Chinese hackers target family members to surveil hard targets

When American prosecutors unsealed an indictment Monday describing a sprawling Chinese hacking campaign, they revealed that when Beijing’s hackers are determined to infiltrate a person’s digital life, few targets are off the table — including family members.

According to the indictment, between 2015 and 2024, a Chinese hacking group known as APT 31 that is linked to China’s Ministry of State Security targeted thousands of U.S. and Western politicians, foreign policy experts, academics, journalists and democracy activists. In many cases, the group focused its efforts on politicians that the Chinese government “perceived as being critical of PRC government policies.”

These are generally individuals who are aware of the risk that China will try to surveil them using digital means and have tried to lock down their digital systems in response. But the same cannot always be said of their family members, and according to Monday’s indictment, the APT 31 hackers used malicious email messages sent to family members of their actual targets as a reconnaissance tool.  

These emails were not necessarily laced with harmful malware or used in traditional phishing attacks; rather, they included tracking links that, if clicked, revealed a host of information about the target user, including their location, browser and operating system, the device they used, their IP address and schematic details for their network. The hackers used this reconnaissance to enable what the indictment describes as “more direct and sophisticated” targeting of devices such as routers belonging to high-ranking U.S. government officials, politicians and campaign staff. 

According to Michael Raggi, a principal analyst at Mandiant and Google Cloud, this kind of targeting is not unheard of but still relatively rare.

“I would say from my experience, targeting the families of political individuals in the West by actors like APT 31 is not something that I have seen with regularity in the threat landscape,” Raggi said.

Chinese efforts to control speech abroad increasingly relies on manipulating family relationships in creative ways. 

Last year, the U.S. Department of Justice indicted more than 40 individuals who were allegedly part of a scheme by the Chinese Ministry of Public Security to use thousands of fictitious social media personas to attack and harass Chinese nationals living in the United States who had criticized the Chinese government. 

Dakota Cary, a nonresident fellow at the Atlantic Council’s Global China Hub, placed this kind of targeting into two buckets. The first is when China goes after dissident groups with family in and around China. In that case, the family members may be both a means to reach their ultimate target and a target in their own right for harassment or intimidation.

The second bucket is “people who have incredibly high security awareness” and would otherwise count as hard security targets. This would include government officials, politicians and other groups like those targeted by APT 31. In this instance, going after members of the family or home networks may be an easier pathway to compromise than trying to hack the individual or their telecommunications provider.

“I think it’s clear to see that family is explicitly on the table for China, whether that’s to get through the family to a specific target or go after the family themselves,” Cary, who is also a China-focused consultant for the cybersecurity firm SentinelOne, told CyberScoop.

This strategy was detailed in a report last year by the U.S.-China Economic and Security Review Commission, which describes broader efforts by the Chinese government to conduct “coercion-by-proxy” of both internal and external critics through “harassment, hacking, attempted kidnapping, online disinformation campaigns” of family members living abroad.

Raggi cautioned that the APT 31 operations described in Monday’s indictment are distinct from broader efforts by Beijing to intimidate or coerce critics abroad. Raggi described the use of tracking links as likely “the first step in a more technical attack chain targeting a politically exposed individual.” 

The tracking links used by APT 31 are the same kind that legitimate organizations, such as marketing agencies, might use to track engagement with their emailed content, Raggi added. A user’s click wouldn’t convey the kind of information that would necessarily make it easier to compromise a target’s home router or help them pivot to gain access to a victim’s email.

Targeting family members represents just one of the creative ways that the Chinese government targets high-value individuals. According to Monday’s indictment, in some cases APT 31 operators posed as prominent journalists from CNN, Vox and other media outlets to send emails to U.S. government officials that purported to contain excerpts and links to legitimate news articles that were in fact tracking links. 

Other close associates, like employees and staff, can also provide an easier pathway to compromising an individual. Stewart McDonald, one of three members of British Parliament targeted by APT 31, noted in a press conference this week that a hacking group linked to Russia was able to gain access to his email account last year by first breaking into the personal email account of one of his staffers and using it in a phishing attack.

 “That doesn’t get talked about enough,” McDonald said.