Chinese front companies BIETA and CIII and steganography in APT operations


The cyber ecosystem sponsored by the Chinese government remains the subject of significant analysis and discoveries. In line with the numerous revelations of the last few years—detailed investigations by Intrusion Truth research group, the leak from the tech company i-Soon, the tracking of the EagleMsgSpy monitoring tool, and disclosures about the Great Firewall—a recent analysis has shed light on the activities of two tech companies allegedly linked to the Ministry of State Security (MSS).

BIETA and its subsidiary CIII are reportedly involved in providing technological support to the MSS and Chinese intelligence organizations, offering them, among other things, advanced solutions based on steganography.


The close ties between front companies, government agencies, and universities

BIETA (Beijing Institute of Electronics Technology and Application) and CIII (Beijing Sanxin Times Technology Co., Ltd.) are reportedly front companies involved in modernizing Beijing’s security apparatus, particularly the MSS.

BIETA is headquartered in a complex adjacent to the one housing the MSS headquarters in Beijing and corresponds to the “First Research Institute” of the Ministry. The Institute, known as the “National Cybersecurity Team,” is the entity that designed and implemented the mass surveillance system Skynet, in collaboration with the Public Security Department of the Xinjiang Uyghur Autonomous Region.

Four senior figures at BIETA have held official or advisory roles for Chinese government bodies. Notably, You Xingang, who headed the company from 2008 to 2013, was also a researcher at the First Research Institute of the MSS. Additionally, Zhou Linna, who worked there from 1999 to 2017, is a professor at the University of International Relations (UIR), an institution affiliated with the MSS and openly linked to the tech company.

CIII describes itself on its website as a company “owned by the entire people,” engaged in various activities, including maintaining platforms enabled for Beidou satellite navigation and providing services related to network environment simulation, penetration testing, and modeling of military equipment and operations. In some of its activities, the company has reportedly received positive evaluations from the China Information Technology Security Evaluation Centre, which performs various functions, including managing the national vulnerability database (CNNVD) and directly overseeing APT groups. Finally, CIII claims to support the People’s Liberation Army with its solutions and services.


Steganography: a technology imported and implemented for APTs

Both CIII and BIETA are reportedly involved in the development and sale of forensic investigation and counter-surveillance equipment. In addition, one reportedly imports foreign-made steganographic technologies, while the other develops new steganography-based methods. CIII has also secured copyrights for software related to this technique, such as a “deep analysis system for converting audiovisual secrets to voice” and a “forensic differentiation method for JPEG images based on feature optimization,” both registered in 2017.

The numbers provide a clear picture of their commitment. A keyword search of titles and abstracts shows that, out of 87 academic publications with at least one author affiliated with BIETA, dating from 1991 to 2023, at least 40 (46% of the total) relate to steganography. Furthermore, BIETA has received funding from the National Natural Science Foundation, the 973 Program, and the 863 Program for research in this area. Finally, interns from the UIR appear to have worked on steganography-related topics within the company.

The use of steganographic methods in state-sponsored attacks has been documented for years, by both Russian and North Korean threat actors. Recently, a Brazilian group known as Caminho Loader employed Least Significant Bit (LSB) steganography to hide .NET payloads within image files. As for Chinese groups, one can go back at least to a 2013 analysis of APT1 (Unit 61338 of the People’s Liberation Army), which lists this technique among the adversary’s TTPs. Additionally, Mirage used steganography to distribute malware, and Leviathan used it to exfiltrate stolen trade secrets and proprietary hydroacoustic data inside innocuous-looking images. In 2022, Pirate Panda and its sub-group Witchetty used steganography to encode the TClinet and Stegmap backdoors within image files.
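The LSB embedding mentioned above leaves a statistical footprint that defenders can check for when triaging image files pulled from a suspicious download or C2 channel: replacing the least significant bits with payload data tends to equalize the frequencies of each pair of pixel values (2k, 2k+1). The script below is an added example, not code from the original article or from any of the groups it describes; it implements the classic chi-square "pairs of values" test on a flat list of 8-bit samples, and constructs its own cover image and a simulated embedding (random LSB overwrite, which has the same statistical effect as a real payload) so that it runs offline. The function and variable names are the author's own.

```python
import math
import random


def pov_chi_square(samples):
    """Chi-square 'pairs of values' statistic over 8-bit samples.

    For each pair (2k, 2k+1) the expected count of the even value is the pair
    mean; LSB embedding drives the observed count toward that mean, so a small
    statistic (relative to the degrees of freedom) suggests embedding.
    Returns (chi_square, degrees_of_freedom).
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi, categories = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected > 0:
            chi += (hist[2 * k] - expected) ** 2 / expected
            categories += 1
    return chi, max(categories - 1, 1)


def _gamma_p(a, x):
    """Regularized lower incomplete gamma P(a, x) (series / continued fraction)."""
    if x <= 0:
        return 0.0
    log_prefix = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1:  # series expansion converges quickly here
        term = total = 1.0 / a
        n = a
        for _ in range(1000):
            n += 1
            term *= x / n
            total += term
            if abs(term) < abs(total) * 1e-14:
                break
        return total * math.exp(log_prefix)
    # Lentz continued fraction for the upper tail Q(a, x); P = 1 - Q
    tiny = 1e-300
    b = x + 1 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-14:
            break
    return 1.0 - math.exp(log_prefix) * h


def embedding_probability(samples):
    """Probability that the LSB plane carries embedded data (Westfeld/Pfitzmann)."""
    chi, dof = pov_chi_square(samples)
    return 1.0 - _gamma_p(dof / 2.0, chi / 2.0)


def make_cover(rng, n=20000, even_bias=0.8):
    """Constructed cover: every pair present, even values deliberately more frequent."""
    return [2 * (i % 128) + (0 if rng.random() < even_bias else 1) for i in range(n)]


def simulate_lsb_embedding(samples, rng):
    """Overwrite every LSB with a random bit: the statistical effect of a full payload."""
    return [(s & 0xFE) | rng.getrandbits(1) for s in samples]


def demo(seed=7):
    rng = random.Random(seed)
    cover = make_cover(rng)
    stego = simulate_lsb_embedding(cover, rng)
    return embedding_probability(cover), embedding_probability(stego)


if __name__ == "__main__":
    p_cover, p_stego = demo()
    print(f"clean cover  : P(embedded) = {p_cover:.4f}")
    print(f"LSB overwrite: P(embedded) = {p_stego:.4f}")
```

To run this against a real file, feed it the grayscale samples of the image (for example `list(Image.open(path).convert("L").getdata())` with Pillow). The test is strong for sequential, near-full LSB embedding in lossless formats; it is weak against sparse or randomly scattered embedding and says nothing about JPEG-domain methods, so treat it as one cheap triage signal next to file-size anomalies, trailing data after the image end marker, and hash reputation.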

BIETA’s research involves not only JPG files but also MP3 (audio) and MP4 (video) to covertly transmit information.

To get a sense of these companies’ innovative capabilities, one can consider that in 2019, during a conference on steganography and artificial intelligence, a BIETA researcher presented a project on Generative Adversarial Networks (GAN), suggesting this as an additional research area for the organization.


TS-Intelligence


The information reported is the result of the collection and analysis work carried out by the specialists of Telsy’s Threat Intelligence & Response team with the support of the TS-Intelligence platform, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.

The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.

Discover more about our Intelligence services.