Between 2010 and 2012, the CIA’s spy network in China experienced one of the worst intelligence breaches in modern history, leading Beijing to reportedly execute more than 30 U.S. sources.
While the exact cause of the breach is still debated, one theory contends that Iran was at the center. At the time, Iran was investigating how a mole in the Natanz nuclear facility enabled Stuxnet, a piece of malware created by the U.S. and Israel, to cause extensive physical damage to Natanz’s uranium enrichment technology. Iran reportedly discovered the CIA’s use of innocuous websites to communicate and shared that intelligence with China, where the CIA used the same system.
The repercussions of another American and Israeli operation against Iran are playing out right now. On February 28, the U.S. and Israel used human and cyber intelligence to kill supreme leader Ayatollah Khamenei and other top Iranian officials. As the war drags on, we can speculate as to what the ripple effects on China’s counterintelligence apparatus might be. But Beijing will likely react by doing more of the same, experts told Domino Theory: anti-corruption purges, tech stack autarky and offensive cyber operations like Salt Typhoon.
“[N]ational security, or state security, has been a consistent priority of the Xi administration since he came into office,” said Emile Dirks, a senior research associate at the Citizen Lab in the University of Toronto’s Munk School of Global Affairs and Public Policy. “I don’t think the fact that this is going on is fundamentally changing the risk calculus of Xi Jinping (習近平) when it comes to the problem of foreign spies or domestic unrest.”
When Xi became China’s leader in 2012, he instituted wide-reaching reforms to preserve the security of the Chinese Communist Party. He was “trying to discipline the party itself, trying to discipline Chinese society and adopting a much more broad vision of what constitutes national security,” said Dirks. What has followed includes a perpetual and sweeping campaign to root out corruption, targeting individuals from state-owned enterprises to the People’s Liberation Army. Beginning around 2016 to 2017, Beijing also instituted centralizing reforms to the Ministry of State Security, China’s main civilian intelligence, counterintelligence and security agency, to prevent state security work from being subordinated to local party bosses’ interests.
Corruption was not just a broad political or economic problem for China; it also had ramifications for regime security, said Dirks. In the 2000s, corruption and low pay across China’s party-state system, including within the security apparatus, “opened up doors for American intelligence agencies to bribe people to participate in American espionage activities in China.”
To be sure, the CIA is now trying to leverage feelings of fear or mistrust amid ongoing purges to publicly recruit assets for the U.S. The agency published a propaganda video just weeks after the high-profile purge of China’s top general, Zhang Youxia (張又俠), in January. “Anyone with leadership qualities is bound to be subject to suspicion and ruthlessly eliminated,” an actor playing a PLA officer says in the video.
These days, what we know about China’s counterintelligence capabilities is mainly due to leaks that have exposed China’s surveillance activities, particularly in Xinjiang. There’s no question these surveillance capabilities are significant, said Ja Ian Chong, a political science professor at the National University of Singapore. “You’re keeping watch over 1.4 billion people, so you should be able to process [that surveillance]. But beyond that, I’m not sure anything in the public domain gets you any fidelity.”
The recent decapitations in Iran and Venezuela might have an effect on China’s counterintelligence approach. “There will be some effort to tighten up processes, as is common in these kinds of situations, anywhere,” said Chong. But these developments will likely not be observable from the outside. And information about the movements of China’s leaders, which was key to the U.S. and Israel’s recent decapitation strikes, is already tightly controlled.
Other high-profile intelligence breaches in recent years, like the explosion of thousands of wireless pagers used by Hezbollah in September 2024, also touched on concerns that China had already been addressing. In this case, it was the risk of foreign interference in vulnerable supply chains, Chong said. For example, while the Chinese government had for a long time been using Microsoft Windows as its operating system, over the past decade and a half or so, it has been transitioning to an internally developed mimic of that software.
China also has offensive means with which to deepen its cyber-enabled counterintelligence efforts. For example, operations like Volt Typhoon, a PLA-linked group that infiltrates critical infrastructure, have exposed American naval logistics in the Pacific, said Ahana Datta Fasel, a cyber expert who worked as a cyber leader in the U.K. government and as cyber chief for the Financial Times. In reaction to the decapitation strike against Iran, the Ministry of State Security may also “choose to capitalize on existing long-term cyber operations like the ongoing Salt Typhoon to ramp up its counterintelligence efforts,” Fasel said. Dating back to at least 2018, Salt Typhoon infiltrates telecommunications infrastructure to gather intelligence and help the ministry counter foreign intrusions.
In terms of the U.S. and Israel’s cyberintelligence capabilities on display in the Iran conflict, including the hacking of CCTV cameras and prayer apps, Beijing probably wasn’t hugely surprised by anything it witnessed. “All the kinds of capabilities that we’re seeing now, they’ve been demonstrated by Israel post October 7,” said Fasel. When it comes to the U.S.’s deployment of cyberwarfare in Iran, such as wiper malware and phone bugging, these kinds of methodologies “are not hugely sophisticated.”
It is too early to tell whether Iran and China will share intelligence that proves mutually beneficial in countering the U.S., as might have happened around 2010. Some recent reporting suggests that China has been sharing targeting coordinates for U.S. troops and equipment with Iran.
Importantly, the China-Iran relationship is different from traditional, long-term security relationships like the Five Eyes because it’s based on “opportunistic tendencies, where this kind of lack of known formal intelligence relationship means that they have quite a bit of flexibility,” Fasel said. Intelligence sharing is currently more likely to happen between Iran and Russia than Iran and China. It is also difficult to tell how the relationship will evolve now that several members of Iran’s former intelligence leadership have been killed.
“Once we have a bit more about the replacement, then it’ll be easier to speculate a bit more,” Fasel said.







