Future Tech

Chinese report on suspected NSA hack shows Beijing pushing back

Tan KW
Publish date: Fri, 25 Feb 2022, 04:05 PM

For years, Washington has accused Beijing of instigating cyberattacks against the US and its allies. Now, a Chinese cybersecurity firm says it has identified hacking within China by a group linked to the National Security Agency, hinting at a rethink of how Beijing handles its geopolitical rival.

Chinese officials and companies like Huawei Technologies Co have often responded to US accusations in the past by declaring America the worst cyber-offender of all, pointing in particular to Edward Snowden’s revelations about US espionage.

But this week, Pangu Lab said it discovered US-sponsored hacking activity on Chinese soil. It said it found malware in domestic IT systems it claims was created by hacking group Equation, which is “generally believed” to be linked to the US National Security Agency. In a report issued Feb 23 and covered by the Communist Party-backed Global Times, Pangu Lab said the malware, called Bvp47, had been discovered within “a key Chinese department” in 2013 and 2015. Pangu Lab claimed the malware infiltrated systems to monitor and track key institutions in 45 countries around the world, including US allies, in a campaign that lasted 10 years.

The report marked a departure from Beijing’s typical stance. Faced with allegations of hacking, China has routinely denied the behaviour and labelled the US an “empire of hackers”. Beijing responded to recent reporting that Chinese spies used Huawei to hack an Australian telecommunications network by calling the accusations an “arbitrary smear”, “groundless” and “irresponsible”.

But the effectiveness of that approach has been questioned, including by former Global Times editor-in-chief Hu Xijin. In a recent WeChat post, the widely followed journalist said Chinese officials have been unwilling to provoke their geopolitical rivals, and that their tactic of relying heavily on statistics was ineffective.

“It is dry,” he wrote on Feb 21. “When have you ever seen a fresh face in China, facing the camera and angrily scolding Washington: The cyber hackers you support attacked our computer system!”

That might be about to change. Since late last year, China has been rethinking its communications strategies as tensions between Washington and Beijing persist, said Josef Gregory Mahoney, a professor of politics and international relations at East China Normal University in Shanghai.

“What we are seeing with this report may well be an early example of a new strategy at work, but one that is also confident it can reassure the Chinese public it has matters under control,” he said.

Pangu Lab is part of Shanghai-based Pwnzen Infotech Ltd, according to its website. That company’s founder, Han Zhengguang, is a cybersecurity veteran who previously worked for Fortinet Inc, as well as a Chinese online media outlet that specialised in cyber issues. Pangu Lab has worked with a subsidiary of Qi An Xin, one of the country’s largest cybersecurity firms, on digital forensics and with police and judicial authorities.

Representatives for the US Embassy in Beijing didn’t respond immediately to requests for comment. On why Pangu Lab was releasing a report this month on a 2013 exploit, a spokesperson said it took a long time to analyse the data.

Asked about the report on Thursday, Chinese foreign ministry spokesperson Hua Chunying called for the US to provide an explanation and said that China would take necessary measures, without elaborating.

“We express great concern over the irresponsible, malicious cyber activity exposed by the report,” Hua told a news briefing. “China will take necessary measures to protect China’s cybersecurity and interests.”

It’s not clear whether the new approach will work, and some cyber-experts have already poked holes in Pangu Lab’s findings.

Robert Potter, co-CEO of cybersecurity firm Internet 2.0, which counts the Australian government among its clients, said there should be scepticism regarding the use of the exploit because it has been used widely for years.

In 2016, an outfit known as the Shadow Brokers leaked Equation’s hacking tools, which according to experts at the time were exploited by hackers including from North Korea, in attacks such as the 2017 WannaCry ransomware attack. EternalBlue, another exploit derived from the toolkit, was used by Russian actors in the 2017 NotPetya campaign. Experts say the same toolkit has been used by Chinese state-sponsored hackers as well.

“Hacking for espionage is well understood to be within the norms of cyber between superpowers and it doesn’t violate any agreements between the US and China, which apply to the stealing of intellectual property and economic espionage,” Potter added.

Taiwanese cybersecurity firm TeamT5 said that while Pangu Lab’s report was “one of the most detailed and in-depth forensic investigations published by Chinese cybersecurity firms”, it was curious that they chose a decade-old case to dissect.

“In the future, we think there will be more and more similar attribution reports by Chinese cybersecurity firms being leveraged by the Chinese state media to conduct propaganda campaigns,” analysts at TeamT5 wrote.

 - Bloomberg
