nytimes.com
By Chris Buckley and Adam Goldman
Sept. 28, 2025
Fears of U.S. surveillance drove Xi Jinping, China’s leader, to elevate the agency and put it at the center of his cyber ambitions.
American officials were alarmed in 2023 when they discovered that Chinese state-controlled hackers had infiltrated critical U.S. infrastructure with malicious code that could wreck power grids, communications systems and water supplies. The threat was serious enough that William J. Burns, the director of the C.I.A., made a secret trip to Beijing to confront his Chinese counterpart.
He warned China’s minister of state security that there would be “serious consequences” for Beijing if it unleashed the malware. The tone of the meeting, details of which have not been previously reported, was professional and it appeared the message was delivered.
But since that meeting, which was described by two former U.S. officials, China’s intrusions have only escalated. (The former officials spoke on the condition of anonymity because they were not authorized to speak publicly about the sensitive meeting.)
American and European officials say China’s Ministry of State Security, the civilian spy agency often called the M.S.S., in particular, has emerged as the driving force behind China’s most sophisticated cyber operations.
In recent disclosures, officials revealed another immense, yearslong intrusion by hackers who have been collectively called Salt Typhoon, one that may have stolen information about nearly every American and targeted dozens of other countries. Some countries hit by Salt Typhoon warned in an unusual statement that the data stolen could provide Chinese intelligence services with the capability to “identify and track their targets’ communications and movements around the world.”
The attack underscored how the Ministry of State Security has evolved into a formidable cyberespionage agency capable of audacious operations that can evade detection for years, experts said.
For decades, China has used for-hire hackers to break into computer networks and systems. These operatives sometimes mixed espionage with commercial data theft or were sloppy, exposing their presence. In the recent operation by Salt Typhoon, however, intruders linked to the M.S.S. found weaknesses in systems, burrowed into networks, spirited out data, hopped between compromised systems and erased traces of their presence.
“Salt Typhoon shows a highly skilled and strategic side to M.S.S. cyber operations that has been missed with the attention on lower-quality contract hackers,” said Alex Joske, the author of a book on the ministry.
For Washington, the implication of China’s growing capability is clear: In a future conflict, China could put U.S. communications, power and infrastructure at risk.
China’s biggest hacking campaigns have been “strategic operations” intended to intimidate and deter rivals, said Nigel Inkster, a senior adviser for cybersecurity and China at the International Institute for Strategic Studies in London.
“If they succeed in remaining on these networks undiscovered, that potentially gives them a significant advantage in the event of a crisis,” said Mr. Inkster, formerly director of operations and intelligence in the British Secret Intelligence Service, MI6. “If their presence is — as it has been — discovered, it still exercises a very significant deterrent effect; as in, ‘Look what we could do to you if we wanted.’”
The Rise of the M.S.S.
China’s cyber advances reflect decades of investment to try to match, and eventually rival, the U.S. National Security Agency and Britain’s Government Communications Headquarters, or GCHQ.
China’s leaders founded the Ministry of State Security in 1983 mainly to track dissidents and perceived foes of Communist Party rule. The ministry engaged in online espionage but was long overshadowed by the Chinese military, which ran extensive cyberspying operations.
After taking power as China’s top leader in 2012, Xi Jinping moved quickly to reshape the M.S.S. He seemed unsettled by the threat of U.S. surveillance to China’s security, and in a 2013 speech pointed to the revelations of Edward J. Snowden, the former U.S. intelligence contractor.
Mr. Xi purged the ministry of senior officials accused of corruption and disloyalty. He reined in the hacking role of the Chinese military, elevating the ministry as the country’s primary cyberespionage agency. He put national security at the core of his agenda with new laws and by establishing a new commission.
“At this same time, the intelligence requirements imposed on the security apparatus start to multiply, because Xi wanted to do more things abroad and at home,” said Matthew Brazil, a senior analyst at BluePath Labs who has co-written a history of China’s espionage services.
Since around 2015, the M.S.S. has moved to bring its far-flung provincial offices under tighter central control, said experts. Chen Yixin, the current minister, has demanded that local state security offices follow Beijing’s orders without delay. Security officials, he said on a recent inspection of the northeast, must be both “red and expert” — absolutely loyal to the party while also adept in technology.
“It all essentially means that the Ministry of State Security now sits atop a system in which it can move its pieces all around the chessboard,” said Edward Schwarck, a researcher at the University of Oxford who is writing a dissertation on China’s state security.
Mr. Chen was the official who met with Mr. Burns in May 2023. He gave nothing away when confronted with the details of the cyber campaign, telling Mr. Burns he would let his superiors know about the U.S. concerns, the former officials said.
The Architect of China’s Cyber Power
The Ministry of State Security operates largely in the shadows, its officials rarely seen or named in public. There was one exception: Wu Shizhong, who was a senior official in Bureau 13, the “technical reconnaissance” arm of the ministry.
Mr. Wu was unusually visible, turning up at meetings and conferences in his other role as director of the China Information Technology Security Evaluation Center. Officially, the center vets digital software and hardware for security vulnerabilities before it can be used in China. Unofficially, foreign officials and experts say, the center comes under the control of the M.S.S. and provided a direct pipeline of information about vulnerabilities and hacking talent.
Mr. Wu has not publicly said he served in the security ministry, but a Chinese university website in 2005 described him as a state security bureau head in a notice about a meeting, and investigations by Crowd Strike and other cybersecurity firms have also described his state security role.
“Wu Shizhong is widely recognized as a leading figure in the creation of M.S.S. cyber capabilities,” said Mr. Joske.
In 2013, Mr. Wu pointed to two lessons for China: Mr. Snowden’s disclosures about American surveillance and the use by the United States of a virus to sabotage Iran’s nuclear facilities. “The core of cyber offense and defense capabilities is technical prowess,” he said, stressing the need to control technologies and exploit their weaknesses. China, he added, should create “a national cyber offense and defense apparatus.”
China’s commercial tech sector boomed in the years that followed, and state security officials learned how to put domestic companies and contractors to work, spotting and exploiting flaws and weak spots in computer systems, several cybersecurity experts said. The U.S. National Security Agency has also hoarded knowledge of software flaws for its own use. But China has an added advantage: It can tap its own tech companies to feed information to the state.
“M.S.S. was successful at improving the talent pipeline and the volume of good offensive hackers they could contract to,” said Dakota Cary, a researcher who focuses on China’s efforts to develop its hacking capabilities at SentinelOne. “This gives them a significant pipeline for offensive tools.”
The Chinese government also imposed rules requiring that any newly found software vulnerabilities be reported first to a database that analysts say is operated by the M.S.S., giving security officials early access. Other policies reward tech firms with payments if they meet monthly quotas of finding flaws in computer systems and submitting them to the state security-controlled database.
“It’s a prestige thing and it’s good for a company’s reputation,” Mei Danowski, the co-founder of Natto Thoughts, a company that advises clients on cyber threats, said of the arrangement. “These business people don’t feel like they are doing something wrong. They feel like they are doing something for their country.”
techcrunch.com
Lorenzo Franceschi-Bicchierai
9:11 AM PDT · September 2, 2025
The Israeli spyware maker now faces the dilemma of whether to continue its relationship with U.S. Immigration and Customs Enforcement and help fuel its mass deportations program.
U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million.
Shortly after, the Biden administration put the contract under review, issuing a “stop work order,” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware that could violate human rights or target Americans abroad.
Almost a year later, when it looked like the contract would just run out and never become active, ICE lifted the stop work order, according to public records.
“This contract is for a fully configured proprietary solution including license, hardware, warranty, maintenance, and training. This modification is to lift the stop work order,” read an update dated August 30 on the U.S. government’s Federal Procurement Data System, a database of government contracts.
Independent journalist Jack Poulson was the first to report the news in his newsletter.
Paragon has for years cultivated the image of being an “ethical” and responsible spyware maker, in contrast with controversial spyware purveyors such as Hacking Team, Intellexa, and NSO Group. On its official website, Paragon claims to provide its customers with “ethically based tools, teams, and insights.”
The spyware maker faces an ethical dilemma. Now that the contract with ICE’s Information Technology Division is active, it’s up to Paragon to decide whether it wants to continue its relationship with ICE, an agency that has dramatically ramped up mass deportations and expanded its surveillance powers since Donald Trump took over the White House.
Emily Horne, a spokesperson for Paragon, as well as executive chairman John Fleming, did not respond to a request for comment.
In an attempt to show its good faith, in February of this year, Fleming told TechCrunch that the company only sells to the U.S. government and other unspecified allied countries.
Paragon has already had to face a thorny ethical dilemma. In January, WhatsApp revealed that around 90 of its users, including journalists and human rights workers, had been targeted with Paragon’s spyware, called Graphite. In the following days and weeks, Italian journalist Francesco Cancellato and several local pro-immigration activists came forward saying they were among the victims.
In response to this scandal, Paragon cut ties with the Italian government, which had in the meantime launched an inquiry to determine what happened. Then, in June, digital rights research group Citizen Lab confirmed that two other journalists, an unnamed European and a colleague of Cancellato, had been hacked with Paragon’s spyware.
An Italian parliament committee concluded that the spying of the pro-immigration activists was legal, but it also claimed that there was no evidence that Italy’s intelligence agencies, former Paragon customers, had targeted Cancellato.
John Scott-Railton, a senior researcher at Citizen Lab, who has investigated cases of spyware abuse for more than a decade, told TechCrunch that “these tools were designed for dictatorships, not democracies built on liberty and protection of individual rights.”
The researcher said that even spyware is “corrupting,” which is why “there’s a growing pile of spyware scandals in democracies, including with Paragon’s Graphite. Worse, Paragon is still shielding spyware abusers. Just look at the still-unexplained hacks of Italian journalists.”
uk.news.yahoo.com - Records show hundreds of data breaches involving HMRC staff
HM Revenue and Customs (HMRC) has revealed that hundreds of staff have accessed the records of taxpayers without permission or breached security in other ways. HMRC dismissed 50 members of staff last year for accessing or risking the exposure of taxpayers’ records, according to The Telegraph.
354 tax employees have been disciplined for data security breaches since 2022, of whom 186 have been fired - and some were dismissed for accessing confidential information. HMRC holds sensitive data including salary and earnings, which staff cannot access without a good reason.
In an email to staff, the line manager of the claimant wrote: “There have been more incidents of this recently.”
John Hood, of accountants Moore Kingston Smith, said: “Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.”
HMRC’s annual report shows there were six incidents last year of employees changing customer records without permission, and two of staff losing inadequately protected devices.
A spokesman for HMRC said: “Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. We take the security of customers’ data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.”
Threat actors sponsored by China “compromised” government networks over the past five years and collected valuable information, says a new report from Canada’s cyber spy agency.
The Department of Homeland Security knows which countries SS7 attacks are primarily originating from. Others include countries in Europe, Africa, and the Middle East.
Serbian authorities are using spyware and Cellebrite forensic extraction tools to hack journalists and activists in a surveillance campaign.
Amnesty said it found NoviSpy, an Android spyware linked to Serbian intelligence, on the phones of several members of Serbian civil society following police stops.
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.
The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."
North Korean hackers have conducted a global cyber espionage campaign in efforts to steal classified military secrets to support Pyongyang's banned nuclear weapons programme, the United States, Britain and South Korea said in a joint advisory on Thursday.
The hackers, dubbed Anadriel or APT45 by cybersecurity researchers, are believed to be part of North Korea's intelligence agency known as the Reconnaissance General Bureau, an entity sanctioned by the U.S. in 2015.
An operation labeled TAG-100 by Insikt Group researchers deploys two types of backdoor malware — SparkRAT and Pantegana — that have only been spotted in limited ways previously.
Intelligence officials suspect Wirecard COO Jan Marsalek of colluding with the far-right Freedom Party on Moscow’s behalf.
A CISA official breaks with the government narrative and tells the FCC that SS7 and similar networks and protocols have been used to track people in the U.S. in recent years.
A Chinese spy who is now on Australian soil has revealed his incredible story to Four Corners.
Aerospace and defense company Northrop Grumman is working with SpaceX, the space venture of billionaire entrepreneur Elon Musk, on a classified spy satellite project already capturing high-resolution imagery of the Earth, according to people familiar with the program.
Exclusive: Yossi Sariel unmasked as head of Unit 8200 and architect of AI strategy after book written under pen name reveals his Google account
SpaceX’s dominance in the satellite internet market has given Musk enormous power in matters of war and geopolitics
Insikt Group has observed TAG-70 leveraging cross-site scripting (XSS) vulnerabilities against Roundcube webmail servers in Europe, targeting government, military, and national infrastructure.
Chinese state-backed cyber spies gained access to a Dutch military network last year, Dutch intelligence agencies said on Tuesday, calling it part of a trend of Chinese political espionage against the Netherlands and its allies.
Spy agency argues the practice is entirely legal — until a US court says otherwise
A Chinese hacking group exploited a bug in Microsoft’s cloud email service to spy on two-dozen organizations, including some government agencies, the tech giant said late Tuesday.
