Unit 61398 & Chinese Hacks on US Databases
The 2nd Bureau of the People’s Liberation Army’s General Staff Department 3rd Department, more informally known as Unit 61398, has a title as innocuous and soporific as the drab office building in the outskirts of Shanghai from which they operate. But, dull as it may sound, Unit 61398 is the elite of China’s offensive cyber forces, and the drab building pictured at the head of this post is their headquarters (Li, 2014). From there Unit 61398 has conducted some of the largest and most significant hacks on US targets yet uncovered, and their successes have enabled China to compile an enormous database on which to run their ever growing big data analytic capabilities.
While the full extent of Unit 61398’s activities is unknown, the US Government has become increasingly willing to identify China and its cyber forces as the perpetrators behind large scale data breaches affecting US companies. On 10 February 2020, US Attorney General William Barr announced the indictment of four members of the Chinese military for hacking into the credit-reporting agency Equifax (Barr, 2020). In his speech announcing the indictment the Attorney General pointed the finger at China’s cyber forces for a litany of past attacks, saying:
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.” (Barr, 2020).
The attacks which AG Barr identified were all significant. The United States’ Office of Personnel Management was an often overlooked department of the US government, at least from a cyber security perspective. But it was the repository for the personal data of some 22 million Americans who worked, had worked or had applied to work for the US government, including the roughly 5 million Americans who held “secret” or “top secret” clearances (Sanger, 2018). Over a 15-month period between late 2013 and April 2015 the hackers stole 4.2 million personnel files, 5.6 million fingerprints and an astonishing 21.5 million SF-86 forms, a 127-page form completed by every applicant for a security clearance in the US, containing extensive personal details about the applicant’s life (Sanger, 2018).
While the OPM hack was squarely targeted at US federal employees, other hacks attributed to the Chinese military have had a broader scope. The Marriott/Starwood hack involved the loss of up to 383 million travel records from visitors of all kinds, along with 5 million passport numbers (Chen, 2019), while the Anthem Insurance attack extracted data on 80 million employees and members, including social security numbers, home addresses and income data (Chen, 2019). Other victims of Chinese attacks include United Airlines, which lost data on flight passengers and their movements, Community Health Systems, from whom records on 4.5 million of their customers were taken, and even the US Navy, which had more than 100,000 personnel files stolen by Chinese hackers (Chen, 2019).
Big Data & Espionage
While the loss of such large volumes of data is embarrassing, it is only in recent times that it has become positively concerning. The reason is that until the advent of big data analysis techniques, large databases of the kind targeted by Unit 61398 were simply too massive to mine productively. As Admiral Mike Rogers, the head of the National Security Agency between April 2014 and May 2018, explained: the sheer volume of information from the OPM hack would have overwhelmed any foreign intelligence agency and meant that the theft as a whole was of little value (Sanger, 2018).
But times have changed. The highest levels of the Chinese government have made commitments to developing China’s big data capabilities in all fields, including the military and intelligence gathering. President Xi Jinping himself articulated this policy during his report to the 19th National Congress of the Chinese Communist Party in October 2017, where he made clear that China would “…promote the deepened integration of Internet, big data, and artificial intelligence with the real economy” (Xi, 2017).
The result is that databases of the kind stolen by Unit 61398 are now of real value to the intelligence community. As Admiral Rogers put it during a panel debate in Aspen, Colorado in October 2015:
“One of the lessons from OPM for me is we need to recognize that increasingly data has a value all its own and there were people who were actively out there interested now in acquiring data, in volumes, in numbers that we didn’t see before…you combine the power of big data analytics, and the fact that today the ability to bore through huge amounts of data and find seemingly disconnected and unrelated individual data points and bring coherent meaning and insight, something that wasn’t there in the past…” (Rogers, 2015)
While the precise big data techniques used by intelligence agencies to mine stolen databases are unsurprisingly classified, the implications of some of those techniques have been hinted at. Robert Knake, the director of cybersecurity policy in the Obama White House, is reported to have said that as a result of the OPM hack, “a whole bunch of CIA case officers [could be] spending the rest of their careers riding desks”, as a result of their covers being compromised (Sanger, 2015). To similar effect, Admiral Rogers observed, “From an intelligence perspective, it gives you great insight to potentially use for counter-intelligence purposes…If I’m interested in trying to identify US persons who may be in my country – and I’m trying to figure out why they are there: Are they just tourists? Are they there for some alternative purpose? There are interesting insights from the data you take from OPM”.
By comparing stolen databases, both against each other and against publicly available and other confidential sources, China has the capability not only to identify potential spies in its own country or targets for recruitment abroad, but may even be able to identify a person of interest’s family and foreign contacts; as one China cyber expert put it, “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese” (Nakashima, 2015). The data available from stolen databases may also provide a treasure trove of information from which intelligence agencies can put together highly targeted phishing attacks, which may in turn enable them to compromise other networks or databases (Rogers, 2015).
The use of big data by China for intelligence gathering purposes remains an ongoing concern. President Trump’s demand that TikTok find a US owner or face sanctions on national security grounds, over concerns that the app collects data on US citizens which is ultimately available to the Chinese government, is but the latest episode in what will inevitably be a continuing conflict over proprietary databases containing valuable personal information. The classified nature of intelligence agency operations means that the commercial sector will not immediately, if ever, benefit from the techniques now being used by intelligence agencies to mine and analyse the data sets they have obtained. Even so, the knowledge that databases are a valuable target for foreign militaries and intelligence agencies should serve as a yet further spur to action by the commercial sector to appropriately secure and protect its networks and data, as well as providing possible hints at future directions of research for those of us interested in big data applications.
References
Barr, W. (2020). Attorney General William P. Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax. Available at: https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military. [Accessed 4 Oct. 2020].
Chen, M. S. (2019). ‘China’s Data Collection on US Citizens: Implications, Risks, and Solutions’. Journal of Science Policy & Governance, 15(1), 3.
Li, Z. (2014). What we know about the Chinese army’s alleged cyber spying unit. CNN. Available at: https://edition.cnn.com/2014/05/20/world/asia/china-unit-61398/index.html [Accessed 4 Oct. 2020].
Nakashima, E. (2015). With a series of major hacks, China builds a database on Americans. The Washington Post. Available at: https://www.washingtonpost.com/world/national-security/in-a-series-of-hacks-china-appears-to-building-a-database-on-americans/2015/06/05/d2af51fa-0ba3-11e5-95fd-d580f1c5d44e_story.html [Accessed 4 Oct. 2020].
Rogers, M. (2015). Beyond the build: leveraging the cyber mission force. Aspen: The Aspen Institute, pp. 12-13. Available at: https://silo.tips/download/the-aspen-institute-beyond-the-build-leveraging-the-cyber-mission-force-aspen-co [Accessed 4 Oct. 2020].
Sanger, D. E. (2018). The Perfect Weapon, 1st ed. London: Crown, pp. 113-114.
Xi, J. (2017). Full Text of Xi Jinping’s Report at the 19th CPC National Congress. Xinhua, 3 November 2017. Available at: http://www.xinhuanet.com/english/special/2017-11/03/c_136725942.htm [Accessed 4 Oct. 2020].