One of the biggest challenges of threat intelligence is determining the intent of attackers. It is not always possible, but if we have to face such a challenge, it helps to understand the context of the attackers' activities and the organization in which they operate. In the following posts, we will therefore deal with one of the main players on the cyber scene - China - and the organizational apparatus responsible for intelligence operations and for obtaining information for decision makers. Although this country is often mentioned in the same breath as Russia or North Korea, the individual Chinese government agencies responsible for intelligence activities, including cyber operations, are definitely not as well known as, for example, the Russian GRU. This should not come as a surprise. The language and cultural barriers, as well as the difficult access to information caused by the censorship imposed by the authorities in Beijing, set the bar for analysts much higher. Therefore, starting with the PLA, I will try to present the individual organizations and their role in the cyber operations ecosystem. In a broader context, we will have three main actors on stage:
- PLA (People's Liberation Army, Zhōngguó Rénmín Jiěfàngjūn, 中国人民解放军) - the People's Liberation Army, i.e. the Chinese armed forces. Although threat intelligence teams sometimes include statements such as "the PLA is responsible for this operation" in various reports, this is of course a gigantic generalization, comparable to stating that the US Armed Forces or the Polish Army are responsible for a given action. In practice, we will talk about an individual branch, the PLA Strategic Support Force (SSF, Zhōngguó Rénmín Jiěfàngjūn Zhànlüè Zhīyuán Bùduì, 中国人民解放军战略支援部队), because that is where we find the Network Systems Department responsible for cyber activities.
- MSS (Ministry of State Security, Guójiā Ānquán Bù, 国家安全部) - the Ministry of State Security, i.e. the Chinese foreign intelligence service. It will come as no surprise that China's main intelligence agency also operates in cyberspace today. It is worth noting that the Ministry is not limited to foreign activities and also acts as a secret police - it has the power to arrest and detain people, similarly to the police authorities. We, however, will deal with the external aspects of its activity and the numerous groups active under this umbrella, including cases of industrial espionage as well as classical political intelligence. Of course, the MSS also consists of many local offices and organizational units - for example, the United States attributed APT10-related activities to the Tianjin State Security Bureau.
- MPS (Ministry of Public Security, Gōng'ānbù, 公安部) - the Ministry of Public Security, i.e. the Chinese internal intelligence body. Theoretically, it is a police agency, but its main tasks are focused on counterintelligence and ensuring political security. We will talk about the MPS in terms of its policy impact rather than individual organizations.
Speaking of the analysis of PLA cyber operations, we must first go back to 2013, when Mandiant published the report "APT1: Exposing One of China's Cyber Espionage Units". It was the first public report by a private company to describe the PLA's espionage activities against targets around the world, mainly in the United States and Western Europe. Mandiant attributed this activity to Unit 61398, operating within the Third Department of the PLA General Staff. The following graphic illustrates this rather complicated chain of subordination:
As for the number itself, it is an MUCD (Military Unit Cover Designator), used to identify a unit without revealing the scope of its activities in its name. At this point, the attentive reader will rightly ask where the Strategic Support Force mentioned earlier fits in. The reorganization of the PLA under which this component was created took place only in 2015; specifically, the SSF started operating in December 2015. The diagram below shows how the reform affected the organization of the individual components that were allocated to the new formation:
As we can see, the Third Department, within which the technical intelligence units operate, has been transferred to the jurisdiction of the SSF, and so this is where Unit 61398 now operates - assuming, of course, that the unit has remained operationally unchanged since the Mandiant report. As mentioned, we will be most interested in the Network Systems Department, sometimes also known as the cyber forces (wang jun, 网军). Despite its name, however, the scope of the Department's activities is broader than just network operations and also includes psychological operations and EW (electronic warfare). The reorganization brought about a significant centralization of resources. In the previous model, intelligence operations (CNE, computer network exploitation) were carried out by the twelve technical reconnaissance offices of the Third Department, CNA (computer network attack) was led by the Fourth Department, and defensive activities by the IT Department of the General Staff. Now both CNE and CNA fall under the wings of the SSF, concentrating offensive capabilities there. Defensive missions remained under the management of the previous organizational structures, in the newly created Information and Communications Bureau (信息通信局) of the Joint Staff Department.
The position of the SSF in the PLA structure and in relation to the said Third Department is presented in the following diagram:
The SSF is expected to play a key role in enabling the PLA to gain information dominance on the battlefield. This concept fits the Chinese understanding of the battlefield, in which achieving dominance in three domains - air, space, and information - ensures victory. In the context of direct support for the armed forces, it is assumed that the information advantage translates into gains in time and space on the battlefield. Having information about the enemy's intentions and actions can, at key moments, delay or stop his plans or limit his possibilities of power projection, ensuring that China realizes its strategic goals. In the context of the SSF's role in the PLA structure, it is also worth noting that the second main area of the formation's activities is space. Chinese doctrine here seems to connect the cyber and space domains because both rely on the electromagnetic spectrum as the medium for information transmission. This may also stem from the fact that in the most dramatic scenario, an invasion of China, the enemy's long-range precision weapons would depend on space and IT infrastructure, which means that dominance in this sphere must be an end in itself. Additional information on the role of cyber operations in Chinese military doctrine is provided by the "Science of Military Strategy", published regularly by the PLA National Defense University. In the 2020 edition we find assumptions for conflict in cyberspace, including statements going as far as saying that victory in war begins with victory in this domain. The authors emphasize the key role of communication and information systems as the center of the battlefield. Interestingly, the example of Iraq is also given, which allegedly succumbed to the US military so quickly because control of cyberspace allowed the paralysis of government and military functions, and thus the collapse of morale.
Next, we also find reflections on the interface between the cyber and space domains. As previously indicated, Chinese doctrine treats both of these areas as closely related through their use of the electromagnetic spectrum. The text also indicates the need to integrate operations so that cyber and space activities are coordinated with strategic and political goals in a conflict situation.
Since we are talking about cyber operations, whose specificity lies in the need to maintain access to the attacked environments, it is also worth paying attention to the emphasis on the integration of peacetime and wartime operations. This concept is one of the reasons for the reform in general - before the changes, the PLA feared that in the event of a conflict the armed forces would have to switch from a mode adapted to peacetime functioning to one prepared for warfare. This was because in the previous model, forming an Information Operations Group would have required extensive coordination between military departments and divisions scattered across different services, government agencies and organizational structures. The creation of the SSF simplified this process by organizing the appropriate operational group units as the default structure. In this way, cyber operations that require preparation, such as reconnaissance or the development of access vectors into hostile systems, can be carried out smoothly, and in the event of an armed conflict, troops can efficiently move on to the next phases of an attack, such as exploitation and installation.
An important element of the SSF's functioning is its involvement in the concept of military-civil fusion (MCF, 军民融合). MCF assumes strengthening cooperation between the private and public sectors in researching and implementing technologies that may benefit China's defense. It is a multidimensional undertaking consisting, among other things, of deregulating the defense sector and encouraging the development of dual-use technologies that can help build the potential of the Chinese armed forces. In the context of the SSF, MCF is primarily intended to train and recruit staff. This should not come as a surprise - the problem of cybersecurity staffing seems to be independent of longitude. The SSF has therefore established cooperation in training and education of human resources with a number of institutions, such as China Electronics Technology Group or the Chinese University of Science and Technology. Notably, the idea that it is very difficult to separate cyberspace operations in times of war and peace already appears in the Science of Military Strategy from 2013. There, too, we find support for MCF - the authors emphasize that the difference between the military and civil spheres is blurring, and that during war both sectors should "attack side by side".
So what other examples of PLA units responsible for cyber operations have been detected? One of them has already appeared once on the pages of counterintelligence.pl, when I wrote about attribution and the problems associated with it. It was the ThreatConnect report "Project CameraShy", in which analysts attributed the tracked activity to Unit 78020. This unit operated within the Kunming Technical Reconnaissance Office and dealt with intelligence operations related to the situation in the South China Sea. In the context of cyber operations, this is the activity tracked as APT "Naikon".
Another group associated with a specific unit is Putter Panda. This threat actor was described in a 2014 CrowdStrike report, which traced the group's activity to Unit 61486, again linked to the Third Department. This time it is the twelfth technical reconnaissance office, based in Shanghai. Analysts discovered traces of the group's activity as early as 2007. As for victimology, Putter Panda targeted defense, satellite and aerospace technology. As in the case of APT1, the Chinese military conducted technology acquisition operations here in the form of industrial espionage.
Since the term "technical reconnaissance office" appears repeatedly in the descriptions of these groups, I have to add a caveat here. At the moment, I have not found any information as to whether all these offices have actually been brought under the jurisdiction of the SSF. That would follow from how the SSF was formed in terms of the tasks it is to perform, but as I mentioned, only offensive operations were transferred to the new component. Strictly speaking, it is not possible to say with certainty how the offices were distributed among these components, especially given that in the previous model each military region had its own office responsible for SIGINT and cyber activities. Similarly, if we go back for a moment to the SSF's place in the PLA structure, it reports directly to the Central Military Commission, but the theater commands may have their own EW and cyber capabilities. The relationship between command and authority over individual units is therefore not entirely clear yet.
When describing the capabilities of the PLA, attention should also be paid to research institutes. The Third Department supervised the Office of Science and Intelligence Technology, which in turn supervised three institutes. Considering what we know about the 2015 reorganization, it can be assumed that they are now working for the SSF. These units are:
- 56th Research Institute / Jiangnan Institute of Computer Technology Research - the largest and oldest PLA research and development center, dealing with the creation and application of supercomputers.
- 57th Research Institute / South-West Institute of Electronics and Telecommunications Technology - conducts research in the field of signal capture and processing, as well as satellite technology, in cooperation with the Chinese Academy of Space Technology.
- 58th Research Institute / South-West Automation Research Institute - conducts research on cryptology and IT security.
Additionally, in the 2020 indictment against four PLA officers, we find information on the 54th Research Institute (Northern Institute of Electronic Equipment) as also being subordinate to the Chinese army.
The creation of the SSF shows how high a priority China gives to securing itself in terms of operations in cyberspace. The PLA has gained a component dedicated to cyber activities, similar to US Cyber Command, albeit with a slightly different scope of responsibility, which results from the doctrine closely linking cyberspace with outer space. Perhaps a more appropriate comparison would be US Strategic Command (STRATCOM), responsible for space activities, intelligence and C4ISR. Of course, searching for exact equivalents does not make much sense. Chinese doctrine has its own assumptions, especially in treating all available means of combat as potentially integrated combat forces. Domain integration is a key theme when we talk about the 2015 armed forces reform. Computer operations units have been combined into a common PLA component, which is to enable integrated operations seamlessly combining the functions necessary in peacetime and in war, and cooperation with the civilian sector within the framework of MCF is one of the pillars of the SSF idea.
And this is the organizational structure of the People's Liberation Army in terms of supporting and conducting cyber operations. I now invite you to the next post, where we will look at the activities of the infamous Ministry of State Security.