China's Military Cyber Operations: Has the Strategic Support Force Come of Age?
This talk analyzes the organizational structure and operational doctrine of the People's Liberation Army (PLA) Strategic Support Force (SSF) in the context of information warfare. It examines how the PLA integrates civilian and military assets to conduct cyber operations, specifically focusing on the use of living-off-the-land techniques and pre-compromised infrastructure for operational preparation of the environment. The presentation highlights the strategic targeting of critical infrastructure, such as electric grids and emergency management systems, to gain leverage in the Indo-Pacific region. It also discusses the potential for escalatory risks when these cyber operations are perceived as high-level threats by adversaries.
The Operational Reality of China’s Information Warfare Doctrine
TLDR: Recent research into the People’s Liberation Army (PLA) Strategic Support Force (SSF) reveals a shift toward "Information Operations" that prioritize pre-positioning in critical infrastructure. By leveraging living-off-the-land techniques and compromised edge devices, these actors aim to establish persistent access before a conflict even begins. Pentesters should focus on auditing edge-facing hardware and monitoring for anomalous outbound traffic patterns that suggest the use of reverse proxies for command-and-control.
Security researchers often get bogged down in the minutiae of specific exploits, but the real danger lies in how those exploits are integrated into a broader strategic framework. The recent analysis of China’s military cyber operations, specifically the role of the Strategic Support Force (SSF), demonstrates that we are no longer just dealing with opportunistic espionage. We are looking at a highly organized, modular system designed for the "Operational Preparation of the Environment."
This is not about a single zero-day. It is about the systematic compromise of critical infrastructure—electric grids, water systems, and satellite networks—to ensure that if a kinetic conflict erupts, the adversary has already secured the high ground in cyberspace.
The Mechanics of Pre-Positioning
The core of this doctrine is the "Small Core, Big Periphery" model. The SSF acts as the central command, but the actual execution is distributed across a massive, modular network of civilian and military actors. This structure allows the state to maintain plausible deniability while scaling operations far beyond what a traditional, centralized military unit could achieve.
For a pentester, the most critical takeaway is the reliance on living-off-the-land (LotL) techniques. These actors are not burning expensive zero-days on every target. Instead, they are compromising edge devices—specifically small office and home office (SOHO) routers—to build a multi-hop anonymity network. By chaining these compromised devices, they create a command-and-control (C2) infrastructure that is incredibly difficult to attribute or block.
When investigating these environments, look for the use of tools like fast-reverse-proxy. This tool is frequently used to create covert tunnels, allowing an attacker to bypass firewalls and maintain persistent access to internal segments. If you see an edge router initiating outbound connections to an unknown IP on a non-standard port, do not assume it is just a misconfigured device. It is a potential node in a larger, hostile C2 network.
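The triage rule in the paragraph above (an edge device initiating outbound connections to an unknown address on a non-standard port, repeated on a schedule) can be expressed as detection logic over flow records. The following is an added example, not code from the talk or the speaker; it assumes NetFlow-like records are available, and every address, port and record in it is constructed sample data drawn from the RFC 5737 documentation ranges:

```python
"""Flag edge devices that initiate outbound connections to unknown destinations.

Added example (not from the talk). Assumes flow records in a NetFlow-like shape;
all addresses, ports and records are constructed sample data (RFC 5737 ranges).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Management addresses of the routers we administer (constructed assumption).
EDGE_DEVICES = {"192.0.2.1", "192.0.2.2"}
# Networks an edge device legitimately contacts: vendor update, NTP, DNS (constructed).
ALLOWED_DESTINATIONS = [ip_network("198.51.100.0/24")]
# Ports on which a router is expected to initiate connections (constructed baseline).
EXPECTED_PORTS = {53, 123, 443}

# Constructed flow records: (timestamp, source, destination, destination port).
SAMPLE_FLOWS = [
    ("2024-04-18T10:00:00", "192.0.2.1", "198.51.100.10", 443),   # vendor update, expected
    ("2024-04-18T10:00:05", "192.0.2.1", "198.51.100.10", 123),   # NTP, expected
    ("2024-04-18T10:01:00", "192.0.2.1", "203.0.113.50", 7000),   # unknown host, odd port
    ("2024-04-18T10:01:30", "10.0.0.5",  "203.0.113.9",  8080),   # workstation, out of scope here
    ("2024-04-18T10:02:00", "192.0.2.1", "203.0.113.50", 7000),   # repeats every 60 s
    ("2024-04-18T10:03:00", "192.0.2.1", "203.0.113.50", 7000),
    ("2024-04-18T10:04:00", "192.0.2.2", "203.0.113.77", 443),    # unknown host, standard port
]


def is_allowed_destination(address, allowed_nets=ALLOWED_DESTINATIONS):
    """True when the destination falls inside one of the allowlisted networks."""
    ip = ip_address(address)
    return any(ip in net for net in allowed_nets)


def find_suspicious_flows(flows, edge_devices=EDGE_DEVICES,
                          allowed_nets=ALLOWED_DESTINATIONS,
                          expected_ports=EXPECTED_PORTS):
    """Return (severity, timestamp, src, dst, port) for every flow that an edge
    device initiated toward a destination outside the allowlist.  An unexpected
    port on top of an unknown destination raises the severity to 'high'."""
    findings = []
    for ts, src, dst, port in flows:
        if src not in edge_devices:
            continue  # only router-originated traffic is in scope for this rule
        if is_allowed_destination(dst, allowed_nets):
            continue
        severity = "high" if port not in expected_ports else "medium"
        findings.append((severity, ts, src, dst, port))
    return findings


def summarize_beacons(findings, min_count=3, max_jitter_seconds=5.0):
    """Group findings by (src, dst, port) and mark tuples that recur at a
    near-constant interval, the shape a persistent tunnel tends to produce."""
    groups = defaultdict(list)
    for _, ts, src, dst, port in findings:
        groups[(src, dst, port)].append(datetime.fromisoformat(ts))
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # pstdev() needs data, so the length check must come first.
        regular = len(stamps) >= min_count and pstdev(intervals) <= max_jitter_seconds
        summary[key] = {"count": len(stamps), "regular": regular}
    return summary


if __name__ == "__main__":
    hits = find_suspicious_flows(SAMPLE_FLOWS)
    for severity, ts, src, dst, port in hits:
        print(f"[{severity}] {ts} {src} -> {dst}:{port}")
    for (src, dst, port), info in summarize_beacons(hits).items():
        print(f"{src} -> {dst}:{port} seen {info['count']}x, regular={info['regular']}")
```

The two-stage shape matters: the first pass only asks "should this router be talking to that host at all", which is cheap and survives any port choice the operator makes, while the second pass separates a one-off lookup from a connection that comes back every minute. Tune the allowlist from the device's real baseline rather than from vendor documentation, and treat a `high` finding with `regular=True` as an incident rather than a misconfiguration.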
The Role of Supply Chain and Edge Compromise
The targeting of critical infrastructure is not accidental. It is a deliberate choice to maximize leverage. By compromising the supply chain—often through the exploitation of vulnerabilities in network appliances—these actors gain a foothold that is nearly impossible to evict without replacing the hardware entirely.
Consider the Volt Typhoon campaign. The attackers did not just drop a payload and leave. They performed extensive pre-compromise reconnaissance, mapping out the target’s network topology and identifying the most critical assets. They used legitimate administrative tools to blend in with normal network traffic, making detection via traditional signature-based systems almost impossible.
If you are conducting a red team engagement, stop focusing solely on the web application layer. Start looking at the network perimeter from the perspective of an attacker who has already compromised the gateway. How would you move laterally from a router to the industrial control system (ICS) or the SCADA network? The answer to that question is exactly what these actors are testing every day.
Defensive Realities for the Modern Network
Defending against this level of sophistication requires a move away from perimeter-based security. You cannot rely on a firewall to keep these actors out when they are already living inside your edge devices.
Blue teams must implement strict egress filtering. If your router does not need to talk to a random IP in a foreign country, block that traffic. Furthermore, implement robust logging for all administrative actions on network appliances. If you are not monitoring for the execution of built-in scripting interpreters like PowerShell or Bash on your network hardware, you are effectively blind to the most common LotL techniques.
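The second half of that recommendation, logging administrative actions on network appliances and watching for scripting interpreters being launched on them, is straightforward to operationalize once the audit log is parseable. The following is an added example, not code from the talk or the speaker; the key=value syslog format, hostnames, users, addresses and change window are all constructed assumptions, and real appliances log in vendor-specific formats, so `parse_line()` is the part to adapt:

```python
"""Flag interpreter execution and out-of-policy admin sessions in appliance audit logs.

Added example (not from the talk). The log format, hostnames, users, addresses
and change window below are constructed; adapt parse_line() to your vendor's format.
"""
import re
import shlex
from datetime import datetime
from ipaddress import ip_address, ip_network
from os.path import basename

# Interpreters whose execution on a router or firewall warrants review (constructed list).
INTERPRETERS = {"sh", "bash", "ash", "dash", "python", "python3", "perl", "powershell", "pwsh"}
# Subnet administrators are expected to connect from (constructed management network).
MANAGEMENT_NET = ip_network("10.0.0.0/24")
# Hours during which configuration changes are expected (constructed policy).
CHANGE_WINDOW = range(8, 18)

# Constructed appliance audit lines in a key=value syslog style.
SAMPLE_LOG = """\
Apr 18 10:05:01 rtr-edge-01 cli: user=admin action=exec src=10.0.0.20 cmd="show interfaces"
Apr 18 10:05:40 rtr-edge-01 cli: user=admin action=exec src=10.0.0.20 cmd="/bin/sh -c 'cat /etc/config/network'"
Apr 18 10:06:12 rtr-edge-02 cli: user=svc_backup action=exec src=10.0.0.21 cmd="copy running-config tftp:"
Apr 18 02:13:00 rtr-edge-01 cli: user=admin action=exec src=203.0.113.5 cmd="bash"
Apr 18 02:13:09 rtr-edge-01 cli: user=admin action=exec src=203.0.113.5 cmd="python3 -c 'print(1)'"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: (?P<fields>.*)$'
)
# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line, year=2024):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), **fields}


def interpreter_in(cmd):
    """Return the interpreter name when the command's program is a scripting interpreter."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = cmd.split()
    if not argv:
        return None
    prog = basename(argv[0])    # "/bin/sh" and "sh" are the same program
    return prog if prog in INTERPRETERS else None


def audit_admin_actions(log_text, management_net=MANAGEMENT_NET, change_window=CHANGE_WINDOW):
    """Return (host, user, cmd, reasons) for each exec event that breaks a policy rule."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("action") != "exec":
            continue
        reasons = []
        interp = interpreter_in(ev.get("cmd", ""))
        if interp:
            reasons.append(f"interpreter:{interp}")
        src = ev.get("src")
        if src and ip_address(src) not in management_net:
            reasons.append("source-outside-management-net")
        if ev["ts"].hour not in change_window:
            reasons.append("outside-change-window")
        if reasons:
            findings.append((ev["host"], ev.get("user", "?"), ev.get("cmd", ""), reasons))
    return findings


if __name__ == "__main__":
    for host, user, cmd, reasons in audit_admin_actions(SAMPLE_LOG):
        print(f"{host} user={user} cmd={cmd!r}: {', '.join(reasons)}")
```

Each finding carries every rule it tripped rather than a single verdict, so an interpreter launched from the management subnet during the change window (the second line in the sample) surfaces as a review item, while an interpreter launched at 02:13 from an address outside the management subnet accumulates three reasons and can be routed straight to incident response. Resolving `/bin/sh` to `sh` before the lookup is deliberate: path variations are the easiest way for such an execution to slip past a naive string match.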
The OWASP Top 10 remains a useful baseline, but it does not cover the reality of an adversary who has already bypassed the authentication layer by compromising the underlying infrastructure. You need to assume breach and focus on detecting the behavioral indicators of lateral movement and C2 communication.
What Comes Next
The integration of civilian and military cyber capabilities is a force multiplier that we are only beginning to understand. The "Information Operations" doctrine is not a theoretical exercise; it is a live, ongoing campaign to reshape the geopolitical landscape.
For those of us in the trenches, the challenge is to stop treating these incidents as isolated events. They are part of a larger, coordinated effort to gain strategic dominance. Start auditing your edge infrastructure today. If you find a device that you cannot account for, or if you see traffic patterns that don't make sense, dig deeper. The next major incident will likely start with a device you thought was secure.