China’s reliance on domestic technology companies to carry out large-scale hacking operations—as highlighted by the U.S. government and its allies this week—is a weakness that poses risks for Beijing, a top FBI official told CyberScoop.

Cyber agencies from around the world published an alert Wednesday about what officials have described as an indiscriminate cyberespionage campaign from Chinese Communist Party-backed hackers like the group known as Salt Typhoon. The alert also named three Chinese companies that it says have assisted that hacking.

“These enabling companies, they failed,” Jason Bilnoski, deputy assistant director in the FBI’s cyber division, told CyberScoop. “This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure.”

The lack of control China has over what those companies do precisely created an opening for investigators, Bilnoski said.

“They have this unregulated system of using these enabling companies, and it does create a risk between CCP-sanctioned actions and the mistakes by these enabling private companies that they are utilizing,” he said.

The alert about the hacking campaign tracks activity from Salt Typhoon and other Chinese government-linked groups dating back to 2021, which it says Chinese entities have also assisted.

“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the alert states. “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”

One of the named companies, Sichuan Juxinhe Network Technology, is already the subject of U.S. sanctions. That firm has not responded publicly to the U..S. accusations to date, nor apparently have the other two. The Chinese government routinely denies backing hacking activities.

Under a series of laws that China passed dating back to 2014, the government has imposed obligations on companies that do business domestically on the handling of sensitive data, among other rules.

“Historically, the CCP has used shell companies like those listed here in the [advisory] to conduct this nefarious activity, and no doubt they will continue to do so,” Bilnoski said. “But we’re going to continue after them. We have a long memory, so if it’s today, tomorrow, we’re going to continue to identify, uncover and expose their activities.”

Defending networks can’t just be the role of the government, though, he said — thus the alert that went beyond warnings to the telecommunications companies that Salt Typhoon made headlines by hacking.

The timing of the alert was simple, he said: As the FBI and its partners conducted their investigations, responded to the attacks and assisted victims, they released it as soon as it was ready to go.

“It’s important that we understand that it doesn’t matter if you’re Fortune 500, small business — we should not and we cannot assume that our systems are secure,” Bilnoski said. “We need the American people, we need our partners around the world to take action here, not just with Salt Typhoon, but with all the indiscriminate actions that the CCP has been undertaking over the last few years.”