Chinese intelligence services and state-linked cyber actors conduct active reconnaissance against U.S. military procurement systems using a layered approach that blends open-source scraping, supply-chain placement, front companies, and contracted cyber operations. The activity is deliberate, low-cost, and high-value. It is not theoretical. It is happening now, and procurement officers must stop treating acquisition systems as administrative backwaters.
How they do it
1) OSINT and procurement scraping
Public procurement records are a gold mine. Researchers and adversaries alike scrape federal, state, and local procurement portals to map what agencies buy, who supplies it, and where risky technology has spread. That technique has been used to show how Chinese telecom and surveillance gear reached hundreds of state and local buyers despite federal warnings. The same visibility lets an adversary identify which agencies use which products, who the prime contractors are, and where exploitable equipment sits on a network.
2) Supply-chain placement and opaque subsidiary relationships
China has placed dual‑use components into Western government supply chains through subsidiaries and less-transparent supply routes. Investigations have found encryption controller chips tied to Chinese ownership in storage devices used by Western militaries and agencies. Those supply-chain placements create opportunities for later exploitation or covert collection. The lesson is simple: an item that looks commercial can still be an intelligence pathway.
3) Third-party contractors and hacking firms working for state actors
Leaked documents and public indictments show that Chinese contractors and APT groups operate as both collection arms and service providers for state objectives. A major leak exposed a Chinese firm that provided targeted access and offensive services to Chinese state customers. Separately, U.S. and allied actions in 2024 tied organized hacking activity to state intelligence objectives. These actors can and do pivot from harvesting open procurement data to active intrusion campaigns against suppliers, integrators, and government customers.
4) Credential harvesting and targeting of downstream suppliers
Procurement systems are only one node. The real prize is the contractor ecosystem: subcontractors, logistics vendors, and small suppliers often have weaker cyber defenses. Adversaries perform reconnaissance across procurement portals to identify low-value, high-access targets and then use phishing, credential stuffing, or contractor compromise to reach sensitive engineering data, bills of materials, and component provenance. Once inside a supplier, attackers can map programs, locate schematics and test data, and quietly exfiltrate procurement and design files.
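Two of the patterns in that paragraph, credential stuffing against a vendor portal and a takeover that succeeds right after a burst of failures, as an added detection example (not code from the original article). The log format, account names, and IP addresses are constructed; the example assumes a portal that writes one line per authentication attempt with source IP, account, and result. Rule one flags a source that fails against many distinct accounts inside a short window; rule two flags an account that logs in from an IP it has never succeeded from before, immediately after a run of failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vendor-portal authentication log (not real data). Addresses come
# from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 and domains
# use the reserved .example TLD. The line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-05T01:50:02Z portal-auth ip=198.51.100.7 user=jdoe@supplier-a.example result=OK
2024-03-05T01:55:41Z portal-auth ip=198.51.100.20 user=mlee@supplier-b.example result=OK
2024-03-05T02:14:01Z portal-auth ip=203.0.113.45 user=jdoe@supplier-a.example result=FAIL
2024-03-05T02:14:03Z portal-auth ip=203.0.113.45 user=rpatel@supplier-a.example result=FAIL
2024-03-05T02:14:05Z portal-auth ip=203.0.113.45 user=ops@logistics-c.example result=FAIL
2024-03-05T02:14:08Z portal-auth ip=203.0.113.45 user=billing@logistics-c.example result=FAIL
2024-03-05T02:14:11Z portal-auth ip=203.0.113.45 user=kchen@supplier-d.example result=FAIL
2024-03-05T02:30:12Z portal-auth ip=203.0.113.9 user=mlee@supplier-b.example result=FAIL
2024-03-05T02:30:40Z portal-auth ip=203.0.113.9 user=mlee@supplier-b.example result=FAIL
2024-03-05T02:31:05Z portal-auth ip=203.0.113.9 user=mlee@supplier-b.example result=FAIL
2024-03-05T02:31:33Z portal-auth ip=203.0.113.9 user=mlee@supplier-b.example result=FAIL
2024-03-05T02:32:10Z portal-auth ip=203.0.113.9 user=mlee@supplier-b.example result=OK
2024-03-05T03:02:00Z portal-auth ip=198.51.100.7 user=jdoe@supplier-a.example result=FAIL
2024-03-05T03:02:20Z portal-auth ip=198.51.100.7 user=jdoe@supplier-a.example result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z portal-auth "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ip": m["ip"], "user": m["user"], "result": m["result"]}


def _evict(q, now, window):
    """Drop queued entries that have aged out of the sliding window."""
    while q and q[0][0] < now - window:
        q.popleft()


def detect(lines, window=timedelta(minutes=10), min_accounts=5, min_failures=4):
    """Return alerts for (1) one source failing against many accounts and
    (2) a success from an unfamiliar source right after repeated failures."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails_by_ip = defaultdict(deque)    # ip -> (ts, user) failures inside the window
    fails_by_user = defaultdict(deque)  # user -> (ts, ip) failures inside the window
    known_ips = defaultdict(set)        # user -> ips with a prior successful login
    alerted_ips = set()
    alerts = []
    for e in events:
        ts, ip, user = e["ts"], e["ip"], e["user"]
        if e["result"] == "FAIL":
            q = fails_by_ip[ip]
            q.append((ts, user))
            _evict(q, ts, window)
            accounts = {u for _, u in q}
            if len(accounts) >= min_accounts and ip not in alerted_ips:
                alerts.append({"type": "credential_stuffing", "ip": ip,
                               "accounts": len(accounts), "at": ts})
                alerted_ips.add(ip)  # alert once per source, not once per extra account
            qu = fails_by_user[user]
            qu.append((ts, ip))
            _evict(qu, ts, window)
            continue
        # Successful login: was it preceded by a burst of failures, from a new source?
        qu = fails_by_user[user]
        _evict(qu, ts, window)
        if len(qu) >= min_failures and ip not in known_ips[user]:
            alerts.append({"type": "success_after_failures", "user": user, "ip": ip,
                           "failures": len(qu), "at": ts})
        known_ips[user].add(ip)
        qu.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the 203.0.113.45 source trips rule one on its fifth distinct account, and mlee's login from 203.0.113.9 trips rule two because that address has never logged in successfully as mlee before; jdoe's single typo followed by a login from a known address produces nothing. On a real portal, add the MFA outcome and the user agent to the key, and treat a rule-two hit as a takeover until proven otherwise.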
Concrete risks this creates
- Discovery of supply-chain dependencies. By matching procurement line items to vendor registries, an adversary can find where Chinese components and software are embedded in defense programs and then prioritize targeting those touchpoints.
- Targeted intelligence collection. Procurement data leads to program names, schedule milestones, and contact points. That information reduces the time and cost of a successful espionage operation.
- Enabling compromise and disruption. Identifying state and local systems that rely on suspect vendors can expose critical services to later exploitation or coercive leverage. Procurement reconnaissance is a first step toward either theft or disruption.
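The matching step described in the OSINT section and in the first risk above, as an added example (not code from the original article): it joins a constructed export of procurement line items against a vendor watchlist, normalizes vendor names so that legal-name variants and corporate suffixes resolve to one entity, and checks the free-text description so that listed products bought through an unlisted reseller are caught. The agencies, the reseller, and the amounts are constructed for illustration; the watchlist names are real entries from the FCC Covered List, but in practice you would load that list or your own SCRM list in full, together with a real portal export. The same code serves the defender's inventory use of the data.

```python
import csv
import io
import re
from collections import defaultdict

# Watchlist for this example. Keys are canonical vendor names; values are the
# aliases, legal names and resolved subsidiary or reseller names that show up on
# purchase orders. Names here are from the FCC Covered List; extend with your own.
WATCHLIST = {
    "Hikvision": ["Hikvision", "Hangzhou Hikvision Digital Technology Co., Ltd."],
    "Dahua": ["Dahua", "Zhejiang Dahua Technology Co., Ltd."],
    "Huawei": ["Huawei", "Huawei Technologies Co., Ltd."],
    "ZTE": ["ZTE", "ZTE Corporation"],
}

# Constructed sample of procurement line items, in the shape a scraped state
# portal export typically takes. Agencies, the reseller and amounts are hypothetical.
SAMPLE_CSV = """agency,vendor,description,amount
City of Example Water Utility,"Hangzhou Hikvision Digital Technology Co., Ltd.",IP camera system for treatment plant,18500.00
County Sheriff Office,Northstar Security Supply,16x Hikvision PTZ cameras and NVR,24300.00
State DOT,Acme Networks LLC,Managed switches and optics for district office,41200.00
Regional Transit Authority,ZTE Corporation,LTE modems for fleet telematics,9800.00
"""

# Corporate suffixes that vary between portals and hide the same entity.
SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "corporation", "company", "limited"}


def normalize(name: str) -> str:
    """Lowercase, strip punctuation and corporate suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def build_patterns(watchlist):
    """Compile one word-boundary regex per distinct normalized alias, keyed by canonical name."""
    patterns = {}
    for canonical, aliases in watchlist.items():
        seen = {normalize(a) for a in aliases if normalize(a)}
        patterns[canonical] = [re.compile(r"\b" + re.escape(a) + r"\b") for a in sorted(seen)]
    return patterns


def flag_line_items(csv_text: str, watchlist):
    """Return one record per line item that matches the watchlist.

    The vendor column is checked first (direct purchase); the description is
    checked second, which catches a listed product sold through an unlisted
    reseller or integrator, the case a vendor-only match misses.
    """
    patterns = build_patterns(watchlist)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fields = {"vendor": normalize(row["vendor"]), "description": normalize(row["description"])}
        for canonical, regexes in patterns.items():
            hit = next((f for f in ("vendor", "description")
                        if any(r.search(fields[f]) for r in regexes)), None)
            if hit:
                flagged.append({"agency": row["agency"], "vendor": row["vendor"],
                                "canonical": canonical, "matched_on": hit,
                                "amount": float(row["amount"])})
                break  # one canonical vendor per line item
    return flagged


def summarize(flagged):
    """Aggregate flagged spend and the set of exposed agencies per canonical vendor."""
    summary = defaultdict(lambda: {"agencies": set(), "spend": 0.0})
    for f in flagged:
        summary[f["canonical"]]["agencies"].add(f["agency"])
        summary[f["canonical"]]["spend"] += f["amount"]
    return {k: {"agencies": sorted(v["agencies"]), "spend": v["spend"]} for k, v in summary.items()}


if __name__ == "__main__":
    hits = flag_line_items(SAMPLE_CSV, WATCHLIST)
    for h in hits:
        print(f'{h["agency"]:32} {h["canonical"]:10} via {h["matched_on"]:12} ${h["amount"]:,.2f}')
    print(summarize(hits))
```

Run against a real export, the two questions an adversary asks fall out directly: which agencies, and how much. The reseller row is the one worth dwelling on. A vendor-column match alone would miss it, and that is exactly where opaque subsidiary and reseller relationships hide, so keep the alias lists current and keep matching the description text, not just the payee.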
Why procurement systems are attractive and vulnerable
Procurement data is granular, persistent, and frequently public. Acquisition offices, especially at state and local levels and at lower-tier suppliers, lack the staffing and cyber maturity of prime contractors. Contracts, vendor contact lists, delivery schedules, and acceptance test criteria are all useful intelligence. Where procurement portals interconnect with vendor portals, invoice systems, or document repositories, an adversary with limited access can enumerate the entire lifecycle of a program.
Evidence from 2022–2024 shows two parallel realities: researchers and defenders using procurement data to find and replace risky equipment, and adversaries exploiting the same data and weak vendors to perform intel collection and compromise. The i-Soon (Anxun) document leak in February 2024 gave a window into how Chinese contractors take government-directed tasking and convert it into tailored cyber operations against foreign targets. Broader reporting and indictments in 2024 documented state-linked APT activity aimed at harvesting political, economic, and defense-related intelligence.
What needs to change now
1) Treat procurement systems as intelligence targets
Assume procurement portals are being monitored by adversaries. Limit unnecessary public detail about program timelines, component lists, and vendor contacts. Where documents must be shared, sanitize or redact operationally sensitive metadata before publication.
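One concrete piece of that sanitization step, as an added example (not code from the original article). Office documents carry author names, domain\user handles, organisation, template paths, revision counts, and edit times in docProps/core.xml and docProps/app.xml inside the .docx zip, and those fields identify people and machines at the contractor even when the body text is clean. The package below is constructed in memory with illustrative values; the scrub rewrites those two parts and lists the other parts that carry identity (comment authors, the people part, the thumbnail, custom properties) so they get a separate pass rather than being forgotten.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
for prefix, uri in [("cp", CP), ("dc", DC), ("dcterms", DCTERMS),
                    ("xsi", "http://www.w3.org/2001/XMLSchema-instance"), ("", EP)]:
    ET.register_namespace(prefix, uri)  # keep the original prefixes when re-serializing

# Constructed minimal .docx package (not a real document): only the parts that
# matter for metadata are populated; names, paths and dates are illustrative.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Acceptance Test Procedure</dc:title><dc:creator>j.smith</dc:creator>
<cp:lastModifiedBy>CONTRACTOR\\jsmith</cp:lastModifiedBy><cp:revision>17</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2024-02-01T09:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2024-02-03T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{EP}"><Application>Microsoft Office Word</Application>
<Company>Example Subcontractor LLC</Company>
<Template>C:\\Users\\jsmith\\Templates\\acceptance-test.dotx</Template><TotalTime>312</TotalTime>
</Properties>"""
DOCUMENT_XML = f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Body text.</w:t></w:r></w:p></w:body></w:document>'
COMMENTS_XML = (f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="J. Smith" w:initials="JS">'
                '<w:p><w:r><w:t>confirm with program office</w:t></w:r></w:p></w:comment></w:comments>')

# Fields removed from the two property parts.
CORE_DROP = {f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy", f"{{{CP}}}revision", f"{{{CP}}}keywords",
             f"{{{DC}}}description", f"{{{DCTERMS}}}created", f"{{{DCTERMS}}}modified"}
APP_DROP = {f"{{{EP}}}Company", f"{{{EP}}}Manager", f"{{{EP}}}Template", f"{{{EP}}}TotalTime",
            f"{{{EP}}}HyperlinkBase"}
# Parts that carry identity outside docProps and need their own review.
REVIEW_PARTS = ("word/comments.xml", "word/people.xml", "docProps/thumbnail.jpeg", "docProps/custom.xml")
CORE_FIELDS = {"title": f"{{{DC}}}title", "creator": f"{{{DC}}}creator",
               "lastModifiedBy": f"{{{CP}}}lastModifiedBy", "created": f"{{{DCTERMS}}}created"}
APP_FIELDS = {"Company": f"{{{EP}}}Company", "Template": f"{{{EP}}}Template"}


def build_sample_docx() -> bytes:
    """Assemble the constructed package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def _prune(xml_bytes: bytes, drop) -> bytes:
    """Remove top-level children whose tag satisfies drop(tag); keep everything else."""
    root = ET.fromstring(xml_bytes)
    for child in list(root):
        if drop(child.tag):
            root.remove(child)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def scrub_docx(data: bytes) -> bytes:
    """Rewrite the package with author, organisation, path and timing metadata removed.

    Members are re-added by name, so the zip entry timestamps are reset as well.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name == "docProps/core.xml":
                payload = _prune(payload, lambda t: t in CORE_DROP)
            elif name == "docProps/app.xml":
                payload = _prune(payload, lambda t: t in APP_DROP)
            elif name == "docProps/custom.xml":
                payload = _prune(payload, lambda t: True)  # custom properties often hold project codes
            dst.writestr(name, payload)
    return out.getvalue()


def extract_metadata(data: bytes) -> dict:
    """Report the identity-bearing fields that remain, for a before/after check."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            root = ET.fromstring(z.read(part)) if part in names else None
            for key, tag in fields.items():
                el = root.find(tag) if root is not None else None
                found[key] = el.text if el is not None else None
        found["review_parts"] = sorted(n for n in names if n in REVIEW_PARTS)
    return found


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(scrub_docx(original)))
```

The before/after report is the check to keep in the release workflow: the title survives, the author, handle, company, template path and dates are gone, and the comments part is still listed because comment authors and tracked-change authors live in the body parts and need a separate scrub. PDFs need the equivalent treatment of their Info dictionary and XMP stream.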
2) Force supply-chain provenance into contracts
Require prime contractors and critical subcontractors to disclose country-of-origin and supplier pedigree for components and software down to a practical tier. Use enforceable contract clauses and audits rather than voluntary reporting. Simpler enforcement beats complex promises.
3) Harden vendor and contractor accounts
Apply strong identity controls, multifactor authentication, conditional access, and regular credential hygiene across SAM.gov, vendor portals, and prime contractor collaboration systems. Attackers exploit weak contractor credentials far more often than exotic zero-days.
4) Prioritize visibility into lower-tier suppliers
Defensive budgets and attention still cluster at primes. Shift more resources toward vetting small suppliers for cybersecurity hygiene and provenance. Fund programs that replace identified risky gear in local governments and utilities that touch defense networks.
5) Expand and operationalize SCRM (supply chain risk management)
Public-private task forces and federal centers have begun work on ICT supply chain risk management. Turn that planning into binding rules for critical programs and a practical, fundable remediation path for state and local partners that host mission‑critical systems.
Bottom line
Reconnaissance on procurement systems is cheap, repeatable, and often invisible until a larger compromise occurs. China’s toolkit mixes open-source scraping, legitimate commercial channels, and contracted hacking to map and then exploit procurement ecosystems. If you are responsible for acquisition, program security, or contractor oversight, start treating procurement data and contractor accounts as front-line intelligence risk. Fix basic hygiene, demand provenance, and stop assuming your acquisition systems are merely administrative. That is how you deny reconnaissance its utility. Failure to act hands the adversary a map to your vulnerabilities and a timetable for exploitation.