‘Hey there, do you sell the ‘Poisonivy Program’? How much do you sell it for? i wish to buy one which can not be detect and killed by the Anti-Virus software.”
The email was sent to a Chinese cyber security company from a military officer in a special part of China’s People’s Liberation Army intelligence service, formally known as the Third Department of the General Staff Department.
American intelligence officials know the spy service simply as 3PLA, and it has been one of Communist China’s most successful tools for stealing American military technology through cyber means. A second Chinese military intelligence-gathering arm is called the Second Department of the General Staff Department, or 2PLA. The Fourth Department, or 4PLA, conducts both electronic spying and electronic warfare.
Together the PLA intelligence units have placed China at the forefront of the most significant foreign intelligence threat to American security. All three cooperate closely in stealing a broad array of secrets from the United States. If the information is in digital form, the Chinese steal it.
PoisonIvy is well known in international hacker circles as the favored software of the PLA. It is a remote access tool (RAT) and, while not the most advanced software on the international hacker black market, would turn out to be an extraordinarily effective cyber intelligence-gathering weapon for 3PLA.
The reason PoisonIvy is so widely used is simple: All computers and networks using Microsoft Windows operating systems are easy prey. Once inside, the malware allows remote key logging, screen capturing, video capturing, massive transfers of files, password theft, system administration access, internet and data traffic relaying and more.
The email from the 3PLA officer seeking PoisonIvy cyber-spying software had been intercepted by the National Security Agency and would eventually lead to the arrest and conviction of a major Chinese cyber espionage actor named Su Bin, aka Stephen Su. The case of Su Bin would reveal for the first time the Chinese military’s relentless drive to steal American weapons know-how from defense contractors such as Boeing to build up its forces for the ultimate defeat of “American imperialism” — the term used by China in many of its internal communications to describe the Communist Party of China’s main enemy, the United States.
Military intelligence organizations are strategic players in the Chinese goal of achieving information dominance — the first step in laying waste to the main enemy in both peacetime and war and paving the way forward to achieving global supremacy.
Until 2016 and the advent of the Trump presidency, details about Chinese cyberattacks and the organizations behind them were tightly held secrets. Successive U.S. administrations since the 1990s sought to cover up and hide nefarious Chinese intelligence activities as part of rigid policies designed to appease Beijing.
It was through such feckless, defeatist policies that the United States theorized that conciliation and engagement would lead the Party rulers and their military henchmen away from communism and toward democracy and free markets. Instead, a hated Communist Party regime was not only perpetuated but strengthened at the expense of America’s most precious intellectual resources.
In spring 2018, the Trump administration took an unprecedented step and, for the first time, exposed the activities of one of China’s most important spymasters, PLA Major General Liu Xiaobei. Gen. Liu for many years headed 3PLA.
In late 2015, 3PLA was subsumed into a service-level military organization known as the Strategic Support Force and became the main component of a new unit called the Cyber Corps. The Cyber Corps is one of the PLA’s most secret units and is staffed by as many as 100,000 hackers, language specialists and analysts at its headquarters in the Haidian District of Beijing. Branch units are located in Shanghai, Qingdao, Sanya, Chengdu and Guangzhou.
Beginning in the 1990s, the Chinese used large-scale cyberattacks in support of a larger industrial policy of building up the country’s science and technology business and military sector. 3PLA is China’s most aggressive technology collector by far, with at least 19 confirmed and nine possible cyber units under its command. The CIA identified Gen. Liu in a 2014 report as an encryption specialist and director of the Technical Reconnaissance Bureau, another term for 3PLA.
The general appeared in a 2013 PLA propaganda video called “Silent Contest,” which described the United States as the main target of Chinese cyberattacks, based on the country being the birthplace of the internet and having the ability to control its core resources.
A U.S. Trade Representative (USTR) report on Chinese technology theft provided some of the first clear evidence of the massive damage caused by cyber-economic spying attacks. Chinese unfair trade practices and Beijing’s intellectual property theft, according to the report, cost Americans a staggering $225 billion to $600 billion annually in lost information.
The Su Bin case
The case of Su Bin provides one of the clearest examples of how that theft occurs. Mr. Su was the owner of a company based in China and Canada called Beijing Lode Technology Company Ltd., an aviation and space technology supply firm with clients in China and around the world, including the United States.
The email dated July 23, 2008, from the PLA officer marked the beginning of a series of events that ultimately led the U.S. government to expose part of China’s hugely successful campaign of cyber theft operations — the most massive transfer of American wealth through cyberattacks in U.S. history.
That technology theft ranged from extremely valuable government information to the pillaging of proprietary electronic data on some of the most strategic weapons systems — all obtained covertly from the small group of American defense contractors, including Boeing and Lockheed, who built and maintained cutting-edge aircraft, warships and other military hardware that made the United States the most powerful nation on earth. China significantly undermined the United States’ standing as the world’s premier military power by funneling this stolen military intelligence into the PLA for use in its massive arms modernization program.
On October 24, 2009, a day after receiving a contract, Mr. Su returned the signed document in an email to the 3PLA officer. Over the next five months Mr. Su and the two PLA officers directed a team of hackers operating in China, who began targeting specific employees with access to computer networks at the Boeing C-17 assembly plant in Long Beach, California.
The Chinese used emails with fraudulent email sender addresses that were carefully crafted to masquerade as someone known to the recipient. The objective was to have the person click on an innocuous computer link that would automatically download malicious Chinese hacking software. The practice is called “spear phishing,” or just phishing, and is a tactic mastered by the Chinese.
Sometime between December 2009 and January 2010, the Chinese hacking operation hit pay dirt. Mr. Su was able to gather details of several Boeing executives, and within a few months the hackers had stolen 85,000 files on the C-17 aircraft from Boeing.
An intercepted email to higher-ups in the PLA outlined the operations in detail. It outlined the successful exfiltration of C-17 secrets between two other PLA officers and one other member of the hacking team — probably a civilian hacker working as a contractor. The report expressed the elation the hackers experienced from stealing the crown jewels of a development project that had cost American taxpayers around $40 billion to develop from the 1980s to the 1990s. Ultimately, 280 C-17 aircraft were built at an average cost of $202 million apiece.
For the Chinese, the operation to steal the vital secrets was an intelligence coup of extraordinary magnitude. Not only did Chinese aircraft manufacturers save billions of dollars in development costs, but those companies quickly incorporated the secrets in a new PLA transport, Y-20, that cost a mere 2.7 million RMB, or $393,201.98 for the entire cyber-spying operation.
The PLA summary of the operation read in part:
“… Thorough planning, meticulous preparations, seizing opportunity, [we] initiated all human and material preparations for the reconnaissance in the beginning of 2009. After a few months’ hard work and untiring efforts, through internal coordination [we] for the first time broke through the internal network of the Boeing Company in January of 2010. Currently, we have discovered in its internal network 18 domains and about 10,000 machines.
“From breaking into its internal network to obtaining intelligence, we repeatedly skipped around in its internal network to make it harder to detect reconnaissance, and we also skipped around at suitable times in countries outside the U.S. In the process of skipping, we were supported by a prodigious quantity of tools, routes, and servers, which also ensured the smooth landing of intelligence data.
“… We made appropriate investment and reaped enormous achievement. Through our reconnaissance on the C-17 strategic transport aircraft, we obtained files amounting to 65G [gigabytes]. Of these, there were 630,000 files and 85,000 file folders, containing the scans of C-17 strategic transport aircraft drawings, revisions, and group signatures, etc. The drawings include the aircraft front, middle, and back; wings; horizontal stabilizer; rudder; and engine pylon. The contents include assembly drawings, parts and spare parts. Some of the drawings contain measurement and allowance, as well as details of different pipelines, electric cable wiring, and equipment installation.
“Additionally, there were flight tests documents. This set of documents contains detailed contents, and the file system is clear and detailed, considered top-flight drawings by experts! This project took one year and 2.7 million RMB to execute, showing cost effectiveness and enormous achievement. This reconnaissance job, because of the sufficient preparations, meticulous planning, has accrued rich experience for our work in future. We are confident and able … to complete new mission.”
The PLA report was made public in court documents from the Su Bin case after his arrest — five years after the PLA stole Boeing’s secrets.
Less than a decade after the Boeing C-17 data heist, the Chinese were busy showing off their version of the aircraft, the Xian Y-20 heavy transport, a jet that not surprisingly looked almost identical to the C-17 when it was showcased in November 2018 at the Zhuhai International Air Show. Chinese propaganda outlets bragged that the Y-20 “made China the third country after Russia and the US to design and develop its own heavy military transport aircraft.” The first prototypes were built in 2013 — three years after the Boeing hack.
Michelle Van Cleave, a former high-ranking US counterintelligence official within the Office of the Director of National Intelligence, said the Su prosecution was a success. But the case did little to stem the torrent of secrets flowing out of American computer networks and represented but “a drop in a bucket that keeps getting bigger every year.”
“The Chinese have a sophisticated network of tens of thousands of human spies and computer hackers targeting American military and technological secrets,” Ms. Van Cleave said. “What they can’t acquire legally through trade, or creatively through mergers and acquisitions, they are prepared to steal. And it’s getting harder all the time to stop them.”