In 2015, media reports attributing data breaches to China exceeded by a wide margin those of any other state-sponsor of cyberattacks in consistency, volume and severity. From Anthem, to Premera, to the Office of Personnel Management, Chinese hackers are widely suspected of having compromised the sensitive data of well over 100 million people in the United States alone. Cyberattacks of varying scale and sophistication were launched against targets spanning nearly every industry.
Though this year’s seemingly relentless bombardment against American computer systems may seem to be just another in a decade-long campaign, events both within and outside China suggest this year may have been the start of something new. To date, Chinese cyberespionage against Western targets has largely been motivated by the pursuit of economic advantage. Events throughout 2015 suggest that a pivot toward more security-focused interests is underway. The Chinese government, it seems, has begun to repurpose a formerly loose collection of state-controlled hacking units into a more centrally controlled tool for traditional state espionage and politically-motivated cyberattacks.
Throughout 2015 Chinese authorities took a number of steps to professionalize their cyber warfare forces. This process began with a series of frank admissions by the Chinese of not only their cyber capabilities, but also their future plans for their cyber forces. For one thing, following a decade of blanket denials, the People’s Liberation Army (PLA) have now explicitly confirmed the existence of both civilian and military network warfare units within the Chinese government. In May this year, China’s Ministry of National Defense expressed its desire to reorganize its forces to win “informationized local wars” in its first published white paper on military strategy.
Toward the end of the year Chinese President Xi Jinping seemed to engage in a flurry of diplomacy and deal making aimed at further telegraphing China’s non-hostile intentions for its cyber forces.
In a September interview, Xi officially acknowledged a distinction between economic espionage and traditional clandestine intelligence gathering, seemingly ruling out all future state support for the former (though simultaneously denying that China had ever engaged in such practices). Subsequently, Xi concluded an accord with U.S. President Barack Obama on cybersecurity. This followed a similar deal struck with Russia, and also resembled cyber accords later announced with the United Kingdom and Germany.
Thereafter, shortly prior to a meeting of China’s senior leadership in October, PLA officials announced their intentions to centralize China’s dispersed cyber warfare units under the direct command of the Central Military Commission. The move was described by experts as an attempt by China to rein in the activities of its more independent cyber spies, while furthering the goal of the PLA to prepare for future “informatized” warfare.
These moves to develop a more focused cyber warfare force paralleled a campaign to solidify and enforce the idea of “Internet sovereignty.” First brought to the global stage in November 2014 during the inaugural World Internet Conference, the concept of Internet sovereignty has been vigorously pushed by Chinese diplomats on numerous occasions throughout 2015. In January, acting through the Shanghai Cooperation Organization, China formally submitted a proposal to the United Nations for an International Code of Conduct on Information Security. The proposal reaffirmed the rights of states to exercise control over Internet content and infrastructure within their borders in the interests of their national security. At a July meeting of the World Summit of the Information Society, China’s UN ambassador again advocated a strong role for states in Internet governance stressing that they should not be marginalized by independent enterprises and NGOs.
Within China itself, legislators have worked tirelessly to enshrine Internet sovereignty into law. These efforts were initially stymied by a united front of deeply concerned U.S. and European technology firms. For example, in March the National People’s Congress (NPC) temporarily tabled plans to roll out a controversial counterterrorism bill that would have required technology firms to hand over encryption keys and install security “backdoors” in their systems. However, legislators did eventually adopt a new national security law that includes broad provisions allowing the government to make Internet infrastructure and content “secure and controllable.”
Together, strengthened cyber forces alongside expanded police powers has fueled a crackdown on both internal and external dissent. As part of a larger campaign of reform initiated by Xi Jinping, Chinese censors and law enforcement have tightened their grip over domestic Internet actors. A number of Chinese Internet companies have been publicly censured and fined and more than 15,000 people have been arrested for allowing “illegal and harmful information” to spread on the Web. The state has also begun to rigorously enforce its ban on anonymity for users of blogs and instant messaging services.
This year Chinese censors also began to expand their mandate from that of merely refereeing which Web content is allowed in and on their Internet space to proactively dis-incentivizing users from seeking out or posting undesirable content. The most illustrative example of this occurred in March, when Chinese hackers used malicious code to hijack the accounts of millions of users of the popular Chinese search engine Baidu. The infected computers were unknowingly directed to launch a massive, week-long DDoS attack against the servers of Github and its partner sites GreatFire and CN-NYTimes. The attacks were the first known use of the “Great Cannon,” a weapon experts believe allows China’s censors to not just filter information entering China but to also selectively and discretely attack the sources of undesirable Web content.
Virtual private networks (VPNs), long in the cross hairs of Chinese authorities, were also prime targets for offensive cyberattacks this year. Many popular services such as VyprVPN, Astrill, and StrongVPN have reportedly been blocked outright or substantially impaired. Watering hole attacks have also been used against certain sites as has new malicious software capable of bypassing anonymity settings of VPNs and the Tor network in order to siphon the personal data of users of certain websites. A number of hacking collectives have also weaponized VPN servers marketed to local Chinese, using seemingly legitimate Web traffic to launch attacks on foreign organizations and governments.
Laying out these three broad trends against a timeline of some of this year’s highest profile breaches underscores the idea that China’s objective in launching cyberattacks has narrowed to collecting data for traditional state espionage.
For instance, the year began with reports that China had stolen up to fifty terabytes of data on the U.S. military’s next-generation stealth fighter, the F-35. Attacks on Pennsylvania State University, the University of Connecticut, and the University of Virginia followed later in the year. All three schools – each of which hosts research centers with strong ties to the U.S. Department of Defense – publicly blamed China for their breaches. Breaches at such well-known research institutions would all serve the goal of advancing Chinese military modernization.
Many of China’s cyberattacks against the private sector also exhibit a clear intelligence-driven agenda. The year started with reports of man-in-the-middle attacks against Microsoft’s Outlook email system in China, the standard email service used by U.S. government agencies. The breaches at Anthem, Premera, and the Office of Personnel Management netted data thieves a treasure trove of highly sensitive information potentially from tens of millions of current and former U.S. government employees. This data combined with the flight manifest data garnered from the breaches of United Airlines and Sabre Corp., a reservations processor for American Airlines, could very well allow Chinese intelligence services to begin assembling a vast database of profiles detailing the histories, behaviors, and movements of U.S. government employees.
Historians may look back on 2015 as an important inflection point in the development of China’s national cybersecurity strategy. In keeping with his overriding goals of centralizing power in order to execute major reforms throughout his country, Xi may be in the midst of a major overhaul of China’s approach to controlling and manipulating the flow of data inside and beyond his borders. The trends this year may suggest relief is in the offing for private companies that have been relentlessly harassed for their intellectual property by Chinese competitors. However, they also seem to foreshadow a much darker and more turbulent future for China’s geopolitical rivals, and for those private groups and activists who dare to deviate from the (Communist) party line.
Tremayne Gibson is a Senior Associate at Global Risk Advisors, a boutique information security firm specializing in cutting-edge network defense, threat mitigation, and incident response services. He is a graduate of John Hopkins SAIS and Harvard College.