China’s hacker army has garnered significant attention in recent years in the race to control the cyberspace. The Chinese government is believed to have a complex network of cyber units, including the notorious Unit 61398 of the People’s Liberation Army (PLA), which has been linked to numerous high-profile cyberattacks.
Internet was founded in 1982 by splitting the military ARPANET into separate military and civilian networks. Interestingly, Kevin Poulsen @ ‘Dark Dante’ was arrested in 1983 itself for breaking into the ARPANET. In 1984, Bill Landreth @ ‘The Cracker’ was convicted of hacking computer systems and accessing NASA and Department of Defense computer data. Hacking is that old an affair!
Yet, you will be surprised to learn that the American government recognized the necessity of cyber warfare officially only in 2009 when the United States Cyber Command (USCYBERCOM) was formed. At about the same time, the world started talking of China’s Hacker Army. The Chinese have not looked back since then and are now a force to reckon with.
So much so that in June 2020, the American Federal Communications Commission (FCC) was forced to formally designate Chinese firms Huawei Technologies Co. and ZTE Corp as posing threats to US ‘national security’. The FCC said, “We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure.” In December 2022, the US government banned approvals of new telecommunications equipment from these two tech giants, fearing that China could use them to spy on Americans.
How the Chinese Took Control of the Cyberspace
Initially, the impression was limited to largely Hollywood speculation. The world got its first detailed peep into their shadowy world through the autobiography of a Chinese hacker known in cyberspace as SharpWinner who worked with the elite hacker group RedHacker’s Alliance. The book titled ‘The Turbulent Times of the Red Hackers’ tells about hundreds of such groups spread across China. And mind you, they are not cyber freelancers or nerds slogging in congested rooms for a little kick; they operate from luxurious high-rise apartments and are equipped with sophisticated network tools.
Some of the famous hacker groups include Honker Union, APT40, Gothic Pandas, etc. In 2017, the journal Foreign Policy estimated the number of private hackers to be up to 100,000. In May 2023, the FBI Director Christopher Wray admitted before a House Appropriations subcommittee that if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1. To anyone who knows Chinese, just Google the characters for ‘heike’ (a transliteration of hacker that means, literally, ‘black guest’) and you’ll come up with pages and pages of results.
Also Read: PLA’s Achilles heel: flaws that weaken China’s combat capabilities
In January 2010, a deeply embarrassed Google admitted on its weblog that it had been the victim of a cyber-attack. The company said the attack occurred in mid-December 2009 and originated from China. Later, it was found that in this series of cyber-attacks codenamed ‘Operation Aurora’, 34 major companies were targeted including Northrop Grumman, Dow Chemicals and Morgan Stanley etc. While investigating the attack, Google found that the Gmail accounts of a number of Chinese human-rights activists had also been hacked.
You must know that despite their moral grandstanding on free speech, Google had been conforming to the Chinese government censorship policies for four years in the sense that they obliged by restricting their search results in conformity with the ‘Great Firewall’ and removing content that was deemed objectionable by the government. Google did that for nothing but profits because the number of Internet users in China is more than twice the population of USA. After the 2010 cyber-attacks, Google started diverting their traffic to their uncensored Hong Kong version. Eventually, China banned Google from China for all practical purposes.
Enter the Red Dragon
Let us admit one thing. All those thousands of private hackers are not the conventional cyber criminals trying to make a quick buck. There is little evidence of these freelancers indulging in any anti-national activity or crime within the nation. We cannot dismiss their patriotism and commitment to the national cause. It is a different thing that the Chinese State supports their activities or conducts similar activities on its own.
In China, the State has co-opted domestic hacking talent for state-driven cyber warfare operations. At times, the MSS (Ministry of State Security) has contractual relationship with non-state actors. China enacted two laws in 2017, the Cyber Security Law and National Intelligence Law, which provide legal authority for China’s intelligence services to access data and co-opt Chinese companies for use in vaguely worded national security investigations.
An interesting example is Tan Dailin @ WickedRose who was associated with the group WICKED PANDA/APT41. He had begun as a ‘patriotic’ hacker while still at university in 2000-2002, carrying out defacements during the US-Sino hacker war. He was talent-spotted by his local People’s Liberation Army (PLA) branch, the Chengdu Military Region Technical Reconnaissance Bureau (TRB) and asked to compete in a hackathon. This was followed by an “internship” where he and his fellow hackers taught attack/defence courses. He is also suspected to have been involved in the initial Titan Rain attacks discussed later. They were allowed to do contract work for gaming firms, hacking a variety of South Korean, Japanese, and US gaming firms, which gave them experience with high-level vulnerabilities that are able to manipulate at the kernel level.
People’s Liberation Army PLA Unit 61398
The PLA Unit 61398 (also known variously as APT1, Comment Crew, Comment Panda, GIF89a, or Byzantine Candor) is the Military Unit Cover Designator of the unit of the Chinese armed forces that has been believed to be one of the sources of Chinese cyber-attacks. US intelligence agencies have been citing it since 2002.
In 2013, an American cyber security firm Mandiant claimed that PLA Unit 61398 operated under the 2nd Bureau of the PLA General Staff Department (GSD) Third Department from Pudong, Shanghai. How it got the information, no one knows. However, claiming that the base of operation could be traced to a particular 12-storey building there is preposterous. No nation could be so stupid as to keep all its cyber warfare resources in one building. The US could, in the event of impending war, make a surgical strike on it with precision-guided munitions and obliterate it. The resources have to be dispersed. Officially, the Chinese government dubbed the Mandiant report as ‘unprofessional’.
In 2014, a US court had indicted five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets. It was claimed that Chinese state-owned companies had ‘hired’ Unit 61398 ‘to provide information technology services’. The Chinese companies were not named. China vehemently denied the charges.
Cyberspace Force That Replaced Strategic Support Force (SFF)
The SFF existed from 2015 until April 2024. It oversaw all units responsible for psychological warfare, information warfare, space warfare, cyber warfare, and electronic warfare operations. On April 19, 2024 the PLA announced that three co-equal forces, namely, the Aerospace Force, Cyberspace Force, and Information Support Force would be established to replace the SFF. The Cyberspace Force will take on the cyber-attack, defence, and espionage missions from the former SSF’s Network Systems Department.
What Could We Expect In Cyber-Attacks
The beauty of a good cyber-attack is that it should be almost impossible to trace and must be completely ‘silent’. By the time the enemy country figures out that it has been attacked, the damage should have been done. The American Stuxnet virus that damaged Iran’s uranium enrichment centrifuges was an excellent example.
Cyber-attacks generally focus on espionage; sabotage; vital systems like electrical power grids, transportation, water supplies, hospitals; propaganda; attacks on economic establishments such as stock markets, payment systems, and banks; and surprise attacks. There are myriad known as well unknown techniques of doing it, such as hacking; viruses and computer worms; Distributed Denial of Service attacks; spyware; and ransomware, etc.
Starting 2003 and until 2006, in a series of coordinated attacks given the name of Titan Rain, hackers (believed to be from PLA Unit 61398) gained access to many US defence contractor computer networks, which were targeted for their sensitive information, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. Officially, the US maintained that no classified information was stolen but only unclassified information was stolen. This could be true or a face-saving lie also.
Last year witnessed several high profile ransomware attacks on UK’s national postal service; Fortra’s GoAnywhere MFT (managed file transfer) tool; NCR, American manufacturer of ATMs, barcode readers, payment terminals, and other retail and banking equipment; municipal services in Dallas, Texas; Progress Software’s MOVEit Transfer file transfer tool; University of Hawaii (they actually admitted paying up to the attackers to save personal data of over 28,000 people from going public) etc.
Damage Chinese Hacker Army Could Inflict In a War
Jen Easterly, Director of the Cyber-security and Infrastructure Security Agency, said during a House Select Committee hearing, that now, besides the historical focus on espionage, China is preparing for destructive cyber-attacks on critical services of the enemy country during or immediately preceding a war. For example, a major interest area is to could hinder the United States’ ability to help Taiwan during a potential invasion.
In January 2023, US State Department spokesperson Matthew Miller had conceded in a press briefing, “The US intelligence community assesses that China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.” You may recall that in May 2021, digital systems of the famous Colonial Pipeline (constructed in 1962 and which starting from Texas, moves oil from the Gulf of Mexico to the East Coast states) were hacked and infected forcing it to be shut down for several days. The US government was forced to declare a state of emergency.
Adam Kozy, independent analyst; CEO of SinaCyber; and former official with the FBI’s Cyber Team says that while it can be argued that Russian cyber operatives are more advanced in terms of sophistication, China is by far the most aggressive cyber power in its region which aggressively conducts computer network exploitations against all of its regional neighbours with specific Advanced Persistent Threat (APT) groups.
Advanced Persistent Threat means an attack campaign in which the intruders establish an illicit but long-term presence on a network in order to mine highly sensitive data. They are much more complex than the amateur hit-and-run attacks. Network infiltration is achieved by malicious uploads like RFI (Remote File Inclusion), SQL Injection and XSS (Cross-Site Scripting), etc. Once the foothold is established, attackers move to broaden their presence within the network and moving up the hierarchy which has access to more sensitive data. While an APT operation is underway, the stolen data is typically parked in a secure location inside the infiltrated network itself. Extraction of the stolen data is trickier. Typically, white noise tactics are used to create distractions. For example, by mounting a Distributed Denial of Service attack that occupies the attention of the network personnel or weakens site defences, thus giving an opportunity to move out the data.
On April 19, 2024 the FBI Director Christopher Wray admitted that China was developing the ability to physically wreak havoc on US critical infrastructure and its hackers were waiting for just the right moment to deal a devastating blow. He made these comments in the context of a Chinese government-linked hacking operation or group codenamed Volt Typhoon. This was discovered in May 2023 by analysts at Microsoft who found that it had targeted everything from US telecommunication networks to transportation hubs. Wray admitted that the hackers had successfully gained access to targets in telecommunications, energy, water and other critical sectors. The attack was also able to take control of routers, modems and even internet-connected security cameras. This constellation of remotely controlled systems, known as botnet, will severely limit the ‘visibility’ of the cyber defenders in tracking down the attackers. In all probability, it must have been a dry practice run to probe vulnerabilities and test own capabilities.
