(Bloomberg) — For years, the US government and American cybersecurity companies have alleged that China is behind brazen hacks that have pilfered troves of sensitive documents.
Chinese government officials have denied the claims and repeatedly accused the US of its own cyber-espionage, without providing evidence.
That changed in February, when a well-connected Chinese cybersecurity firm went public with what it claimed was a US National Security Agency campaign aimed at computers in 45 countries and regions, including China. US officials didn’t respond to requests for comment at the time.
The disclosure suggested a more aggressive public response by China toward foreign hacking attempts. It also highlighted the growing clout of Qi An Xin Technology Group Inc., a Chinese technology firm established in 2014 that has ambitions of becoming a global cybersecurity giant.
The company, whose headquarters are a 10-minute drive from the Forbidden City, has been the beneficiary of a three-year plan, unveiled last year, to expand China’s cybersecurity industry to more than 250 billion yuan ($39.3 billion) by 2023 by increasing investments in the sector and streamlining regulation.
Qi An Xin was entrusted with handling cybersecurity at Tiananmen Square for the 70th anniversary of the Chinese Communist Party’s rule, and it oversaw network security for the Beijing Winter Games. In December, the Beijing city government selected Qi An Xin as one of 20 “invisible champions,” a designation given to companies that develop technology critical to China’s national strategy.
“Their talent is, without a doubt, top 10 globally, as far as companies are concerned,” said Dakota Cary, a consultant on China’s cyber capabilities at Krebs Stamos Group. “When there’s an issue at a provincial level or even at the central level, when the government needs a response team, it seems like Qi An Xin is the go-to.”
A representative for Qi An Xin declined to comment on this story.
China’s cyber industry accounts for less than 7% of the global market, compared to the U.S. at around 40%, according to a study last year from the International Institute of Strategic Studies.
Chinese cybersecurity companies have struggled to grow their business in the private commercial market because of low awareness about the risks of cyberattacks, particularly within the small and medium-sized business community, said Cary and two other cybersecurity experts. Public reporting on threats or attacks is rare, so investing in cyber isn’t considered a critical business cost, according to multiple analysts with knowledge of China’s cyber industry.
That lack of demand for cyber protection among businesses and individuals in part explains Qi An Xin’s reliance on state clientele, said Cary. Its contracts with government, public security agencies and military clients comprised 52% of its revenue in 2019, according to the research firm Dongguan Securities.
Overall, Qi An Xin brought in 5.81 billion yuan ($871 million) in revenue in 2021, lagging behind some of the bigger Western cybersecurity firms. Palo Alto Networks Inc., for example, reported $4.3 billion in revenue during its fiscal year 2021.
But the company has ambitions to compete globally against U.S. cybersecurity firms and others in the West. Founder Qi Xiangdong told reporters he wants Qi An Xin to “walk out into the world” this year.
The company has some business outside the Chinese mainland that includes providing cybersecurity services for the overseas operations of Chinese companies and banks in places such as Southeast Asia, the Middle East and Africa, according to a report by Avic Securities.
It also holds contracts to provide cybersecurity infrastructure for governments including those in Indonesia, Algeria, Angola and Ethiopia, Avic analysts say.
China’s cyber industry is still mainly driven by compliance, so its security products are made to meet domestic regulatory requirements that may be at odds with needs outside of the country, said Vivien Pua, security industry analyst at market research firm Frost & Sullivan.
In addition, trust is more difficult for Chinese companies such as Qi An Xin to build in Western countries, said Niko Yang, a senior analyst at the Beijing-based investment research firm EqualOcean. Qi An Xin’s connections with the government may complicate any attempts to appear to be independent to potential clients overseas, a concern many Chinese-linked cyber services face.
“For this kind of critical infrastructure, it is hard for countries to be willing to completely hand things over to others,” he said. “It is the same in China’s domestic cybersecurity – they also won’t have foreign companies carry out the most critical security tasks.”
Those close ties to the government are indisputable.
Its founder, Qi Xiangdong, 57, worked for 17 years at Xinhua, the national media agency, where he ascended to the role of deputy of its communications technology bureau. He also serves as a delegate to a Beijing city government political advisory body.
Company president Wu Yunkun, meanwhile, serves as vice president of a working committee at the China Information Ministry Association, which is supervised by the Ministry of Civil Affairs. Vice President Yang Hongpeng was also previously in the communications department of Xinhua. Board members Meng Yan, Xu Jianjun and Zhao Bingdi have had state-connected roles in finance and technology.
In February, a security team at Qi An Xin called Pangu Labs — known in China for exploiting vulnerabilities to access Apple Inc. iOS systems — issued a report saying that it had found malware in domestic IT systems that it claimed was created by a hacking group called “Equation.” That group is “generally believed” to be linked to the NSA, according to the researchers.
Malware was allegedly found within an unnamed Chinese agency in 2013 and 2015, which Pangu Labs claims was part of a 10-year campaign that infiltrated key institutions around the world, according to the report, which was covered by the Communist Party-backed Global Times.
The alleged espionage campaign occurred in 2013, and information about the malware had previously surfaced during leaks from former NSA contractor Edward Snowden, meaning other hacking groups could have also accessed the code. However, the details of the hack were perhaps less significant than the fact they had been published at all, according to Cary, of Krebs Stamos Group.
“There’s something in the relationship between Qi An Xin and the government that has allowed them to publish something like this,” he said. “That’s part and parcel of why they have so many contracts.”
Pangu Labs previously told Bloomberg News it had waited nearly a decade to disclose details about the hack because it was analyzing the data in question.
Chinese cybersecurity firms have rarely directly shared details about foreign attacks.
In March 2020, Qihoo 360 Technology Co. Ltd., which was co-founded by Qi, blamed a group suspected to be associated with the CIA for alleged hacks against China. The US government added Qihoo 360 to its Entity List over national security concerns.
The state-owned China Electronics Corporation purchased a 23% stake in Qi An Xin in 2019, replacing Qihoo 360 as the second-largest shareholder behind Qi Xiangdong.
While outing the NSA could further endear Qi An Xin to the Chinese government, it may complicate its efforts to expand in the West. So could U.S. restrictions on some Chinese tech firms, and China’s own reluctance to integrate with the global talent pool, said Greg Austin, an IISS senior fellow for cyber, space and future conflict.
©2022 Bloomberg L.P.