Chinese hackers, allegedly linked to the state, attempted to infiltrate the U.S. networks during sensitive trade discussions earlier this year by impersonating a sitting congressman, according to a report in The Wall Street Journal.
In July, as Washington and Beijing prepared for high-level trade negotiations in Sweden, targeted emails were sent to American trade groups, law firms, and federal agencies. The messages, appearing to come from Representative John Moolenaar — chairman of the House committee on U.S.–China strategic competition — urged recipients to review draft sanctions legislation. The attachment, however, contained spyware, the Journal reported.
Investigators later attributed the activity to APT41, a hacking group long suspected of ties to China’s Ministry of State Security. Cyber analysts told the Journal that if opened, the attachment could have given attackers deep access to victim systems, enabling them to extract sensitive documents and monitor ongoing negotiations.
The FBI confirmed it was investigating. “We are working with our partners to identify and pursue those responsible,” an FBI spokesperson told the newspaper. Capitol Police declined to comment.
Moolenaar condemned the operation, calling it “another example of China’s offensive cyber operations designed to steal American strategy and leverage it.” He added, “We will not be intimidated.”
Beijing rejected the allegations, with a Chinese Embassy statement insisting that the country “firmly opposes and combats all forms of cyber attacks and cyber crime” and warning against “smearing others without solid evidence.”
APT41’s Technical Playbook
APT41, also tracked under aliases such as Double Dragon and Barium, is one of China’s most versatile state-sponsored groups. Analysts told the Journal that the group’s hallmark is its dual-use capability — conducting espionage on behalf of the state while also engaging in financially motivated cybercrime.
The group has a long history of using spear-phishing and watering-hole attacks, often impersonating trusted figures or exploiting zero-day vulnerabilities. Its malware arsenal includes ShadowPad, a modular backdoor frequently used in Chinese espionage campaigns, and other custom loaders designed to maintain persistence.
Also read: Chinese Hackers Targeted Taiwanese Research Institute with ShadowPad and Cobalt Strike
APT41 also makes heavy use of publicly available exploits. Past alerts from U.S. agencies note the group’s exploitation of vulnerabilities in Citrix, Atlassian Confluence, and Microsoft Exchange. Analysts believe the spyware used in the Moolenaar impersonation likely followed a familiar playbook: reconnaissance, credential harvesting, lateral movement, and long-term surveillance.
A Track Record of Global Intrusions
The campaign described by the Journal is not an isolated incident. In 2020, the U.S. Department of Justice indicted five Chinese nationals linked to APT41 on charges of hacking more than 100 companies worldwide. Victims included software firms, universities, telecom providers, and even non-profit organizations. Prosecutors alleged the group stole source code, proprietary business information, and intellectual property on a massive scale.
Beyond espionage, APT41 has been tied to cybercrime for profit. Researchers have documented its role in stealing digital gaming currency and selling access to compromised servers. The group’s ability to switch seamlessly between state-directed intelligence operations and financially motivated crime sets it apart from many other advanced persistent threat (APT) groups.
More recently, APT41 has been implicated in targeting the healthcare sector, with reports of attempted intrusions into hospitals and pharmaceutical firms during the COVID-19 pandemic. Security analysts say such activity aligns with Beijing’s interest in gaining access to sensitive medical research and health data.
Espionage Pattern
The phishing campaign took place just days before negotiators agreed to extend a tariff truce and resume discussions on a possible summit between President Trump and Chinese President Xi Jinping. Experts noted that compromising advisory groups or law firms tied to the talks would allow Beijing to anticipate U.S. positions and adjust its strategy.
Mandiant told the Journal that the spyware in this case could have burrowed deep into networks, enabling long-term monitoring. For adversaries like APT41, analysts said, such access is more valuable than short-term disruption — it provides leverage in negotiations and insights into political decision-making.
Earlier this year, hackers impersonated Secretary of State Marco Rubio using AI-generated content, while phishing attempts targeted White House staff, including Chief of Staff Susie Wiles, the Journal reported. Together, these incidents point to an intensifying focus on U.S. political leadership and policy processes.
The attempt to compromise U.S. trade stakeholders shows how cyber operations increasingly run parallel to geopolitical negotiations. Experts said that while military maneuvers often capture headlines, cyber espionage has become a quieter but equally potent front.
As tensions over technology, tariffs, and national security continue to define U.S.–China relations, espionage campaigns exploiting trust, urgency, and political credibility are likely to remain central to Beijing’s toolkit.
