Undeterred by recent indictments alleging widespread cyberespionage against American agencies, journalists and infrastructure targets, Chinese hackers are hitting a wider range of targets and battling harder to stay inside once detected, seven current and former U.S. officials said in interviews.
Hacks from suspected Chinese government actors detected by security firm CrowdStrike more than doubled from 2023 to more than 330 last year and continued to climb as the new administration took over, the company said. Bursts of espionage are typical with each new president, the officials said, and major staff cuts at the Cybersecurity and Infrastructure Security Agency have disrupted some response coordination.
“The U.S. is absolutely facing the most serious Chinese hacking ever. We are in China’s golden age of hacking,” said China expert Dakota Cary of security company SentinelOne.
Although the various Chinese hacking campaigns seem to be led by different government agencies and have different goals, all benefit from new techniques and from Beijing’s introduction of a less constrained system for cyber offense, the officials and outside researchers told The Washington Post.
Chinese intelligence, military and security agencies previously selected targets and tasked their own employees with breaking in, they said. But the Chinese government decided to take a more aggressive approach by allowing private industry to conduct cyberattacks and hacking campaigns on their own, U.S. officials said.
The companies are recruiting top hackers who discover previously unknown, or “zero-day,” flaws in software widely used in the United States. Then the companies search for where the vulnerable programs are installed, hack a great many of them at once, and then sell access to multiple Chinese government customers and other security companies.
That hacking-for-hire approach creates hundreds of U.S. victims instead of a few, making it hard to block attacks and to decide which were China’s key targets and which were unintentionally caught in the hacks, an FBI official said, speaking on the condition of anonymity because he was not authorized to comment publicly.
“They’ll find a zero-day, scan for anything vulnerable, and then try to broker access — and now we have, scale-wise, a significantly larger problem,” the official said. “The result of that incentive structure is that there is significantly more hacking.”
An indictment unsealed last week accused a Chinese man arrested in Italy of hacking at a company called Shanghai Powerock Network Co., which prosecutors described as “one of many ‘enabling’ companies in the PRC that conducted hacking for the PRC government.”
Several former officials said that though China had been deterred in the past by such U.S. indictments, public condemnations and sanctions, that seemed to no longer be the case.
“Cyberspace is where China and Xi’s confidence are on full display. It’s the domain where China has been willing to accept a lot of political risk with the U.S.,” said Laura Galante, a principal at WestExec Advisors and the head of cyberthreat analysis at the Office of the Director of National Intelligence during the Biden administration.
China has mastered the ability to move undetected through networks of compromised U.S. devices, so that the final connection to a target appears to be an ordinary domestic connection. That makes it easy to get around technology that blocks overseas links and puts it outside the purview of the NSA, which by law must avoid scrutinizing most domestic transmissions.
Beijing is increasingly focused on hacking software and security vendors that provide access to many customers at once, the FBI official said. Once access is obtained, the hackers typically add new email and collaboration accounts that look legitimate.
“Cyberspace continues to be a critical front for malicious nation-state and affiliated actors, including those associated with the People’s Republic of China, who seek to compromise U.S. critical infrastructure,” CISA spokesperson Marci McCarthy said. “CISA has observed a persistent and evolving threat pattern, which underscores the importance of maintaining heightened vigilance across all critical infrastructure sectors.”
McCarthy rejected concerns about disruptions in defensive coordination, saying “We continue to work closely with our partners across the interagency and with the private sector to ensure a unified, whole-of-nation approach to securing our infrastructure against the rapidly evolving cyberthreat landscape.”
“Chinese hackers are bigger, better and more sophisticated than they were just a few years ago,” said Crowell & Moring attorney Matthew F. Ferraro, a senior adviser to the secretary of Homeland Security under Biden. “It used to be they would come from a Shanghai network and work on Chinese time, and you would see them coming. That’s not the case anymore. They’re everywhere.”
China’s intensified hacking strategy came to light last year in highly unusual leaked files from iSoon, a security contractor that works with the Chinese military, national ministries and local police.
The trove described contracts and targets in 20 countries, with booty including Indian immigration data, logs of calls in South Korea, and detailed information on roads in Taiwan. It also detailed prices for some services, such as $25,000 for promised remote access to an iPhone, payment disputes with government customers and employee gripes about long hours.
Eight iSoon employees and two Ministry of State Security officials were named in a U.S. federal indictment unsealed this March, which described the company as “a key player in the [Chinese government’s] hacker-for-hire ecosystem.” iSoon representatives could not be reached for comment. They have not responded previously to the accusations.
Beyond the increased government collaboration with China’s private security sector, there is occasional collaboration with criminal groups, said Ken Dunham, an analyst at security firm Qualys. U.S. and private experts have previously reported that at American companies penetrated by Chinese government teams, corporate files were encrypted with ransomware that demanded extortion payments to unlock them. U.S. security companies SentinelOne and Recorded Future have also reported ransomware being used in India and Brazil by Chinese groups looking to create plausible deniability for the government.
“China loves creating blurred lines of hacker attribution,” Dunham said.
Chinese Embassy spokesperson Liu Pengyu called the accusations “groundless and unreasonable. … In fact, the United States has carried out long-term, systematic and large-scale cyberattacks on China, and China has repeatedly expressed its concerns and opposition to this.”
He pointed to a March report backed by the Chinese government alleging the U.S. had penetrated Chinese cellular networks, SIM cards and devices. While declining to comment on specific campaigns, U.S. officials have previously acknowledged they have sought to penetrate Chinese networks for intelligence.
The biggest Chinese espionage campaigns are evolving in different ways.
Last August, The Post reported that Chinese hackers had penetrated major U.S. telecommunications carriers in a wildly successful espionage campaign that allowed them to intercept communications of top politicians.
That penetration is still not fully contained, according to the current and former officials.
The group behind it, linked by the U.S. State and Treasury Departments to China’s Ministry of State Security and known under Microsoft’s nomenclature as Salt Typhoon, has more recently shown up inside core communications infrastructure in Europe, according to John Carlin, a former top national security official in the Justice Department who represents some U.S. victims of the group.
Salt Typhoon has also been blamed for a breach at satellite communications provider Viasat, and on June 19 Canadian authorities warned that Salt Typhoon had exploited a known flaw in Cisco routers to breach communications carriers there beginning in February.
As in the U.S., Canadian officials said the eventual targets were individual users whose calls and text messages could be intercepted. And they echoed U.S. warnings that by establishing persistent access to cloud service providers and others that work with infected communications companies, Salt Typhoon could spread its reach and reinfect targets after being forced out.
A June memo from the Department of Homeland Security, first reported by NBC News, warned that Salt Typhoon had also penetrated multiple state agencies, including one state’s National Guard. DHS said the hackers took administrator credentials and system specifications that could help them break into related entities, including those providing cyber defenses.
Another hacker group, Volt Typhoon, suspected by U.S. officials of being run by China’s People’s Liberation Army, continues to alarm national security officials by penetrating electric and water facilities with no espionage value. U.S. intelligence leaders and members of Congress have concluded that the object is to be prepared to cause chaos during any direct conflict over Taiwan. The FBI and allies spotted a covert network of compromised machines the group was using to reach its targets and disrupted it last year. But Volt Typhoon has created a new one and has moved far beyond the Pacific ports where it was first detected, officials and researchers said.
One researcher found in June that many peer-reviewed studies by Chinese academics closely analyzed U.S. electric grids from the perspective of potential attackers, simulating targeted failures and “modeling how to trigger cascading blackouts to destroy the power grid.”
Less widely understood is a campaign by a third organization, which Microsoft calls Silk Typhoon. Also likely affiliated with the Ministry of State Security, the group uses techniques that are some of the hardest to detect in the world, officials and researchers said.
It was initially known for stealing trade secrets for use by Chinese companies, and it continues to target Western and Asian industry, researchers said.
But it is also in hot pursuit of strategic and diplomatic secrets, which it sought through massive exploitation of a flaw in Microsoft’s Exchange email programs in 2021.
Past victims include multiple U.S. government agencies, officials said, and a recently unsealed 2023 indictment accused Silk Typhoon participant Yin Kecheng and another man of hacking into a U.S. defense contractor, a think tank and a communication service provider.
Silk Typhoon has been seeking unpatched or misconfigured software and using zero-days in routers and security appliances that are hard to monitor.
“Based on what we are seeing, what we are hearing from third-party operators and conversations with law enforcement, their tempo seems up,” said former national security prosecutor Carlin, now a partner at the law firm Paul, Weiss, Rifkind, Wharton & Garrison.
A Silk Typhoon run dating to December has netted about 100 known victims, according to researchers tracking its methods. Among them are government ministries in Spain and Finland, according to a person close to the investigations, and media companies in Japan, South Korea and the United States, including The Washington Post, according to Che Chang, an analyst with the Taiwan-based cybersecurity firm TeamT5.
Chang said his company had obtained a copy of the malicious software wielded by the group and scanned the internet looking for other infections. A machine at The Post responded both in April and late May, suggesting that it was infected for at least a month. In The Post’s case, reported earlier by the Wall Street Journal, the hackers obtained email from several reporters on China and other topics.
A Post spokesperson declined to respond to questions about the incident.
As hard as it is to discover a breach, that is only half of the battle. Google’s Mandiant Consulting arm said that in responding to 2024 security incidents, Silk Typhoon was the espionage actor it encountered the most often. It is adept at moving within a company’s networks, erasing logs that would show its movement from one machine to another and finding new places to hide, said Charles Carmakal, Mandiant’s chief technology officer. “Few really understand how clever they are and how well [they] hide back doors” for reentry, he said.
Once expelled, Silk Typhoon sometimes tries to get back in “almost immediately,” the FBI official said.
Katrina Northrop in Taipei contributed to this report.