THE FUSION DOCTRINE
Western intelligence services traditionally separate foreign espionage from domestic surveillance — different agencies, different legal authorities, different targets. China's Ministry of State Security fuses both: the same operator who steals defense secrets in Manila may also be tasked with monitoring a Uyghur activist in Berlin.
THE CONTRACTOR ECOSYSTEM
Most Chinese cyber operations are not run by uniformed officers. The MSS and PLA contract out to private firms — the i-Soon leak in 2024 exposed a Shanghai-based contractor whose price list quoted $55,000 to access an email account at a foreign ministry and $278,000 for a year of social-media surveillance on a target.
THE DIASPORA TARGETS
Tibetan, Uyghur, and Hong Kong communities abroad are surveilled because Beijing treats them as continuations of domestic dissent, not foreign actors. The legal fiction is that all ethnic Chinese remain subjects of the state regardless of citizenship — a doctrine the FBI has called transnational repression.
THE APT NUMBERING
Mandiant began numbering Chinese intrusion sets as APT1, APT3, APT10 in the 2010s — each tied to a specific MSS bureau or PLA unit. APT1 was traced to PLA Unit 61398 in a Shanghai office tower; the 2014 indictments named five officers by face and rank, the first time Washington publicly identified serving Chinese officers as hackers.
THE COORDINATED-SANCTIONS PATTERN
Western capitals increasingly publish attributions on the same day. The Five Eyes plus EU partners coordinate timing because a single-country sanction is easy for Beijing to dismiss as bilateral friction; a synchronized announcement frames the conduct as a violation of international norms.
WHAT GETS STOLEN
The 2015 OPM breach exfiltrated 21.5 million US security clearance files: every applicant's fingerprints, foreign contacts, and psychological evaluations. Chinese services now hold a counterintelligence database deep enough to identify likely undercover American officers for a generation to come.