China’s civilian intelligence service, the Ministry of State Security, is facing new global scrutiny following a coordinated U.S. and allied “name and shame” campaign this week to expose Beijing’s massive covert cyber operations.
Secretary of State Antony Blinken said on Monday the MSS, as the spy service is called, “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
The Justice Department joined the effort, unsealing an economic espionage indictment against four Chinese hackers — three of them MSS officers — following a three-year investigation into global hacking operations.
The indictment provides new details on how MSS agents used a technology front company that prosecutors say conducted cyberattacks against the National Institutes of Health, seven U.S. universities, eight American companies, a Cambodian government ministry, two Saudi Arabian government ministries, a Malaysian high-speed rail company and a Malaysian political party.
The MSS’s Hainan unit set up the front company, Hainan Xiandun Technology Development Co. Ltd., in 2011. It recruited both cyber experts and linguists for cyber operations against the American government and private-sector companies.
The four Chinese indicted were identified as Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong. Mr. Ding, Mr. Cheng and Mr. Zhu are said to be with the MSS.
Mr. Ding was first revealed as an MSS officer by the cybersecurity blog Intrusiontruth last year, based on advertisements he had placed on two Chinese university websites. One of the advertisements appeared on the Hainan University School of Foreign Languages web page and said Hainan Xiandun was recruiting English-language majors. “Party members and student cadres are preferred,” the ad noted.
According to the indictment, the MSS hackers used an array of malware and hacking techniques, such as fraudulent emails, to gain access to foreign computers and steal information. They also used a technique called “steganography,” hiding stolen data inside image files so that its transfer over the internet would not attract attention.
In 2018, according to the indictment, the Hainan hackers moved stolen trade secrets and hydroacoustic data — useful in the development of submarines — to a GitHub account, hidden inside images of a koala bear and then-President Trump.
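The indictment does not say how the payload was embedded in the images. One simple and common variant is to append the stolen data after the image’s end marker or to tuck it into a non-standard chunk: viewers render the picture normally, but a parser that walks the file structure sees the extra bytes. The PNG inspector below is an added example written for this article, not code from the indictment or from any tool it describes; the chunk name `stEg` and the payload strings are constructed test values.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                b"hIST", b"pHYs", b"sPLT", b"tIME"}

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report the two places a hidden payload commonly sits.

    Returns {'unknown_chunks': [(type, length), ...], 'trailing_bytes': n}.
    Raises ValueError if the data is not a structurally valid PNG.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, unknown = len(PNG_SIG), []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        if ctype not in KNOWN_CHUNKS:
            unknown.append((ctype.decode("latin-1"), length))
        if ctype == b"IEND":             # everything after IEND is ignored by viewers
            return {"unknown_chunks": unknown, "trailing_bytes": len(data) - end}
        pos = end

# Constructed 1x1 grayscale PNG used as test input (not a real sample).
CLEAN_PNG = (PNG_SIG
             + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + png_chunk(b"IEND", b""))
# Same image with a payload appended after IEND; it renders identically.
APPENDED_PNG = CLEAN_PNG + b"constructed payload bytes"
# Same image with the payload placed in a private ancillary chunk before IEND.
PRIVATE_CHUNK_PNG = CLEAN_PNG[:-12] + png_chunk(b"stEg", b"payload") + png_chunk(b"IEND", b"")

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("private", PRIVATE_CHUNK_PNG)]:
        print(name, inspect_png(img))
```

A check like this on outbound image uploads flags only the crude append-or-extra-chunk variants; payloads spread across pixel values pass it and need statistical analysis instead.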
A senior Biden administration official this week also charged that MSS is employing contract nongovernmental Chinese hackers to pull off ransomware attacks for financial gain.
Expansion of cyber intelligence operations beyond data collection is a new wrinkle in the MSS playbook, one that the administration said included conducting a major global cyberattack program using a security flaw in the Microsoft Exchange Server software.
The Microsoft Exchange Server cyberattack was launched in January and targeted more than 300,000 computers, compromising some 30,000 networks for several months until the attack was uncovered and the software security hole patched.
The information gathered by the MSS feeds a major database of files on tens of millions of people that Beijing will use to assist its military and economic development. The MSS is China’s political police and spy service, and operates under the tight control of the ruling Communist Party.
“Over the last two decades there has been an extraordinary growth in China’s Ministry of State Security capabilities and numbers of operations,” said Nicolas Eftimiades, a former Defense Intelligence Agency counterintelligence specialist on China. “That growth includes thousands of human intelligence operations, as well as extensive cyber collection.”
The KGB model
The MSS central headquarters is in Beijing, with a network of provincial state security departments and city and county state security bureaus.
The operations of the four Chinese hackers disclosed in this week’s indictment were under the Hainan provincial state security section, located on Hainan Island in the South China Sea. Another major provincial unit is the Shanghai state security bureau, whose extensive operations in the U.S. have been disclosed in other recent Justice Department prosecutions.
The MSS was modeled after the Soviet KGB spy service, which, like the MSS, was dedicated to preserving the rule of the Communist Party. The ministry emerged in 1983 from the Chinese Ministry of Investigation and elements of the Ministry of Public Security, another Chinese secret police agency.
According to its charter, the primary mission of the MSS is maintaining the “security of the state through effective measures against enemy agents, spies and counterrevolutionary activities designed to sabotage or overthrow China’s socialist system.” Beginning around 2001, the MSS launched an “internet army” that relied on contractors engaged in economic espionage and other cybercrime.
The MSS engages in both non-military human spying and cyber espionage; its main targets are U.S. intelligence agencies, the U.S. military, defense contractors and advanced technology companies.
The indictment of the MSS hackers is largely symbolic because the likelihood of a future prosecution in a U.S. court is limited. The hackers are believed to be in China and out of reach of U.S. law enforcement. Still, as in the past, the indictment and earlier prosecution actions have been used to declassify and shine a light on MSS activities.
The operations of the Chinese spies are outmatching American security defenses, experts say.
“U.S. counterintelligence services, especially the Department of Defense, are incapable of contending with this level and type of espionage lacking cohesive management, language skills, cultural awareness, training, and funding,” Mr. Eftimiades said.
Peter Mattis, a former U.S. intelligence official who has written on Chinese espionage, said Chinese intelligence is aggressive in pursuing secrets but was damaged for decades by the political purges that took place during the tumult of the Cultural Revolution in the 1970s.
“To date, China’s clandestine tradecraft probably does not rate among the world’s most sophisticated at least with any consistency across a large number of intelligence officers,” Mr. Mattis said.
“The Cultural Revolution and previous political movements purged (or killed) many of the Chinese case officers with professional knowledge, experience and training in assessing, developing, recruiting, and handling clandestine sources, especially foreigners,” he said.
The MSS, and its military companion service the Joint Staff Department Intelligence Bureau, have both become proficient at cyber operations and both have scored major successes.
Among the Chinese military’s most successful cyber operations was the theft of warplane secrets from Boeing and other companies in the early 2000s.
The MSS’s major success was the hack of the Office of Personnel Management in 2015 that gathered more than 2.1 million highly sensitive records on federal employees, including those in the military, law enforcement and intelligence agencies.
Former U.S. counterintelligence official John Costello said in testimony before a congressional China commission that Beijing’s intelligence operations are increasing in both numbers and capability. Mr. Costello said the MSS is believed to have been behind the OPM hack, which stole records that included fingerprints, personnel records and background investigations for security clearances.
“We should expect to see continuing Chinese efforts to breach U.S. government and military systems, building upon their database of federal workers and military personnel,” he said.
Cyber operations by the Chinese spy services have become centrally coordinated in recent years. As a result, the U.S. likely faces a substantial decrease in the number of cyber intrusions but an increase in the sophistication of the cyberattacks.
“This is the so-called ‘Russian’ model of cyber espionage,” Mr. Costello said, noting the growing professionalism of the Chinese hacker spies and better coordination for their operations.
Chinese spies are also likely to operate more cautiously than in the past in order to maintain better access to sources and their information.
“Likely passed are the days of smash-and-grab tactics many defense firms and U.S. agencies are used to,” Mr. Costello said. “Long-term capabilities will be the primary cyber imperative rather than the short-term intelligence gains inherent in economically motivated cyber campaigns.”