyber operations.
The Natto Team’s previous post about Intrusion Truth questioned the pattern Intrusion Truth identified in Chinese Ministry of State Security (MSS) cyber operations. Intrusion Truth described the pattern thus: “a regional office of the MSS (Ministry of State Security) creates a company, hires a team of hackers and attacks Western targets.” In this telling, the MSS creates a company, which is commonly known as a front company. However, the i-SOON leaks confirm the Natto Team’s previous assessment that the pattern is more nuanced. The MSS not only creates companies that are purely front companies, but also works with existing companies such as i-SOON, which are real businesses. The Natto Team assesses that it is important to distinguish whether entities involved in cyber operations are front companies or real businesses. This nuance can help us understand the strategy, scalability, and persistency of China’s state-sponsored cyber operations.
Front Company Definition
According to Collins Dictionary, a front company is an entity that “acts as the face of another organization or group, for example a crime group or intelligence agency, in order to conceal the activities of that organization or group.” This means front companies are set up as a façade to disguise the origin of the activities they conduct. “Unlike standard businesses, front companies may engage in regular commercial operations, but their primary purpose isn't profit-making in the traditional sense. Instead, they serve as a smokescreen for activities such as money laundering, tax evasion, or illegal trade,” Tookitaki, a Singapore based financial crime detection and prevention company, explains. “The key characteristic of a front company is its dual nature: a legitimate business appearance combined with hidden illegal operations. The distinction between a front company and a legitimate business lies in the intent and transparency of operations. Legitimate businesses operate with the primary goal of providing goods or services, maintaining transparency in their financial and operational dealings. While front companies may conduct some real business activities, these are often secondary to their hidden agendas.”
Taking this explanation into the context of Chinese cyber operations, state agencies establish front companies to disguise their cyber activities. These front companies appear to be legitimate businesses such as information technology companies, but their goal is not to make profits by providing goods or services. Rather, they pursue a hidden agenda: to conduct cyber operations to serve the Chinese state’s objectives.
Front Companies Operated by the Chinese State in Cyber Operations
Over the years, researchers’ reports and US Department of Justice (DoJ) indictments have identified quite a few front companies that the Chinese Ministry of State Security (MSS) established as disguises for its cyber operations. For example, the following front companies are allegedly associated with Chinese Advanced Persistent Threat (APT) groups APT10, APT40 and APT31, respectively:
Tianjin Huaying Haitai Science and Technology Development Company (天津华盈海泰科技发展有限公司) (Tianjin Huaying Haitai), established in 2010, was allegedly associated with APT10, a threat group operated by the MSS’s Tianjin State Security Bureau.
Hainan Xiandun Technology Development Co., Ltd. (海南仙盾科技开发有限公司) (Hainan Xiandun), established in 2011, was allegedly associated with APT40, a threat group operated by the MSS’s Hainan State Security Department, a provincial state security bureau.
Wuhan Xiaoruizhi Science and Technology Company (武汉晓睿智科技有限公司) (Wuhan XRZ), established in 2010, was allegedly associated with APT31, a threat group operated by the MSS’s Hubei State Security Department.
Besides their alleged direct association with the MSS, these front companies share several common characteristics that the Natto Team has identified through examining reports and DoJ indictments:
they have a limited digital footprint.
they are registered to provide information technology services but do not show much business activity.
they have fewer than 10 employees.
their entries in business registries show no records of legal or operating risks.
they often have registered no intellectual property in patent or copyright databases.
The US DoJ indictments of APT40 and APT31 explicitly identified Hainan Xiandun and Wuhan XRZ as front companies that were created by Hainan State Security Department and Hubei State Security Department, respectively. The US Treasury and State Departments and the UK Foreign Office also referred to Wuhan XRZ as a front company.
The case of Tianjin Huaying Haitai is more complex. In its August 15, 2018 investigation of APT10, Intrusion Truth characterized Tianjin Huaying Haitai as an MSS front company, basing this assessment on Uber receipts associated with one APT10 actor who frequently traveled to the Tianjin State Security Bureau. In contrast, when the US DoJ indicted APT10 members in December 2018, the indictment did not use the words “front company.” Rather, it merely indicated that the alleged APT actors “worked for” Tianjin Huaying Haitai and “acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.” In 2020, Tianjin Huaying Haitai was on several sanction lists: French Freezing of Assets, European Union Financial Sanctions Files, United Kingdom HMT/OFSI Consolidated List of Targets and Belgian Financial Sanctions.
A Product of Their Time?
One interesting observation about these three front companies is that they were established in the 2010 and 2011 timeframe, when China’s cybersecurity industry was in its early developing period. The MSS likely had few cybersecurity companies to choose from and work with. At that time, the MSS might have seen the need to create front companies as a means of identifying talent and having direct control over cyber operations. In the APT40 and Hainan Xiandun cases, Hainan State Security reached out to local universities to assist with recruitment and used a university professor of information security as the front company’s contact person. However, the MSS directly orchestrated the operations that employees of these companies undertook.
After the DoJ unsealed the indictments, the business status of these three front companies in the Chinese business registration database changed. Tianjin Huaying Haitai was “deregistered” (注销) and Hainan Xiandun was “suspended” (吊销). Only Wuhan XRZ was listed as “operating” (在营) as of May 21, 2024. Since Wuhan XRZ’s indictment was unsealed less than two months before this writing, it is understandable if the business is still in operation.
Real Businesses Involved in State-sponsored Cyber Operations
The leaked internal documents of i-SOON, a Chinese information security company which the Natto Team has discussed multiple times since October 2023, depicted the complex network of China’s information security companies and their precarious relationship with their “clients” – various level offices of the MSS, the Ministry of Public Security, other government agencies and the Chinese People’s Liberation Army (PLA). Unlike front companies such as Hainan Xiandun or Wuhan XRZ, companies like i-SOON are ultimately businesses that provide goods or services for profit.
In addition to i-SOON, companies that might initially appear to be mere front companies but instead have the characteristics of real businesses include Boyusec, associated with the threat group APT3, and Chengdu 404, associated with the threat group APT41 (case study discussed below). These companies have wide-ranging digital footprints. Their slick company websites openly brag about the companies’ accomplishments, their involvement in community activities such as providing scholarships to university students or supporting local poverty relief projects, and the companies’ certifications.
Case Study of a Real Business: APT41 and Chengdu 404
Another example of legitimate businesses conducting state-sponsored cyber operations is the infamous APT41 and its associated company, Chengdu 404 Network Technology Company (Chengdu 404). Some reports have characterized it as a front company. However, by all the criteria listed above – broad digital footprint, wide range of business, and supporting local university students – Chengdu 404 stands out as a real business rather than a front company.
On September 16, 2020, the US Department of Justice (DOJ) released a report detailing three separate indictments. Two of these indictments, one originally filed in August 2019 and the other in August 2020, charged five Chinese individuals with computer intrusions against more than one hundred companies located in the United States and abroad. The indictments attributed the intrusions to APT41 (aka BARIUM), a cyber threat group that security companies have tracked under various names. Three of the five individuals the indictments named—Jiang Lizhi, Qian Chuan, and Fu Qiang—were leaders of Chengdu 404, a network security company based in Chengdu, Sichuan province. Within Chengdu 404, Qian Chuan was president, Jiang Lizhi served as vice president for the Technical Department, and Fu Qiang served as manager for Big Data Development.
Examination of the company’s website and business registration information shows that Chengdu 404’s business resembled the role of a red team or an offensive security team. Established in May 2014, Chengdu 404 claimed its services included penetration testing, APT attack monitoring, firmware trojan detection, mobile device forensics, research and products related to password recovery and anonymous proxy. The business partners listed in Chengdu 404’s website included state-owned enterprises, universities, and government agencies related to information security.
According to its website, Chengdu 404 appears to be one of the top cyber security companies in Sichuan Province. The Chengdu Information Network Security Association, a local industry association, named the company one of the outstanding companies in 2019. In December 2019, the Sichuan Bureau of the National Administration of State Secrets Protection awarded the Class B qualification of software development for confidential information system to Chengdu 404 which allowed the company to engage in classified state projects. Chengdu 404 also demonstrated its capabilities by developing proprietary software and patents. According to Chengdu 404’s business registration information, the company owns four patents and 39 proprietary software products. The most recent patent, a platform for processing dark net intelligence, was registered on July 10, 2020. The most recent proprietary software products were issued in 2022, including a vulnerability assessment management system and a distributed process management system.
Three indicted hackers from Chengdu 404 had appeared in local media as technologists with visions and patriotic spirit. In October 2018, Sichuan Economic Daily, a provincial government newspaper, published an interview with key personnel of Chengdu 404. The interview explained these hackers were “not typical hackers,” but “hidden Chengdu white hats who take things seriously.” The hackers claimed they were not crass “businessmen,” but gentlemanly “entrepreneurs,” and they alluded to the classical Chinese saying about “certain things that a gentleman would do, or not do (君子有所为有所不为).” They appeared to hold themselves to a high standard, aspiring to contribute to society and national security while also making their own technological dreams come true.
After the DOJ’s disclosure of APT41’s indictments, Chengdu 404 did not stop its operations. The company’s hiring posts continued appearing at various Chinese recruitment platforms.
It is very clear that Chengdu 404 operated as a real business, doing what a business normally does to achieve its business goals – making profit by providing products and services.
China’s Cyber Operation Strategy: Working Through a Front Company or a Real Business
The three front companies in the cases mentioned previously were established in the 2010 and 2011 timeframe when China’s cybersecurity industry was in its early developing period and the MSS had few companies with which to partner. However, in the past 10 years, China’s cybersecurity industry has seen tremendous growth at a compound annual growth rate of about 12.4 percent. In the meantime, the growing cybersecurity industry has nurtured many skilled cyber experts. Private cyber security companies are where the talent and innovation are. These companies develop valuable tools for the state and local authorities to use, such as the products and services that i-SOON and its partner companies offer. These companies diligently discover vulnerabilities and develop exploits to improve their own efficiency so they can expand their business.
In this context, it makes sense that the Chinese government utilizes resources from private cyber security companies to conduct cyber operations. Of course, the Chinese MSS is unlikely to give up creating front companies for cyber operations soon, particularly in cases for which the MSS sees direct involvement as necessary. However, incorporating private sector companies into China’s cyber warfare forces has been a central pillar of the country’s national strategy since the early 2000s. Compared with creating front companies for cyber operations, using private companies or real businesses for China’s cyber operations has at least two advantages: scalability and persistency.
Scalability
The scalability of a nation state’s cyber capability is important to its overall cyber power. China’s growing cybersecurity industry has provided much-needed resources for the country. Incorporating private sector resources into building cyber power accelerates the process and expands the scale. The 2017 Military-Civil Fusion Strategy is one of the government policies that promoted cyber security companies’ participation in the building of China’s cyber capability.
Under the civil-military fusion strategy, many cyber security companies were recruited or actively participated in projects that had military applications. Companies such as Antiy Technology Group Co., Ltd. (安天科技) were named as part of the national team of cyber security. A PLA unit recognized Antiy for providing technical support and network security services during a satellite launch. In addition, leading cyber security companies such as Qihoo 360 Technology Co. Ltd, Beijing Zhidaochuangyu Information Technology Co. Ltd, NSFOCUS Technologies Group Co. Ltd, QiAn Xin Technology Group Inc, and Topsec Technologies Group Inc have military-civil fusion centers or participate in projects related to China’s military-civil fusion strategy.
Persistency
Real businesses provide persistency for China’s cyber operations. In the cases of i-SOON and Chengdu 404, we have observed real businesses are driven by the profit motive and work diligently to make profits. The i-SOON leak showed that Chinese information security companies have cultivated their own ecosystem, navigating the complexities of engaging with diverse government entities and operating both collaboratively and independently. In some instances, these companies engaged in fierce competition, actively recruiting talent from one another, while in others, they collaborated to manipulate government contract bidding processes. These companies considered government clients to be one of their important revenue sources. While companies keep pursuing those business opportunities, the state-sponsored cyber operations will likely maintain their persistency.
Well, no matter whether they use a front company or real business, China’s intelligence services need to get the job done.
In a different context the Natto Team has attempted to elucidate whether certain Russian hacktivist personas are fabricated front entities or real people whom Russian state actors have coopted.