Understanding Chinese Spy Operations Is Central to Understanding Cyberattacks

In 2014, five Chinese military hackers were indicted for offenses that included computer hacking and economic espionage, targeting Americans in industries such as nuclear and solar power. It was the first time criminal charges were brought against Chinese military hackers for cyberattacks. But they never went to trial.

The individuals were part of the People’s Liberation Army Unit 61398, one of 22 known operations bureaus under the Third Department of the General Staff Department—the warfighting branch of the Chinese military. Each of these bureaus is involved with different forms of cyber operations, many of which target the United States and other countries.

These Chinese warfare operations aren’t isolated from the work of an individual bureau.

You can’t understand signals intelligence operations and cyber operations as being separate from one another when trying to understand the nature of Chinese operations to steal intellectual property. Every department is interrelated with one another. The General Staff Department, Third Department works alongside the human intelligence branch (Second Department) and also the electronics intelligence branch (Fourth Department).

As an example, when we see incidents of theft taking place, there often is a human actor working in at least some element of the cyber breach, such as using a USB drive to download something. The hackers and spies of the Chinese military work together.

Through interviews with former Chinese agents, The Epoch Times learned how one of the tactics used insiders—people working for the company to steal information. If the insider stole data, hackers with the Chinese military would launch cyber attacks against the same network at the same time, that same day. When the company conducted a cyber-forensic investigation to try to analyze the breach, they would surmise that a cyberattack was the cause of theft.

Even if there was enough evidence to take the insider to trial, on the grounds that the person was involved in the theft and transfer of information, the insider could point to the cyberattack to claim that he or she was wrongfully blamed for an external breach. The insider could even turn around and sue the company. This ties into what the United States is facing right now—Chinese unrestricted warfare operations.

According to “Unrestricted Warfare,” a 1999 book authored by two colonels in the Chinese military, these operations work across three different spectrums: the non-military, trans-military, and conventional military. At its core is a series of tactics that function outside what would be termed conventional full-scale warfare. Instead, these tactics utilize every element that makes society function as a warfighting mechanism. Individuals working for the General Staff Department, Third Department, for example, use non-conventional military means.

Non-military operations include areas such as cultural warfare, propaganda warfare, financial warfare, and economic warfare, which would be attacking things that affect the GDP of a nation. Business warfare utilizes a “death by a thousand cuts” approach, such as stealing individual product designs. Cyberwarfare, as we know it, would fall into the trans-military operations, the crossover between the public and private. Full military spectrums of unconventional warfare would involve electromagnetic pulse attacks, space warfare, and poisonings.

Also, not all cyber operations are being directed by the Chinese military itself. Some are being done for personal gain by individual companies. This is because only a few years ago, it was a free-for-all. As there is no extradition treaty with China, there are no real consequences or punishments for launching cyber operations against the United States, and Chinese threat actors were getting very little pressure until around 2014.

In July 2017, a source working in undercover infiltration operations in the darknet provided documents to The Epoch Times about a criminal market operated by Chinese military hackers in their free time. Originally called Babylon APT, the website was later renamed to C-Market (criminal market) and sold a number of different services including personal information, government documents, government identification, energy information, hospital information, credit card information, and others. The site’s operators also could be hired to launch targeted attacks.

One example of what C-Market operators sold was access to U.S. Coast Guard’s vessel identification system, the price was advertised for around five to seven bitcoins, valued at the time at around $11,761 to $16,465.

Common clients for such darknet sites include Mexican drug cartels and foreign governments; when the workload of the Chinese hackers grew too heavy, there were even captured chats showing that they hired mercenary hackers from different countries. This site highlights the way some of these Chinese operations are done today.

State Guidance

The other element is actual state guidance. Project 863, Torch Program, 973 Program, and 211 Program are all names of different cyber operations being run by the Chinese Communist Party’s programs that direct economic theft.

“Each of these programs looks to foreign collaboration and technologies to cover key gaps,” according to the book “China’s Industrial Espionage: Technology Acquisition and Military Modernization,” authored by William C. Hannas, James Mulvenon, and Anna B. Puglisi.

After obtaining the stolen technology or data, China’s National Technology Transfer Centers come into play. These centers convert stolen technology or intellectual property into goods that can be used for the country.

About 202 such centers are “models for emulation by other transfer facilities,” according to “China’s Industrial Espionage.” The CCP wants private companies to emulate their centers, thereby encouraging the creation of additional programs.

Some of these centers are under the Overseas Affairs Office, one of the two main overt espionage departments of the CCP.

The authors of “China’s Industrial Espionage” summarized the system by saying, “We are talking here of an elaborate, comprehensive system for spotting foreign technologies, acquiring them by every means imaginable, and converting them into weapons and competitive goods.”