Cyber Threat Actor: Ministry of State Security
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
7 incidents |
|---|
Profile
The threat actor is known by several aliases including MSS, Chinese Ministry of State Security, Ministry of State Security and Guoanbu, and is based in China. It has been observed targeting a broad range of sectors such as government institutions, trade delegations, news media outlets, defense contractors, hospitality companies, health insurers and security clearance databases. Geographically, its activity has been reported in Belgium, Australia, the United States and within China itself. Publicly cited strategic objectives involve espionage aimed at collecting political correspondence, policy documents, proprietary technical data, personal identifiers for counterintelligence and recruitment, and ideological operations seeking to assert dominance over information through message manipulation, denial of service and data alteration. No explicit financial motive is described in the available reporting, with the focus remaining on intelligence gathering and information control.
The actor’s tactics, techniques and procedures include the deployment of high‑volume bot‑driven traffic to overwhelm targets, attempts to install spyware for credential and data theft, and the use of honey‑pot environments to analyse attack methods. It has employed message manipulation, denial of service and data manipulation against news sites, and conducted exfiltration from both end hosts and broader network infrastructure. Intrusions have sometimes remained undetected for years, as seen in the compromise of hotel reservation systems, and have leveraged access to contractor networks supporting military research. Attribution to the Chinese Ministry of State Security has been made publicly by Belgian authorities, Australian intelligence, U.S. investigators and independent researchers such as Citizen Lab, although the Chinese government consistently denies involvement. Representative operations cited in open sources include the 2019 bot attack on a Belgian trade mission in China, the 2019 breach of Australia’s national parliament and major political parties, the 2017 intrusion against the China Digital Times news outlet, the 2015 theft of submarine warfare data from a U.S. Navy contractor, and the 2014 compromise of a major hotel chain that exposed the personal data of approximately five hundred million guests.
