Threat Inteliigence / OSINT / NETSEC / NATSEC

China's intelligence operations under the scrutiny of the Justice Department

The name of the blog obliges, therefore, this time we deal with the latest events in the field of catching intelligence officers and combating the operations they conduct. The opportunity for this was provided by the US Department of Justice, publishing indictments against a total of thirteen people accused of espionage, and Mandiant who published a report detailing the detected Chinese outflow operations. In this post, we will focus on the first of these events.

I have already written about the indictment relating to cyber operationsthis time, however, we will look less at the cyber and more on the classic side of intelligence activities. This is valuable knowledge because while we can regularly read reports of private companies on cyber operations, the detection of HUMINT remains the domain of the state law enforcement and counterintelligence apparatus. So let's look at the operation that the American prosecutor's office managed to detect and describe.

The Justice Department released indictments in three cases. The first concerned seven Chinese nationals who were engaged in the forced repatriation operation known as "Fox Hunt". In the second, two Chinese intelligence officers attempted to obtain confidential information regarding criminal proceedings against an international telecommunications company (yes, probably Huawei). Finally, the third issue is that of attempts to recruit people in the United States as agents of China's intelligence.

According to the document on the first case, the accused carried out "unilateral and not agreed with the local authorities operations in the field of combating crime," but this description seems to be a strong euphemism in the context of the nature of Operation Fox Hunt. It is true that the Chinese government issued a red note within Interpol asking member states to arrest the indicated person, but the methods of operation described in the document did not resemble standard police procedures. The accused forced the family members of the person they were trying to bring to China to travel to the States and hand over threats from the Chinese government to persuade the person to return. And that was only the beginning of a long campaign of persecution involving, among others breaking into property to control correspondence and leaving messages, pressure on the family and bringing unfounded actions to expose defense costs. Finally, Chinese government officials explicitly admitted that the persecution would not stop until the person returned to China, and there were still many ways to make life difficult. In addition, the defendants were involved in money laundering - they tried to avoid the supervision of financial institutions by making money transfers from China in tranches of less than fifty thousand dollars and indicating associates as the recipient of the transfers.

While the next case was much less dramatic, it was from the point of view of counterintelligence and the scope of Chinese services the next one is no less interesting. This is because it concerns two people who tried to influence the criminal proceedings conducted by the prosecutor's office of the Eastern District of New York against the "global telecommunications company based in the People's Republic of China". The company name is not indicated in the document however, according to CNN sources, it is about Huawei. According to the special agent of the FBI, who prepared the indictment, both of the accused are officials of Chinese intelligence, however, it is not certain whether it is the Ministry of State Security. However, photos of interested people were posted:

The operation they wanted to carry out was doomed to failure from the very beginning, because they recruited an American official who had no intention of helping, but under the supervision of the FBI, he began to "cooperate" with the accused. As a result, however, the US prosecutor's office has gained a very detailed picture of the perpetrators' methods of action. The purpose of the operation was primarily to obtain information on the prosecution's procedural strategy, including lists of witnesses and evidence collected by the prosecution. It is worth noting how the accused tried to rationalize actions and justify actions. They were convincing their "associate" that the successful conclusion of the process was not so much in the interest of the corporation itself as in the cultivation of the US-China relationship. Reading the indictment brings three interesting observations regarding the operational safety of the action. First, there is a preference for officers to transfer payments in Bitcoin. As you can see, the possibility of bypassing the banking system with cryptocurrencies remains attractive when conducting illegal operations. It should be noted that the more classic methods of transferring funds, such as Western Union transfers and jewelry, were also used. Second, the use of an encrypted messenger. This is because the Department of Justice mentions that the "associate" sent documents using an encrypted communication application. This situation illustrates well that ultimately technology cannot provide security if one of the participants in the communication is not on our side. A secure communicator can even give a deceptive feeling of confidence, a overly theatrical approach to security it even attracts the attention of investigators. Finally, third, the role of the information transmission chain. The description of the events shows that the company under investigation wanted to contact the person with access to the data directly to clarify exactly what materials they needed, but the request was denied for security reasons. Moreover, even the operating officers claimed that they had no contact with the company in question, but merely provided guidance from their superiors.

The third indictment instead, it speaks directly about the activities of the officers of the Ministry of State Security in the United States. Four of the defendants were involved in a long-term campaign to recruit scientists, former law enforcement and national security officials. The goal was to collect political, economic, military, scientific and technical information that could help China strengthen its position. To disguise their actions, they pretended to be researchers associated with the alleged Institute for International Studies at Ocean University of China. It is worth noting that the formal accusation of the responsible officers ended the very long operation. According to the document, the establishment and operation of the agency in the United States began around 1997.

In the context of the organization of MSS, the indictment also provides many interesting observations. Emphasis is placed on the decentralization of the executive structures with regional offices given instructions to conduct operations. I wrote more about offices in the post about the organization of MSS, and while we focused on cyber activities there, most offices have individual intelligence functions under their responsibility. Later you can read about the precautions taken by the MSS and attempts to avoid traveling to the States to avoid the risk of arrest. Officers use the services of intermediaries such as entrepreneurs traveling for business purposes and academics, as well as electronic means of communication. In one of the conversations between the accused and the accomplice, it was also stated that retired Chinese intelligence officers were not allowed to leave the country for a period of seven years. The length of the period is allegedly due to the fact that, after such a time, most of the secret information is no longer up to date.

The three operations depicted show the three different functions that intelligence operations can perform. The first is an element of political repression, the second was to help a company of strategic importance to the Chinese government, and the third is an example of a classic intelligence operation aimed at recruiting personal sources of information. In the context of the comparison with cyber operations, it should be noted that while the goals of the second and third could be, at least partially, achieved by network operations, it is difficult to imagine it in the case of the first. Threats, taking advantage of the victim's family or bringing legal actions already require direct interest in the wrong place. However, when it comes to the use of technical means to support personnel operations, the mentioned use of instant messaging is only another example of an efficient combination of both areas. Recent article published in Bloomeberg describing the theft of industrial property, GE mentions how in 2014 officers persuaded the victim to connect the flash drive to the system in the corporate environment, which was to enable the cyber phase of the operation. Which is an example of a much more advanced combination of fields than just the use of encrypted communication or Bitcoins.

The analysis of classic intelligence operations should be a constant part of every CTI analyst's day. As I mentioned, not all goals set for intelligence agencies can be pursued by cyber activities. Therefore, only a comprehensive look at the operations of various intelligence disciplines can bring us closer to understanding the goals and strategies of a particular state. In the case of China, it is important because the scale of cyber activities and their analysis by private entities may create the impression that HUMINT has, in a way, relegated to the background. Of course it is not so, and when it comes to trends, the problem is only getting more and more serious.

Leave a Reply

Your email address will not be published. Required fields are marked *