The email attachment would tempt anyone following the diplomatic standoff between China and other countries in the South China Sea. The Microsoft Word document contained text and photos depicting Thai naval personnel capturing Vietnamese fishermen and forcing them to kneel at gunpoint.
But the attachment was a decoy: Anyone who opened it inadvertently downloaded software that searched their computers for sensitive information and sent it to an obscure corner of the Internet. Manning that corner, according to a new report from U.S. security researchers, was Ge Xing, a member of a Chinese military reconnaissance unit.
The growing reach of China’s army of cyberwarriors has become a flash point in relations between Beijing and Washington that President Barack Obama said will be a focus during Chinese President Xi Jinping’s state visit to the U.S. this week.
Cyberspace is the newest domain in warfare, and China’s relentless testing of its boundaries has flustered the U.S. The story of the Chinese military staffer’s alleged involvement in hacking provides a detailed look into Beijing’s sprawling state-controlled cyberespionage machinery.
Mr. Ge doesn’t appear to fit the hacker stereotype. His published academic papers identify him as an expert in a nontechnical subject: Thai politics. Frequent posts on Chinese social media that researchers have linked to him show him to be a new father and avid bicyclist who drives a white Volkswagen Golf sedan and occasionally criticizes the government.
But his activity elsewhere on the Internet links him to a Chinese hacker collective that attacks targets in an area of strategic interest to the U.S., according to the report by cybersecurity concern ThreatConnect and security consulting firm Defense Group Inc.
The U.S. has been caught flat-footed in recent months by a string of cyberintrusions in which Chinese state-sponsored hackers are the leading suspects. They include the theft of sensitive personal data on millions of government employees from computers at the U.S. Office of Personnel Management, and similar network breaches at health insurers and other companies.
Under pressure to respond, the White House has begun preparing a list of sanctions against Chinese companies that U.S. officials believe have benefited from cybertheft of U.S. corporate secrets, Mr. Obama said last week. Those sanctions, if implemented, wouldn’t address state-to-state hacking.
Beijing has bristled at U.S. finger-pointing on cybersecurity and portrayed itself as a victim of hacking, pointing to disclosures by former U.S. security contractor Edward Snowden of U.S. government cyberspying on China. “Cybertheft of commercial secrets and hacking attacks against government networks are both illegal,” Mr. Xi told the Journal in a written interview prior to embarking on his U.S. visit. “Such acts are criminal offenses and should be punished according to law and relevant international conventions.”
The ThreatConnect-DGI report helps throw new light on a still little-understood aspect of China’s cyber operations: the relationship between the country’s military and an aggressive corps of Chinese-speaking hackers that appear to be pressing the country’s interests abroad.
Through accounts allegedly tied to Mr. Ge, the report draws a direct link between his unit, People’s Liberation Army Unit 78020, a military intelligence arm based in China’s southwest, and a hacker collective known as Naikon that security researchers say has successfully penetrated key computer networks in countries competing with China for control over the South China Sea.
“What we see from Chinese intrusions is that they have a very grass roots, bottom-up kind of model,” said James Mulvenon, director of DGI’s Center for Intelligence Research and Analysis. “They have a lot of groups that are encouraged with relatively vague guidance to go out and develop hundreds of accesses and bring back lots of data.”
Two academic papers on Thailand’s political situation Mr. Ge published in 2008 identify him as working for Unit 78020, a technical reconnaissance bureau based in the southwestern Chinese city of Kunming. It is one of more than two dozen such bureaus within the PLA tasked with intelligence gathering, analysis and computer network defense and exploitation, according to Mark Stokes, executive director at Virginia think tank Project 2049 Institute and an authority on the role of China’s military in signals intelligence like cyberspying.
Unit 78020 is controlled by the PLA’s Chengdu Military Region, which is responsible for securing Tibet as well as China’s borders with Vietnam, Myanmar and India. Another reconnaissance bureau under the Chengdu Military Region was responsible for the hacking of computer networks connected to exiled Tibetan spiritual leader the Dalai Lama, Mr. Stokes said. Given the region’s focus on the border, “it also makes sense that they would do collections related to the South China Sea,” he said.
Staff with Unit 78020’s propaganda office declined requests for an interview. A spokesman for Chengdu Military Region referred questions to the defense ministry, which didn’t respond to requests for comment. The foreign ministry also didn’t respond to requests for comment.