Means, Motive, and Opportunity: China’s Government a Likely Suspect in OPM Hack

AP Photo/Andy Wong
AP Photo/Andy Wong

The big question about the massive data breach of the U.S. federal government, perpetrated in April but just revealed to the American public yesterday, is whether the Chinese government was responsible.

There was much talk on Thursday afternoon about the attack originating in China, perhaps as the work of rogue hackers not directly affiliated with the regime in Beijing — a question asked every time mischief slithers onto the Internet from China, although the more cynical brand of security expert maintains it is highly unlikely such a renegade operation could be carried out through China’s tightly controlled Internet backbone without the government’s knowledge.

“The White House said it cannot conclude at this time that China-based hackers carried out the massive cyber attack on the federal agency responsible for collecting background information on and issuing security clearances for millions of government employees,” Voice of America News reported on Friday.

“Spokesman Josh Earnest said Friday the FBI continues to investigate the security breach, noting that a lot of work must still be done to determine who was responsible,” VOA’s report continued.  “Earlier, U.S. law enforcement officials said China-based hackers, possibly with links to China’s government, were behind the attack, though they have not provided details of how they came to this conclusion.”

The White House probably does not want to know if China’s government was behind the attack, because that would put them in the uncomfortable position of either having to respond somehow, or failing to respond and looking absurdly weak. Another foreign policy crisis, this time with a nascent superpower, is the last thing the Obama Administration wants. And since every bad actor in the world knows that, we can probably expect a good deal more trouble before this presidency is over.

The Chinese took an unsurprisingly dim view of suggestions that they might be responsible for the hack. Chinese Foreign Ministry spokesman Hong Lei called such speculation “irresponsible and unscientific,” while Zhu Haiquan of the Chinese embassy pitched in: “not responsible and counterproductive.”

The Chinese are fond of claiming they cannot be the miscreants behind large-scale hacker attacks because they, themselves, are targeted by hackers, which must be one of the most absurd non-sequiturs in diplomatic history. It is certainly possible to be both hacker and hackee. Techniques devised for defense against unwarranted intrusion can be repurposed for offensive use.

Rogue hackers like to claim responsibility for big headline-grabbing stunts and use the data they have pilfered for financial gain. Personal info and credit-card data swiped in previous incidents ended up for sale on black-market websites. There is no sign of that happening with any of the data from this potentially largest breach in history.

“There is no evidence that the data collected was used for criminal purposes like faking identities to make credit card purchases,” the New York Times reports, noting that the same hackers may have struck health insurance companies as well as the OPM, and almost every other federal agency. “Instead, the attackers seem to be amassing huge databases of personal information about Americans. Some have high-level security clearances, which the Office of Personnel Management handles, but millions of others do not, and the reasons for their records being taken have puzzled investigators.”

One bit of potentially exculpatory evidence: “Based on forensics, security experts believe the attackers are not one of the hacking units of the People’s Liberation Army, which were named in a federal indictment last year that focused on the theft of intellectual property. Researchers say these hackers used different tools than those utilized by the Liberation Army’s Third Department, which oversees cyberintelligence gathering.”

However, the Times notes “that does not exclude another state-sponsored group, or the adoption of new technologies that are harder to trace.”

It apparently was not necessary for the attackers to use top-of-the-line militarized hacking software to raid the Office of Personnel Management. “It is unclear why American government agencies were vulnerable to such an extent, or why those agencies left critical data unencrypted,” writes the NYT. “A report from the Government Accountability Office last year found that government agencies have inadequately responded to cyberbreaches. The report found that 24 major federal agencies had been breached, and that in about 65 percent of cases, the agencies did not completely document their response to cyberincidents.”

CNN notes that some potential victims are wondering why the government did not notify them sooner. “I do not understand why I heard this on the news instead of via letter or email from OPM,” complained retiree Linda Eleanor Rigby Robbins.

“It is disturbing to learn that hackers could have sensitive personal information on a huge number of current and former federal employees — and, if media reports are correct, that information could be in the hands of China,” said Senator Ron Johnson (R-WI) of the Senate Homeland Security Committee. “(The office) says it ‘has undertaken an aggressive effort to update its cybersecurity posture.’ Plainly, it must do a better job, especially given the sensitive nature of the information it holds.”

It would almost be comforting to think data theft on this scale requires the full resources of a major global power, rather than being within the grasp of renegade data pirates. On the other hand, it is not terribly comforting to know the Chinese military has cyber-commando squads running massive operations against other governments on a regular basis.

Security experts have long pointed out that Chinese hackers behave like government employees in a number of ways, including their tendency to work standard business hours and take weekends off. An Associated Press article in 2013 described two wings of the People’s Liberation Army devoted to electronic espionage: the Third Department of the General Staff, “responsible for collection and analysis of electronic signals such as e-mails and phone calls,” and the Fourth Department, “responsible for electronic warfare” and consisting of “PLA units mainly responsible for infiltrating and manipulating computer networks.”

The Third Department includes the notorious PLA Unit 61398, “eadquartered in a nondescript 12-story building inside a military compound in a crowded suburb of China’s financial hub of Shanghai,” which has been linked to dozens of hacks against targets in the United States, Britain, Canada, and around the world. The capers Unit 61398 was pulling back in 2013 were similar in many ways to the OPM breach. Amusingly, the very same Chinese Foreign Ministry spokesman, Hong Lei, was quoted in the 2013 piece making the exact same denials he is issuing today.

The Third Department is a very big deal, granted extensive resources by the Chinese government and tasked with making cyber-warfare a major part of China’s military strategy for over a decade. According to U.S. intelligence sources quoted by the Associated Press, it boasts “2 operation bureaus, three research institutes, and an estimated 13,000 linguists, technicians and researchers on staff,” plus “echnical teams from China’s seven military regions spread across the country, and by the military’s vast academic resources, especially the PLA University of Information Engineering and the Academy of Military Sciences.”

In July 2014, after the U.S. Justice Department indicted five Third Department officers on charges of stealing American corporate secrets, the Wall Street Journal took a long look at “3PLA,” which the Journal said “increasingly rattles governments and corporations around the world while remaining obscure outside security circles.”

At some 3PLA units in Beijing and Shanghai, where arrays of satellite dishes often dwarf the walls surrounding them, visitors face stiff-faced guards and written warnings. Security is less tight at others, including a farm field that sprouts dozens of thin radio towers next to a base in northern Shanghai. Outside Beijing, a 3PLA base thought to primarily monitor Europe operates from a secret town tucked into a mountainside and hidden behind a dozen normal-looking residential towers—though its more than 70 structures and soccer field can be seen from nearby hills.

The Journal located more than 100 technical papers—including one on predictive models for the evolution of computer viruses—written by officers who often identify themselves with addresses of 3PLA units. Other articles detail techniques for encrypting networks, defending and attacking computer systems, automated foreign language data translation, and calculating satellite orbits.

Commercial telecommunications systems, including China’s primary internet cables to the U.S., are at 3PLA’s disposal, the experts say, as are satellites and possibly surveillance airplanes.

Two former U.S. officials familiar with intelligence assessments say 3PLA’s operational structure has parallels with those of the NSA and the Pentagon’s Cyber Command, both run out of Fort Meade, Md.

But while the NSA’s targets are dictated by annual intelligence objectives set by the White House, 3PLA units follow five-year plans from China’s Central Military Commission that leave more leeway for “bottom-up” strategies, according to one of the former officials.

Perhaps the breach of the OPM and other U.S. federal agencies, along with insurance company databases, was one of these “bottom-up” operations. Analysts have said the data raid revealed yesterday seemed designed to feed into a massive database of American citizens, perhaps to provide information useful in further cyber attacks. That sounds like the sort of thing an operation like 3PLA would do, especially if they wanted to have cyber weapons armed and ready for some impending medium or hot conflict with the United States… say, the unpleasantness currently brewing in the South China Sea.


Please let us know if you're having issues with commenting.