Fugitive Military Hackers Traced to Government Office in Shanghai

Operatives with hacker unit help the Chinese regime spy on its own people
July 31, 2015 Updated: August 2, 2015

Hackers with the Chinese military who are frequently tied to cyberattacks against the United States have been traced to a government office in Shanghai. The findings from the Project 2049 Institute think tank also show evidence that the hackers help the Chinese Communist Party (CCP) spy on its own people.

The findings are presented in a new report from Mark Stokes, executive director of the Project 2049 Institute. It provides an overview of how the military hackers in China operate, what their capabilities are, and which organizations they’re tied to.

In May 2014, the U.S. Department of Justice indicted five Chinese military hackers who serve in Unit 61398, also known as the Second Bureau. The unit is just one of at least 11 similar hacker units under the Third Department of the Chinese military’s warfighting office, the General Staff Department (GSD).

According to Stokes, the hacker unit is more than just a roomful of soldiers behind computers. Their bases and facilities can be found in all parts of China, and their work stretches far beyond the cyberattacks we’ve seen on the U.S. government and U.S. businesses.

One of its sub-units, he notes, shares its address with a Shanghai City government office.

While its leaders report to the GSD headquarters in Beijing, Stokes says, the hacker unit “appears to have horizontal relationships with the Shanghai City government and other intelligence units in the Yangzi River Delta area.”

Most significantly, the director of Unit 61398 is simultaneously the director of one of the Shanghai City government offices. Stokes says these relations between the hacker unit and the Shanghai City government become even more significant when similar relations of other Chinese military offices under the GSD are factored in.

Both the General Political Department Liaison Department and the Intelligence Department have similar ties in their Shanghai bureaus. Both offices are likewise under the GSD of the People’s Liberation Army.

While this structure is still vague, he says, “a better understanding of civil-military lines of authority could help inform U.S. policy responses to cyberespionage and counter-intelligence operations.”

Spying on Chinese Citizens

The hacker unit has spy systems throughout China, many of which are likely being used for domestic spy operations aimed at the Chinese people.

Two officers under Unit 61398 have ties to a radio monitoring station under the Shanghai Radio Administration Bureau. Stokes says the radio monitoring station “appears to have an internal security mission.”

Epoch Times previously reported that an office under the GSD is playing a leading role in the CCP’s new domestic spy program, its “Social Credit System.”

A source familiar with the system told Epoch Times that the system gathers information on all Chinese citizens from nearly all offices of the Chinese secret and regular police, spy organizations, and other databases. It then gathers this data into one consolidated system, which can then be used to deepen the CCP’s ability to track and monitor its citizens.

This same system, the source said, is being used by the CCP to create a similar database on Americans. Information stolen by Chinese hacker units, such as Unit 61398, is being fed into this database that allegedly includes information on U.S. federal employees stolen from the Office of Personnel Management.

Among the spy facilities controlled by Unit 61398 may be three circularly disposed antenna array systems, located in North, South, and Southwest China. These systems may give the cyberspies geolocation technology and the ability to intercept high-frequency transmission in China.

Systems that use the high-frequency spectrum include military and government communication systems, shortwave broadcasts, and ground control systems for airlines.

Similar spying sites under control of Unit 61398 are located in Suihua in Northeast China, Kunming in Southwest China, and Guangzhou in South China.

These sites could be used to monitor, interfere with, or block signals that are “unfavorable to the CCP’s goals,” according to Stokes.

It’s possible that Unit 61398 is using some of these sites to target high-frequency networks used by the U.S. Air Force. The same sites could also give it access to maritime safety networks and to the international air traffic control networks managed by the International Civil Aviation Organization.

The hacker unit also “played a role” in establishing the National Information Security Technology Center, according to Stokes. While it’s unclear what the center’s roles are, it is managed by the GSD Third Department—which runs the CCP’s hacker and signals intelligence operations—on behalf of the State Council’s Ministry of Science and Technology, National Crypto Management Center, State Security Bureau, Ministry of Public Security, and Ministry of State Security.

Spying on Neighbors

The presence of Unit 61398 at the Shanghai City government office is significant, Stokes says, since it is near several critical systems including a submarine cable landing station in Pudong.

The unit is also able to access data from China Telecom’s Internet monitoring center, which is also in Pudong. Stokes says the center “functions as a gateway for submarine cable landing stations in Nanhui and Chongming.”

The unit also oversees a work station near a “major submarine cable landing station” on Chongming Island, he says, and likely has a unit near the Nanhui cable landing station as well.

These landing stations are chokepoints for Internet traffic and phone calls carried over fiber optic cables, and are highly valuable for spying. Operatives under Unit 61398 could use these stations to spy on information entering and leaving China.

“As gatekeepers, Second Bureau officers may have some cognizance of large volumes of data exfiltrated by other cyberespionage groups operating from throughout China,” Stokes says.

Other spy organizations under the CCP’s People’s Liberation Army “may have access to similar landing stations located in Qingdao, Shantou, Hong Kong, and more recently in Fuzhou,” he says, noting that the GSD’s Fourth Department, which works on electronics intelligence, operates in some of the same areas as Unit 61398.

The conventional human operatives working as spies under the CCP’s military may have some overlap with Unit 61398. The office that oversees the military human intelligence operations is the GSD Second Department.

Similar to the dual role the head of Unit 61398 plays by holding a position in the Shanghai City government, Stokes says, the director of the GSD Intelligence Department’s Shanghai Liaison Bureau is also the director of a Shanghai City government office.

Officers in Unit 61398 also share some platforms with the Second Department spy units, Stokes says, including the Shanghai Association of International Strategic Studies and the Shanghai Strategy Association.

Epoch Times has reported a similar overlap between the cyberspies and human spies operating under the CCP’s military. Hackers under the Third Department will at times use cyberattacks to cover the tracks of spies under the Second Department. The spies can also internally infect networks in U.S. businesses or government offices, which can then grant system access to the hacker units.

Stokes says that hackers under Unit 61398 work with other GSD offices as well. He says their “capacity to intercept email exchanges, computer files, cellphone calls, text messages of targets of interest on Taiwan, in the U.S., and elsewhere,” may give intelligence used for political warfare by the General Political Department, also under the GSD of the Chinese military.

Intelligence stolen from the United States, Taiwan, and elsewhere, could be used by the CCP’s political warfare operatives to target individuals for spy operations.

“The bureau allegedly maintains a database on military officers from Taiwan, and presumably other foreign military personnel with a rank of colonel and above,” Stokes says.

Profiles on foreigners are updated on a semi-monthly basis, he says, and “include basic data such as date and place of birth, education, personal habits, family, and current location.”

The operations could help explain why the CCP’s military hackers are stealing personal data on Americans from targets including the Office of Personnel Management, and Anthem BlueCross and BlueShield.

According to Stokes, groups operating in China “are believed to be waging a coordinated cyberespionage campaign targeting U.S. government, industrial, and think tank computer networks.”

While Unit 61398 plays a significant role in these operations, Stokes says, it is just one of close to a dozen similar groups “identified and linked with the PLA, and others connected with universities and information security enterprises.”

Meanwhile, Unit 61398 “plays an important role in the creation of a ‘global electronic fishbowl’” for the CCP, he says, yet a survey of its structure and capabilities suggests its responsibilities go “well beyond cyberespionage.”

Follow Joshua on Twitter: @JoshJPhilipp