How to trace a hack to China
Image: Oscar Nord / Protocol

How to trace a hack to China

Protocol China

Good morning. It's not spring yet, but China's annual Party meetings — the Two Sessions, held this week in Beijing — signal we're close. This week in Protocol | China: how to attribute big hacks, an AI boom on Chinese university campuses and what it's like to get vaccinated in China.

(Was this email forwarded to you?Sign up here.)

The Big Story

Proving who hacked whom

Microsoft announced last week that its email and calendar Exchange Server had been the victim of a sophisticated attack by a China-based group the company calls Hafnium. Over 250,000 targets could be compromised.

Microsoft laid out its suspicion of China, describing Hafnium as a "group assessed to be state-sponsored" and "a highly skilled and sophisticated actor."

  • The company said its assessment was based on "observed victimology, tactics and procedures."
  • According to Microsoft, Hafnium targets entities in the U.S. for "the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."

China's response: Lean in to the "attribution problem." The nation's Ministry of Foreign Affairs said this was a "complex technical issue" and decried "groundless accusations" from the press and the private sector.

  • Sound familiar? Chinese diplomats have used nearly identical responses to many state hacking accusations over the past decade.

But don't assume the left hand knows what the right hand is doing. MFA spokespeople are probably telling the (albeit self-serving) truth when they say they aren't aware of state hacking attempts.

  • The MFA isn't in charge of global cyber espionage and probably isn't told about it. China's government is far less centralized than most outsiders think.
  • Chinese state-linked groups like Hafnium are just that — quasi-independent groups that enjoy the plausible deniability of operating outside of Beijing's direct control.

Allocation of blame is as much about norms as tech. Not least because it's all but impossible to produce ironclad proof of who hacked whom — although Microsoft delved into detail here, offering a detailed forensic look of Hafnium's handiwork.

  • Absent complete proof, companies such as Microsoft are reluctant to finger an actor as powerful as China — ditto for a lot of governments.
  • It's undeniable that China's taken advantage of these ambiguities. What's really needed is an agreed framework to arbitrate which governments are likely responsible for which cyber intrusions — although actors like China and Russia are almost certain to resist it.

On Protocol | China

  • China's building the smart homes of the future. Lax privacy standards plus low-cost manufacturing equals a total tech takeover of the home. Smartphone maker Xiaomi pivoted into the sector early, and now combines IKEA-like value with the network effects of 1,500-odd smart devices working off a single app. Zeyi Yang interviews one fanboy.
  • Can China change the way the world shops? Ecommerce in China is already 30% social, thanks in large part to the massive influence of livestreaming. In the U.S., that number's just 3%. Can the trends birthed on Douyin, Kuaishou and Taobao Live take root in the U.S? Shen Lu investigates.
  • Everything you need to know about the Zhihu IPO. China's Quora, founded by a former journalist, is going public on the NYSE. It's been a gathering space for elite intellectuals, but monetization has posed a challenge. Can Zhihu expand enough to make money while keeping quality high?

Big Brother Beijing

  • The AI boom hits Chinese campuses. A Monday analysis of Ministry of Education data by web outlet NetEase showed 130 Chinese universities added an artificial intelligence major in 2020, making it top among new areas of study. (Second place: intelligent manufacturing engineering, at 86 new majors.) It's a response to the Ministry's request to establish 50 artificial intelligence colleges, research institutes or cross-sectional research centers by the end of last year.
  • LinkedIn suspended new sign-ups to its China service. The Microsoft-owned platform, with over 40 million users in China, said it was "pausing" new member sign ups due to the need to "work to ensure we remain in compliance with local law." (The company told Protocol's Zeyi Yang that its statement is "the entirety of what we're sharing right now.") LinkedIn has generally bent over backwards to please Beijing, censoring content including the (later un-blocked) profile of a Tiananmen dissident.
  • Shanghai's STAR market may become more focused on hard tech. Bloomberg reports today that China's securities regulator is considering making it harder for firms like Ant Financial to list on the young, tech-focused stock exchange by emphasizing "hardcore technology and innovation."

On Our Radar

  • An investigation into illegal talent poaching. Taiwan investigators descended on local offices of Beijing-based Bitmain on Tuesday on suspicion the crypto-mining company recruited local chip talent without the required approvals. Bloomberg reports Bitmain's suspected of illegally recruiting "hundreds" of Taiwanese engineers over several years. Chinese companies are looking abroad for talent to help it achieve semiconductor self-sufficiency, and Taiwanese engineers who speak fluent Chinese are at the top of the list.
  • Speaking of which: How much dumb money is chasing domestic chip investment? Last week, tech blogger Kevin Xu published this vivid report on HSMC, a company he calls China's "semiconductor Theranos." He described an elaborate but brazen fraud at HSMC that duped investors and, he claims, even fooled legendary chip executive Chiang Shang-Yi — founding CTO of TSMC — into being its CEO. Xu cites a Caixin report that claims investment in native chip capacity is skyrocketing, growing from $949 million in 2019 to $8.46 billion in the first half of 2020, part of an effort to end reliance on U.S. chipmakers. But this con has "permanently damag[ed] the prospect of other semiconductor upstarts" in China, Xu writes.

Straight From China's Web

  • DiDi might be charging iPhone users more. In an instantly viral study, Professor Sun Jinyun at Shanghai's prestigious Fudan University found that DiDi users with iPhones were three times more likely than Android users to be assigned a luxury car, effectively jacking up the price.
  • What it's like to (try to) get vaccinated in China. Getting the jab Stateside involves constantly refreshing a dizzying array of websites that vary from state to state. In China, it's all done via app. Otherwise, it's about the same. On Monday, PingWest's Du Chen described a process that was "generally pleasant but a bit techno-chaotic," involving multiple "mini-apps" within WeChat, data re-entry, unannounced appointment cancellations and slips of paper where apps wouldn't do.

One Company You Should Know

Exoskeletons: Made in China, worn everywhere

IDG-backed Chinese Fourier Intelligence (傅利叶智能) makes exoskeletons for people who cannot move without them, and has just closed a series C+ funding round. Reportedly contributing "tens of millions of yuan," or millions of dollars, is the Shanghai Artificial Intelligence Industry Investment Fund, backed by a consortium of state-owned enterprises as well as private equity firms. According to Deal Street Asia, Fourier is eyeing a global expansion and U.S. listing in the next few years.

China Goes Global

  • China took a first crack at a global vaccine passport. On Monday, China launched an International Travel Health Certificate, showing the bearer's vaccination records and COVID-19 test results. Chinese citizens can access the certificate through WeChat. Clearly inspired by China's domestic pandemic response, the "passport" is a QR code assigned to every individual. In a Sunday press conference, Foreign Minister Wang Yi said Beijing will offer this tool to other countries. Don't expect quick yesses from Western nations wary of Chinese data-sharing practices.
  • U.S. employees have fled the drone maker DJI. The Shenzhen-based market leader is reportedly struggling after having been added to the U.S. Commerce Department's dreaded Entity List in December. Reuters reported that current and former employees said about one-third of DJI's 200-person team in North America was laid off or resigned in 2020.
  • ByteDance rakes in global app store cash. Guess that India ban isn't hurting too much: Sensor Tower data shows ByteDance-owned Douyin and international equivalent TikTok collectively earned more than $110 million worldwide in February via the App Store and Google Play. That's nearly double their rake in the same period last year, and enough to rank ByteDance top for non-gaming mobile app revenue worldwide. YouTube came second on the list with over $82 million.

One More Thing

How many "likes" is too many?

Websites generally crave engagement, but a man bombarded DianPing with what it says are excessive "likes" and ended up getting his power user status docked. Now the two are hashing it out in a Shanghai court. The Yelp-like site reprimanded him after he liked so many posts so quickly that he was clocking 37,000 likes per day in late 2020, including one particularly impressive hour in which he generated 4,888, or one every 0.75 seconds. Dianping insists only a machine could "like" so quickly; the man says he's disabled, and spends much of his day lying in bed surfing the web. "I'll like what I want to like," he's argued, accusing Dianping of lacking a standard to determine how many likes are truly "too many."

Recent Issues