A new study suggests that a series of cyber attacks against Central Asian countries beginning in 2014 may be linked to the Chinese People’s Liberation Army’s Unit 69010 in Xinjiang. Experts say China’s cyber attack force, a combination of the PLA and the Ministry of State Security, has taken China from a “second-tier” cyber state to the “top cyber threat in the world” in little more than a decade, and that China could reshape traditional geopolitics by using cyber espionage as one of its main tools for competing with the United States.
What is PLA Unit 69010?
The Insikt Group, the research arm of Recorded Future, a U.S. firm specializing in cybersecurity research, recently released a report suggesting links between RedFoxtrot, a suspected Chinese state-sponsored threat activity group, and Chinese military intelligence. Insikt Group, which has long tracked the group’s activity using Recorded Future’s tools and open-source data, attributed the series of malicious activities to the People’s Liberation Army’s Unit 69010 in Urumqi, Xinjiang, on the basis of large-scale automated network traffic analysis.
According to the report, Unit 69010 is likely part of the Network Systems Department (NSD) of the PLA’s Strategic Support Force (SSF), the branch of the PLA responsible for information and cyberspace warfare.
Morgan Wright, chief security advisor at SentinelOne, an autonomous cybersecurity platform company, senior fellow at the Center for Digital Government, and former senior advisor to the U.S. State Department’s Antiterrorism Assistance Program, told Voice of America that Unit 69010 is the primary PLA unit that has been attacking critical infrastructure for the past 10 to 12 years.
Wright, who has participated in several Recorded Future webinars, praised the Insikt Group’s report as “accurate and high quality.” He said the cyberattack groups “are part of both the PLA and the intelligence community, a combination of the PLA and the Ministry of State Security.”
Wright said China is making rapid progress in cyber warfare, with an estimated 25,000 personnel involved and each group responsible for a different region of the world, and that China’s neighbors, including India, the Central Asian states and Pakistan, are the targets of Unit 69010.
Emily Harding, deputy director of the International Security Program at the Center for Strategic and International Studies, believes the Insikt Group report is important. Drawing on years of research on Russian activity in its own neighborhood, she believes Unit 69010’s attacks on China’s Asian neighbors are likely a way of testing its cyber tools before deploying them globally, and she calls on the U.S. and the world to pay attention to what is happening there.
Chinese Cyber Attacks Have Increased Significantly Over the Past 10 Years
While the Insikt Group report documents a new set of threat activities, cyberattacks by the PLA are nothing new. James Andrew Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, told Voice of America that China has been engaged in cyberattacks for 20 years. “Within the first two or three years of global high-speed Internet connectivity, we saw the first instances of Chinese spies stealing intellectual property from governments, defense departments and companies. (China) has also used it to track human rights activists, and has been doing so since they discovered they could use the Internet to spy on people.”
Lewis said Chinese cyberattacks have made significant advances in the past decade and “are a major source of espionage attacks on the United States.” He quoted an FBI source as saying, “China is spying on the United States more than they have ever seen during the Cold War.”
China’s most recent major cyberattack on the United States occurred in March of this year. A Chinese government-backed hacking group known as Hafnium exploited vulnerabilities in Microsoft Exchange Server to steal data, affecting many U.S. businesses, government agencies and schools, and as many as 250,000 users.
Last July, Reuters reported that the U.S. Department of Justice had charged two Chinese hackers over more than a decade of attacks around the world, stealing large amounts of trade secrets and data, including “spying” on the vaccine developer Moderna during the pandemic. China rejected the charges, calling the reports “pure disinformation and slander.”
The most significant impact on the United States in recent years came from the breach of the U.S. Office of Personnel Management (OPM). The operation, which began in late 2013 and was not discovered until April 2015, resulted in the theft of personnel records, including fingerprint records and Social Security numbers, of more than 20 million people.
Gregory F. Treverton, co-founder and president of the Global Technology Political Forum, was chairman of the U.S. National Intelligence Council at the time of the OPM hack. He told VOA that his own information was compromised in that attack, and that it took the intelligence community a long time to finally establish that the hackers came from China. So far, he said, China has not done anything with the data.
Harding, of the Center for Strategic and International Studies, believes the OPM case is typical of China’s tactics in cyberattacks. “China is willing to absorb a lot of data and then figure out what to do with it. The hackers in the OPM case took everything, and then they can wait for free time to exploit it again.”
Harding said China has become “the top cyber threat in the world. They have the manpower, the time and the patience to solve the problem, and their skills are growing, so China is definitely a growing threat.”
The Harvard Kennedy School’s 2020 National Cyber Power Index ranks China second only to the United States as the “most comprehensive cyber power.” And U.S. cybersecurity provider IronNet reports that China, once considered a “second-tier” cyber nation, has been actively and consistently building its national cyber program, taking advantage of the global connectivity of the Internet age and quickly growing into one of the world’s most prominent cyber players.
China’s aim: “Steal technology to compete with the U.S.”
Wright told Voice of America that China’s purpose in conducting cyberattacks differs from the malicious cyberattacks of North Korea or Russia. “North Korea is in need of money because of economic sanctions and they need money.”
“For China, they don’t need money, they do it for intellectual property, they grab technology from countries like the U.S., and according to the Office of the U.S. Trade Representative, China acquires an average of about $600 billion in technology each year and then copies and replaces it,” Wright said. “So (its purpose) has both an economic part and an intelligence part.”
“They’re not after money, they’re after information about what we’re building on the nuclear side, information about our industry, they’re also after the pharmaceutical, biomedical, university and research side – there’s almost no limit in terms of gathering intelligence information and intellectual property,” Wright said.
In the early 2000s, the Washington Times revealed that hackers from a Chinese government agency had broken into Los Alamos National Laboratory’s computer system and stolen a large amount of sensitive information containing the word “nuclear.”
Wright believes the stolen technical information has been used to develop China’s military forces. “(China’s) new stealth fighter looks a lot like ours,” Wright said.
Lewis, for his part, argued that “China is using cyber espionage as one of its primary tools to compete with the United States. It has been going on for decades, focusing on stealing trade secrets and technology, done entirely by the state or individuals acting on behalf of the state — hackers who may not wear uniforms, but take orders from the PLA.”
Lewis argues that the cyber threats from China and Russia are not the same, and that for China, “the real discussion is not whether it’s state or non-state behavior, but whether it’s the PLA or the Ministry of State Security. These are state and government actions.”
Lewis told Voice of America of his conversations with individual Chinese hackers: “They told me China is a country where surveillance is omnipresent and if you do a cyber attack, the police usually find you within a few months, come to your house, invite you ‘to tea’ and tell you ‘Either work for us or go to jail.’”
Cyber Threats Will Reshape Geopolitics; U.S. Needs to Draw Red Lines
The book “The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics,” published last year by Harvard University Press, explores the different ways in which hackers are reshaping geopolitics. The book argues that, unlike traditional nuclear deterrence, cyberattacks are not designed to change how the other side of the table plays, but to reshape the balance of power between the two sides by stacking or stealing cards. “It is a slow and insidious business of accumulating competitive advantage.”
Ben Buchanan, the book’s author, politely declined an interview with Voice of America because he is about to enter federal service. As an example of how geopolitics is being reshaped, Buchanan focuses in his book on Chinese PLA Unit 61398 because of its “prolific scope and speed of hacking operations.”
Treverton, former chairman of the U.S. National Intelligence Council, argues that geopolitics has changed drastically with the rise of cyberattacks. “Any future war will certainly be accompanied by significant cyber activity. … Even the case of the hacking of the Colonial Pipeline for money, which shut down fuel supplies to the U.S. East Coast for several days, has enormous geopolitical significance. Cyberspace is increasingly becoming the future of geopolitical controversy and competition.”
Treverton noted that many U.S. companies do not have good protection mechanisms in place, and some told him they are willing to take a 5 percent loss if they are threatened by hackers. “That may be fine for one company, but in the economy as a whole, we are underprotected. We need to strengthen the ability of relevant government agencies to respond to cyberattacks and increase the focus on supply chains, accountability, and transparency.”
Wright, for his part, believes that cyberattacks are not new, but that the government needs to update the way it defines them. “We have to have a very clear policy on what the red line is, and if you cross it, we escalate from low-intensity conflict in cyberspace to activating warfighting readiness.”
According to Wright, “If someone hijacked a couple of planes into the mountains, we would consider that an act of war, whereas if the attack was conducted through cyberspace, such as disrupting a network of critical infrastructure, affecting the infrastructure (of power, water, and food, etc.) in the coldest part of winter or the hottest part of summer, causing a threat to hundreds of lives, I would consider that an act of war.”