One of the biggest challenges of threat intelligence is to find the intentions of the attackers. This is not always possible, but if we have to face such a challenge, it helps to understand the context of the attacks and the organisation within which the attackers operate. In the following posts, we will deal with one of the main players on the cyber stage – China – and the organizational apparatus responsible for intelligence operations and obtaining information for decision-makers. Although the country is frequently mentioned in one breath with Russia or North Korea, the individual Chinese government agencies responsible for intelligence activities, including cyber operations, are definitely not as well known as the Russian GRU. This should not be a particular surprise. The linguistic and cultural barriers, as well as the difficult access to information caused by the censorship imposed by the Beijing authorities, set the bar facing analysts much higher. Therefore, starting with the PLA, I will try to bring the various organisations and their role in the ecosystem of cyber operations closer. In the broader context, we have three main actors on stage:
- PLA (People's Liberation Army, Zhōngguó Rénmín Jiěfàngjūn, 中国人民解放军) – the People's Liberation Army, or the Chinese armed forces. Although reports by threat intelligence teams sometimes contain statements such as “the PLA is responsible for this operation”, this is obviously a huge generalization, comparable to saying that the United States Armed Forces or the Polish Army are responsible for an action. In practice, we will be talking about particular branches, here the People's Liberation Army Strategic Support Force (SSF, Zhōngguó Rénmín Jiěfàngjūn Zhànlüè Zhīyuán Bùduì, 中国人民解放军战略支援部队), because that is where we find the Network Systems Department, which is in charge of cyber activities.
- MSS (Ministry of State Security, Guójiā Ānquán Bù, 国家安全部) – the Ministry of State Security, or the Chinese foreign intelligence service. It is China's chief intelligence agency, so it is no surprise that it also operates in cyberspace today. It is worth noting that the Ministry is not limited to foreign activities and also performs the functions of a secret police: it has the power to arrest and detain persons, just as police authorities do. However, we will deal with the external aspects of its activity and the many activity groups under this umbrella, including cases of industrial espionage and classical political intelligence. The MSS of course also consists of many local offices and organizational units; for example, the United States has attributed activity related to APT10 to the Tianjin State Security Bureau.
- MPS (Ministry of Public Security, Gōng’ānbù, 公安部) – the Ministry of Public Security, i.e. the Chinese internal intelligence authority. In theory it is a police agency, but its main tasks focus on counterintelligence and ensuring political security. We will discuss the MPS from the angle of its policy impact rather than its individual organisations.
Speaking of the analysis of PLA cyber operations, we have to go back to 2013, when Mandiant published the report APT1: Exposing One of China’s Cyber Espionage Units. This was the first public report by a private company to describe the PLA's espionage activities against targets worldwide, mainly in the United States and Western Europe. Mandiant attributed this activity to Unit 61398, operating within the 3rd Department of the General Staff of the PLA. This rather complex relationship is illustrated by the graphic:

As for the number itself, it is the so-called MUCD (Military Unit Cover Designator), used to identify a unit without revealing its scope of activity in its name. At this point, the attentive reader rightly asks where the Strategic Support Force mentioned earlier is. The reorganization of the PLA in which this component was created took place only in 2015; in December 2015 the SSF started operations. The following diagram shows how the reform affected the organisation of the individual elements that were split off into the new component:

Thus, as we can see, the 3rd Department, in which the units responsible for technical intelligence operate, has been transferred to the jurisdiction of the SSF, and so Unit 61398 now operates there. That is, of course, if the unit has remained operational and unchanged since the Mandiant report. As mentioned, we will be most interested in the Network Systems Department, sometimes also known as the cyber forces (wang jun, 网军). Despite its name, however, the scope of the Department's activities is wider than just network operations and also includes psychological operations and electronic warfare. The reorganisation has brought considerable centralisation of resources. In the previous model, the 12 technical reconnaissance bureaus of the 3rd Department were responsible for intelligence operations, whereas CNA was run by the 4th Department and defensive activities by the Information Department of the General Staff. Now both CNE and CNA have come under the wings of the SSF, concentrating offensive capabilities there. The defensive missions remained under the management of the former organizational structures, in the newly created Information and Communications Bureau of the Joint Staff Department (信息通信局).
The following diagram shows the SSF's place in the PLA structure and its relation to the 3rd Department:

The SSF is to play a key role in enabling the PLA to gain information dominance on the battlefield. This concept fits into the Chinese understanding of the battlefield, in which achieving dominance in three domains – air, space, and information – provides victory. In the context of direct support to the armed forces, it is assumed that an information advantage translates into gains in time and space on the battlefield. With information about the opponent's intentions and actions, the opponent can be delayed at key moments, his plans stopped, or his power projection capabilities limited, ensuring China's strategic objectives are met. In the context of the SSF's role in the structure of the PLA, it is also worth noting that the second main area of the formation's activity is space. Chinese doctrine here seems to combine the cyber and space domains because both are based on the electromagnetic spectrum as a medium for information transmission. This may be because, in the most dramatic scenario of an invasion of China, an enemy armed with precision long-range weapons would use space infrastructure and information technology, making dominance in this sphere a goal in itself. Additional information on the role of cyber operations in Chinese war doctrine is provided by the "Science of Military Strategy", published regularly by the PLA's National Defence University. In the 2020 edition we find the foundations of conflict in cyberspace, including statements going as far as saying that victory in war starts with victory in this domain. The authors highlight the key role of communication and information systems as the centre of combat. An interesting example is also given of Iraq, which allegedly succumbed to American troops so quickly because control of cyberspace made it possible to paralyze government and military functions, and thus caused morale to fall. Further on, we also find thoughts on the interface between the cyber and space domains.
As I pointed out earlier, Chinese doctrine treats both of these areas as very closely related through the use of the electromagnetic spectrum. It also points to the need to integrate operations so that cyber and space activities are coordinated with strategic and political objectives in conflict situations.
Since we are talking about cyber operations, which have their own specifics, such as the need to maintain access to the affected environments, it is also worth pointing out the emphasis on integration between peacetime and wartime operations. This concept is one of the reasons for the reform in general: before the changes, the PLA feared the change, in the event of a conflict, in the functioning of the armed forces from a peacetime posture to a war-ready one. This was because in the previous model, forming an Information Operations Group would have required extensive coordination of departments and troops scattered across various branches of the armed forces, government agencies and different organisational structures. The creation of the SSF simplified this process by organising the relevant units into an operational group as the default mode of operation. In this way, cyber operations requiring preparation, such as reconnaissance or the development of access vectors into hostile systems, can be conducted smoothly, and in the event of armed conflict, units can move smoothly to subsequent phases of the attack, such as the exploitation of vulnerabilities and installation.
An important element of the functioning of the SSF is its involvement in the concept of military-civil fusion (MCF, 军民融合). The MCF assumes closer cooperation between the private and public sectors in conducting research and implementing technologies that could benefit Chinese defence. This is a multi-dimensional project consisting, among other things, of deregulation of the defence sector and encouraging the development of dual-use technologies, which can help develop the potential of the Chinese armed forces. In the context of the SSF, the MCF is primarily intended to train and recruit staff. This should not be surprising: the problem of staffing in cybersecurity seems to be independent of geography. The SSF has thus established cooperation with a number of institutions, such as the China Electronics Technology Group and the Chinese University of Science and Technology, in the field of training and education of personnel. It is worth emphasising that the idea that it is very hard to separate operations in cyberspace during war and peace already appears in the 2013 Science of Military Strategy. There, too, we find support for the MCF: the authors stress that the difference between the military and civilian spheres is blurring, and that during war both sectors should "attack shoulder to shoulder".
So what examples of other PLA units responsible for cyber operations have been identified? One of them has already appeared on Counterintelligence.pl, when I wrote about attribution and the problems related to it. The post discussed the ThreatConnect report “Project CameraShy”, in which analysts attributed the tracked activity to Unit 78020. The unit operated as part of a technical reconnaissance bureau in Kunming and was active in intelligence operations related to the situation in the South China Sea. In the context of cyber operations, this is the APT activity group "Naikon".
Another group associated with a specific unit is Putter Panda. This threat actor was described in 2014 in a CrowdStrike report, which described how the group's activity led to Unit 61486, again associated with the 3rd Department. This time we are talking about the twelfth technical reconnaissance bureau, based in Shanghai. Analysts discovered traces of the group's activity as early as 2007. As for victimology, Putter Panda attacked defense, satellite and aviation targets. As in the case of APT1, the Chinese military conducted technology acquisition and industrial espionage operations here.
Because the term "technical reconnaissance bureau" appears every now and then in the descriptions of these groups, I must make a caveat here. At the moment, I haven't found any information about whether or not all these bureaus have actually been pulled under the jurisdiction of the SSF. The way the SSF was formed in terms of the tasks to be carried out would suggest this, but as I mentioned, only offensive operations were transferred to the new component. Strictly speaking, it is therefore impossible to say how the bureaus were divided between these components, especially given that in the previous model each military region had its own bureau responsible for SIGINT and cyber activities. Similarly, if we return for a moment to the SSF's place in the PLA structure, it sits directly under the Central Military Commission, but the regional commands (theater commands) may have their own electronic warfare and cyber capabilities. The relationship between the commands and authority over the units is not yet clear.
In describing the capabilities of the PLA, attention should also be paid to its research institutes. The 3rd Department supervised the Office of Intelligence Science and Technology, which in turn oversaw three institutes. Given what we know about the 2015 reorganisation, it can be assumed that they are now working for the SSF. These units are:
- 56th Research Institute / Institute for Computer Technology Research in Jiangnan – the largest and oldest research and development centre of the PLA, dealing with research on the creation and use of supercomputers.
- 57th Research Institute / South Western Institute of Electronics and Telecommunications Technology – conducts research on signal capture and processing as well as satellite technology, in cooperation with the Chinese Academy of Space Technology.
- 58th Research Institute / South Western Institute of Automation Research – conducts research on cryptology and IT security.
In addition, in the 2020 indictment against four PLA officers, we can find information about the 54th Research Institute (Northern Institute of Electronic Equipment) as also being subordinate to the Chinese army.
The creation of the SSF shows how high a priority China gives to gaining an advantage in cyberspace operations. The PLA gained a component dedicated to cyber activities, similar to the American Cyber Command, although with a somewhat different scope of work, resulting from a doctrine that closely links cyberspace to space. Perhaps a better comparison would therefore be STRATCOM, the American Strategic Command responsible for space activities, intelligence and C4ISR. Of course, searching for exact counterparts does not make much sense. Chinese doctrine has its own assumptions, especially as regards treating all available means of combat as a fighting force that is as integrated as possible. Domain integration is a key phrase when we talk about the 2015 reform of the armed forces. The units responsible for computer operations have been merged into a joint PLA component, which is intended to allow integrated operations that seamlessly combine the functions needed in peace and in war, and cooperation with the civilian sector within the MCF is one of the pillars of the SSF idea.
This is the outline of the organizational structure of the People's Liberation Army that supports and conducts cyber operations. I invite you to the next post, where we will look at the activities of the infamous Ministry of State Security.