Hackers Indicted in Equifax Breach Are Part of China’s Electronic Warfare Program

February 13, 2020 Updated: February 13, 2020

The FBI published a wanted poster and an indictment on Feb. 10 of four “Chinese military-backed hackers” for their alleged roles in the 2017 cyberattack against credit company Equifax.

The Equifax breach exposed personal data of 145 million Americans, including Social Security and driver’s license numbers. The FBI described the breach as “the largest known theft of personally identifiable information ever carried out by state-sponsored actors.”

Yet, despite the rare exposé of Chinese soldiers, little has been said about the hacker unit they were allegedly part of, reported by the FBI as the 54th Research Institute.

The case that most closely resembles this is the May 19, 2014, indictment of five Chinese military hackers for multiple alleged cybercrimes committed between 2006 and 2014. They were identified as being part of Unit 61398 of the Chinese military, the People’s Liberation Army.

The “Unit” and “Research Institute” named in these cases were previously known, but not widely known.

A Different Purpose

The hackers involved in the 2014 case more clearly fit the profile of their assigned military branch. An investigative series from The Epoch Times in 2015 detailed the structure of these units and their operations. Unit 61398 was under the Third Department of the General Staff Department—the former warfighting branch of the Chinese military. Under the Third Department were 22 known operational bureaus, and at least four known “research institutes” involved in their operations.

Beneath each unit were additional branches, each with a unique purpose, which in the case of the 2014 indictment were focused on the theft of trade secrets from the United States to advance the economic warfare operations of the Chinese regime. Among the regime’s programs that direct economic theft are Project 863, China 2025, the Torch Program, and others.

A July 27, 2015, report from the Project 2049 Institute, a think tank, stated that Unit 61398, also known as “The Second Bureau,” was one of the largest operational bureaus under the Third Department. It notes that the unit was structured like a Chinese military ground-force division, and was also involved in political warfare and in collecting military intelligence.

A first glance at the recent indictment of the Chinese hackers in the Equifax case would suggest the soldiers were part of the same department—namely, under one of the “research institutes” of the General Staff Department, Third Department. Yet they weren’t, which suggests the Equifax breach may have served a different purpose than economic gain.

The 54th Research Institute was under the Fourth Department of the General Staff Department, meaning that its operations were related to electronic warfare.

Defining Roles

As a brief breakdown, the General Staff Department had three main departments focused on operations of this nature. The Second Department was the human intelligence department, which was focused on more conventional spies; the Third Department was the signals intelligence department, which was focused on cyber intelligence; and the Fourth Department was the electronics intelligence department, which was focused on electronic warfare.

However, these units were more recently merged into a different parent branch of the Chinese military, which removed them from the General Staff Department and placed them under the relatively new Strategic Support Force. A 2016 report from the U.S.–China Economic and Security Review Commission states, “This composition at a minimum would suggest the Strategic Support Force is charged with cyber, space, reconnaissance, and electronic warfare missions supporting joint integrated operations.”

The 54th Research Institute of the Fourth Department—the one named in the recent FBI indictment—was described in a 2018 report from the Institute for National Strategic Studies as “responsible for research and development of operational electronic and network countermeasures,” and was “moved over to the Strategic Support Force, likely under the Network Systems Department.”

The Third and Fourth Departments—which are again the parent departments of the respective hacker groups—are considered three of the five known Chinese military entities focused on espionage and intelligence gathering, according to a 2009 report from the U.S.–China Economic and Security Review Commission. The other two are the International Liaison Department of the PLA General Political Department, and a network of various defense industrial firms.

The 2009 report notes specifically that the Third Department (as in the 2014 FBI indictment) was focused on “Signals intelligence collection and analysis” and “Cyber intelligence collection and analysis,” whereas the Fourth Department (as in the recent case) was focused on “Electronic warfare (jamming, etc.)” and “Computer network attacks.”

It adds, however, that the Third Department and the Fourth Department “may also have a complementary relationship.” In other words, as The Epoch Times has previously reported, the units may have been working together on their operations.

When it comes to the specific roles of these departments in computer operations, such as the breaches the different units were charged with, the difference appears very fine: it lies between “network exploitation” and “network attack.”

The 2009 report says the Third Department “bears primary responsibility within the PLA for computer network exploitation.” The Fourth Department, on the other hand, “plays the leading role in computer network attack.”

It describes network exploitation as “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.”

And it explains network attack as “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”

Follow Joshua on Twitter: @JoshJPhilipp