China: Cyber Activities Probably Prelude to Election Espionage
A redacted CIA World Intelligence Review article assesses Chinese cyber collection against U.S. presidential campaigns and other election-related targets in 2020.
The article assesses that China was probing a presidential campaign to tailor intelligence collection and obtain insight into policy positions on U.S.-China issues.
“China is probing the presidential campaign for opportunities to tailor collection and gather insight on policy positions on US-Chinese issues.”
The Intelligence Community reported direct targeting of the former vice president’s presidential campaign, probably to collect intelligence useful for later operations. It assessed at the time that China did not intend to covertly sway the election outcome, while warning that the activity could enable such operations if Beijing later chose them.
“the IC has detected Chinese state-sponsored cyber actors targeting the former Vice President’s presidential campaign, probably to gather intelligence that could enable future operations”
“The IC assesses that China does not currently intend to covertly interfere to try to sway the outcome of the election, although this activity could enable such operations, if Beijing made a decision to do so.”
The article reports that APT31 sent tracking-link spear-phishing emails to campaign staff Gmail accounts by 20 May. It also notes Google’s public statement that the attempts were unsuccessful and says Google and the FBI briefed campaign officials.
“As of 20 May, APT31 actors had sent spear-phishing e-mails containing tracking links to the G-mail accounts of staffers associated with a presidential campaign”
The article says Chinese cyber actors had collected election-related information from voter databases and a range of political, polling, fundraising, nonprofit, and campaign-advisory organizations during the preceding year.
“During the past year, Chinese cyber actors have collected US election-related information from US voter databases, a polling data company, political and nonprofit organizations, fundraisers, and advisory organizations for political campaigns”
The continuation explains that opening a message containing a tracking link could confirm that an account was active even if the recipient did not click a link, helping narrow targets for later operations.
“If a target opened a spear-phishing e-mail with a tracking link—even without clicking on any links—it would confirm an active account for the cyber actors, potentially narrowing the target set for future operations.”