The Global Times, a Chinese state-run newspaper, published an article titled “US intelligence uses Microsoft Exchange zero-day vulnerabilities to attack Chinese military-industrial enterprise’s email servers.” The article claims that U.S. intelligence agencies exploited vulnerabilities in Microsoft Exchange and an electronic document system to conduct cyberattacks and espionage against China’s key industries.
Summary of Claims
The Global Times article, citing a release by the Cyber Security Association of China (CSAC), makes the following key claims:
U.S. Cyberattacks on Chinese Industries: U.S. intelligence agencies conducted cyberattacks targeting China’s military-industrial enterprises by exploiting a zero-day vulnerability in the Microsoft Exchange email system.
Espionage via Document Systems: A separate attack exploited a flaw in an unspecified electronic document system to target Chinese industries.
Security Alerts Issued: The CSAC issued warnings for critical sectors in response to these alleged U.S. cyberattacks.
Broader Context of U.S. Aggression: The article frames these cyberattacks as part of a pattern of U.S. hostility toward China, referencing U.S. sanctions and visa policy shifts affecting Chinese students.
Fact-Checking Analysis
Claim 1: U.S. Cyberattacks via Microsoft Exchange Zero-Day Vulnerabilities
Verification: The claim that U.S. intelligence agencies exploited zero-day vulnerabilities in Microsoft Exchange to target Chinese military-industrial enterprises lacks specific, verifiable evidence in the article. Zero-day vulnerabilities, by definition, are previously unknown software flaws exploited before patches are available. Microsoft Exchange has a history of such vulnerabilities, notably the 2021 Hafnium attacks, where Chinese state-sponsored actors were implicated in exploiting Exchange Server flaws to target global organizations. However, no credible, independent reports confirm U.S. intelligence agencies using similar vulnerabilities against Chinese targets in 2025.
The Global Times cites the CSAC, a Chinese government-affiliated organization, but provides no technical details, such as the specific vulnerability, affected systems, or evidence of U.S. attribution. In contrast, cybersecurity reports from firms like CrowdStrike and FireEye often provide detailed indicators of compromise (IOCs) or attribution evidence, which are absent here. Without corroboration from neutral sources, this claim appears speculative.
Assessment: Unverified. The lack of specific evidence and reliance on a state-affiliated source undermines the claim’s credibility. Historical context suggests Chinese actors have exploited Microsoft Exchange vulnerabilities, which may indicate projection or misdirection.
Claim 2: Espionage via Electronic Document System
Verification: The article’s mention of a flaw in an electronic document system is vague, lacking details about the system, the nature of the flaw, or evidence linking the attack to U.S. intelligence. Cybersecurity incidents typically involve detailed reports on the exploited software, attack vectors, or forensic evidence, as seen in reports from organizations like the Cybersecurity and Infrastructure Security Agency (CISA). The absence of such details and reliance on CSAC’s statement without independent verification raises doubts.
Moreover, the claim aligns with a pattern of Chinese state media alleging Western cyberattacks without substantiation. For example, a 2022 Chinese report claimed U.S. cyberattacks on Northwestern Polytechnical University, but no evidence was provided beyond government statements. The lack of transparency in the Global Times article mirrors this approach.
Assessment: Unverified. The claim is too vague to confirm, and no independent sources support it. The absence of technical details suggests it may serve a narrative purpose rather than reflect a documented incident.
Claim 3: CSAC Security Alerts
Verification: The CSAC, a Chinese government-linked entity, is a plausible source for issuing cybersecurity alerts within China. However, its role in attributing attacks to the U.S. is questionable due to its lack of independence. Globally recognized cybersecurity organizations, such as MITRE or the European Union Agency for Cybersecurity (ENISA), typically collaborate with international partners to validate claims of state-sponsored cyberattacks. No such collaboration is mentioned, and no Western or neutral cybersecurity firms have reported similar alerts about U.S. actions in 2025.
Assessment: Partially Credible but Biased. While the CSAC may issue alerts, the attribution to the U.S. lacks independent confirmation, suggesting a potential agenda to frame the U.S. as an aggressor.
Claim 4: Broader U.S. Hostility
Verification: The article connects the alleged cyberattacks to other U.S. actions, such as visa restrictions for Chinese students and sanctions, to portray a pattern of hostility. The visa policy claim aligns with reports of tightened U.S. visa scrutiny under the Trump administration, with visa interviews suspended on May 27, 2025, and resumed on June 18, 2025. However, these policies are unrelated to cyberattacks and reflect broader U.S.-China tensions over trade, technology, and geopolitics. The article’s framing conflates distinct issues to amplify a narrative of U.S. aggression.
Assessment: Partially Accurate but Misleading. The visa policy changes are documented, but linking them to cyberattacks is a rhetorical tactic rather than a factual connection.
Propaganda and Framing Elements
The Global Times, under the People’s Daily and the Chinese Communist Party, has a history of promoting nationalistic narratives and framing Western actions as hostile. The article employs several propaganda and framing techniques:
Selective Attribution: By attributing cyberattacks to the U.S. without evidence, the article mirrors “wolf warrior” diplomacy, a term associated with aggressive Chinese state rhetoric. This approach, noted under former editor Hu Xijin, aims to rally domestic support by portraying China as a victim of Western aggression.
Vague Language: The lack of specifics about the vulnerabilities, targets, or evidence is a common tactic in state-driven propaganda to avoid scrutiny while advancing a narrative. This vagueness prevents independent verification and allows the claim to persist unchallenged in domestic media.
Conflation of Issues: Linking cyberattacks to unrelated U.S. policies, like visa restrictions, creates a broader narrative of U.S. hostility. This framing distracts from China’s own documented cyber activities, such as the 2021 Microsoft Exchange attacks attributed to Chinese actors by the U.S., UK, and EU.
Appeal to Authority: Citing the CSAC, a government-affiliated body, lends an air of credibility to domestic audiences but carries little weight internationally because the body is not independent. This tactic exploits trust in official sources within China.
Victimhood Narrative: The article portrays China as a target of U.S. aggression, ignoring China’s own history of state-sponsored cyberattacks, such as those against U.S. government agencies and private firms. This selective narrative aligns with the Global Times’ role in China’s propaganda apparatus.
Potential Fake or Exaggerated Elements
Fake or Unsubstantiated Claims: The core claim of U.S. cyberattacks lacks evidence beyond CSAC’s statement. No technical reports, IOCs, or independent analyses corroborate the allegations, suggesting they may be fabricated or exaggerated for political purposes.
Projection of Chinese Actions: The focus on Microsoft Exchange vulnerabilities echoes China’s own exploitation of such flaws in 2021. This could indicate projection, where China attributes its tactics to the U.S. to deflect criticism.
Propaganda Amplification: The article’s timing, coinciding with heightened U.S.-China tensions over tariffs and sanctions, suggests an intent to amplify anti-U.S. sentiment domestically.
Broader Context and Credibility
The Global Times is a known outlet for Chinese state propaganda, with a track record of spreading disinformation and framing international events to align with Beijing’s interests. Its claims should be approached with skepticism, especially without corroboration from neutral sources like Recorded Future, Mandiant, or CISA. By contrast, China’s own cyber activities, including attacks on U.S. infrastructure, are well documented by Western intelligence agencies. The article’s narrative fits a pattern of deflecting blame and portraying China as a victim, a tactic used to bolster domestic support amid external pressures.
The Global Times article’s claims about U.S. cyberattacks on Chinese military-industrial enterprises are unverified and likely exaggerated, serving as propaganda to frame the U.S. as an aggressor. The lack of specific evidence, reliance on a state-affiliated source, and conflation of unrelated issues undermine its credibility. While U.S.-China cyber tensions are real, independent reports do not support the article’s allegations. Readers should seek primary cybersecurity sources and cross-reference claims to avoid falling for state-driven narratives.