iWar


by Bill Gertz


  The South China Sea incident, as the military encounter was called, was just the kind of military miscalculation that senior American military leaders had feared for years, as China had steadily built up military forces on disputed islands and gradually claimed the entire strategic waterway as its maritime territory.

  Following the South China Sea incident, U.S.-China tensions reached a boiling point with threats and counterthreats, including official Chinese government promises of retaliation. In Washington, phone calls to Chinese political leaders went unanswered. Beijing streets were filled with thousands of protesters in what were carefully orchestrated government-run demonstrations denouncing America. The demonstrators were demanding payback for sinking the warship. Tensions were the highest in history and threatened to end the peaceful period since the two major trading partners shelved their ideological differences beginning in the 1980s.

  Colonel Sun and his team are now striking back in ways the United States would never suspect. The sabotage mission they have embarked on is unlike any conducted before and is one that China’s military over the past two decades has been secretly training to carry out: an information warfare attack on the American electrical power grid.

  Chinese military intelligence hackers, after decades of covert cyber intrusions into American industrial control computer networks, have produced a detailed map of the United States’ most critical infrastructure—the electrical power grid stretching from the Atlantic to the Pacific and north and south between Canada and Mexico.

  Unbeknownst to the FBI, CIA, or National Security Agency, the Chinese have discovered a strategic vulnerability in the grid near the commandos’ location. The discovery was made by China’s Unit 61398, the famed hacker group targeted in a U.S. federal grand jury indictment more than a decade earlier, which named five of the unit’s PLA officers. The officers and their supporters had laughed off the Americans’ legal action as just another ineffective measure by what Beijing believed had become the weakened “paper tiger” that was the United States.

  The raid is code-named Operation Duanlu—Operation Short-Circuit—and was approved by the Communist Party of China Central Military Commission a day earlier. The commission is the ultimate power in China, operating under the principle espoused by People’s Republic of China founder Mao Zedong, who understood that political power grows from the barrel of a gun.

  The two commandos in the truck drive off to a remote stretch of highway several miles away to a point that was previously identified near a large hardwood tree that has grown precariously close to a key local power line. The truck drives by the tree, whose roots have been weakened on the side away from the power lines by the commandos weeks earlier. The backhoe arm pushes the tree over and into the power lines, disrupting the flow of electricity and shutting down power throughout the area.

  At precisely the same time as the tree strikes the power lines, Colonel Sun sits in the car, boots up a laptop computer, and with a few keystrokes activates malicious software that has been planted inside the network of a nearby electrical substation. The substation is one of the most modern power centers and is linked to the national grid through “smart grid” technology designed to better automate and operate the U.S. electrical infrastructure. The smart grid technology, however, had been compromised years earlier during a naïve U.S. Energy Department program to cooperate with China on advanced electrical power transmission technology. The Chinese cooperated, and they also stole details of the new U.S. grid system and provided them to Chinese military intelligence.

  Once in control of the substation’s network, Colonel Sun sets in motion a cascading electrical power failure facilitated by cyberattacks but, most important, carried out in ways that prevent even the supersecret National Security Agency, America’s premier cyber-intelligence agency, from identifying the Chinese cyberattackers and linking them to Beijing. The agency never recovered from the damage to its capabilities caused years earlier by a renegade contractor whose charges of illegal domestic spying led to government restrictions on its activities that ultimately prevent the agency from catching the Chinese before the electrical infrastructure cyberattack. For political leaders, the devastating power outage is caused by a tree in Pennsylvania, leading to a cascading power outage around the nation.

  The Chinese conducted the perfect covert cyberattack, which cripples the United States, throwing scores of millions of Americans into pre-electricity darkness for months. Millions of deaths will ensue before Washington learns of the Chinese military role and, rather than fight back, makes a humiliating surrender to all Beijing’s demands—withdrawal of all U.S. military forces from Asia to areas no farther west than Hawaii, and an end to all military relationships with nations in Asia.

  • • •

  The above scenario is fictional. Yet the devastation a future information warfare attack would have on critical infrastructures in the United States is a real and growing danger.

  No other nation today poses a greater danger to American national security than China, a state engaged in an unprecedented campaign of information warfare using both massive cyberattacks and influence operations aimed at diminishing what Beijing regards as its most important strategic enemy. Yet American leaders remain lost in a Cold War political gambit that once saw China as covert ally against the Soviet Union. Today the Soviet Union is gone but China remains a nuclear-armed communist dictatorship on the march.

  From an information warfare stance, China today has emerged as one of the most powerful and capable threats facing the United States. By May 2016 American intelligence agencies had made a startling discovery: Chinese cyber-intelligence services had developed technology and network penetration skills allowing them to control the results of Internet searches conducted on Google’s world-famous search engine.

  By controlling one of the most significant Information Age technologies used in refining and searching the massive ocean of data on the Internet, the Chinese are now able to control and influence what millions of users in China see when they search using Google. Thus a search for the name Tiananmen—the main square in Beijing, where Chinese troops murdered unarmed prodemocracy protesters in June 1989—can be spoofed by Chinese information warriors into returning results in which the first several pages make no reference to the massacre. The breakthrough is similar to the kind of totalitarian control outlined in George Orwell’s novel Nineteen Eighty-Four with the creation of a fictional language called Newspeak, which was used to serve the total dominance of the state.

  Technically, what China did was a major breakthrough in search engine optimization—the art and science of making sites appear higher or lower in search listings. The feat requires a high degree of technical skill to pull off and would require learning the secret algorithms—self-contained, step-by-step computer search operations—used by Google. The intelligence suggests that Chinese cyberwarfare researchers had made a quantum leap in capability by actually gaining access to Google secrets and machines and adjusting the algorithms to make sure searches are produced according to Chinese information warfare goals.

  Those goals are to promote continued rule by the Communist Party of China and to attack and defeat China’s main enemy: the United States of America. Thus Chinese information warriors can continue the lies and deception that China poses no threat, is a peaceful country, does not seek to take over surrounding waterways, and does not abuse human rights, and that its large-scale military buildup is for purely defensive purposes.

  The dominant battle space for Chinese information warfare programs is the Internet, using a combination of covert and overt means. The most visible means of attack can be seen in Chinese media that is used to control the population domestically, and to attack the United States, Japan, and other declared enemies through an international network of state-controlled propaganda outlets, both print and digital, that have proved highly effective in influencing foreign audiences. One of the flagship party mouthpieces is China Daily, an English-language newspaper with a global circulation of 900,000 and an estimated 43 million readers online. China Central Television, known as CCTV, operates a twenty-four-hour cable news outlet as well to support its information warfare campaigns.

  “The People’s Republic of China has studied the U.S. approach to information warfare from the Cold War and has successfully navigated itself into a position of ‘respectability’ compared to their brothers from Russia and their ham-fisted ‘Russia Today’ (RT),” said retired navy captain James Fanell, a former Pacific Fleet intelligence director who specializes in Chinese affairs. Fanell compares Chinese information warfare targeting the United States and the inability to recognize the danger to a frog being slowly boiled alive. “The heat in the pool just keeps going up one degree at a time,” he says.

  • • •

  Chinese information warfare is being developed within the Communist Party of China’s Central Military Commission, the highest-ranking military body in the nation. One of the most visible uses of information operations can be seen in China’s systematic approach to acquiring territory around the periphery of the country, specifically the waters stretching from the Pacific northeast southward through the South China Sea and Indian Ocean.

  China’s aggression in the South China Sea, the strategic waters joining the Pacific and Indian Oceans, is among the more visible examples of this new strategic information warfare. The effort remained at low levels for years but emerged as a major policy issue for the United States around 2011. China carefully avoided provoking a U.S. reaction and decided to carry out its island building at the lowest profile possible. Before long, it had built up some 3,200 acres of islands, through dredging the seafloor and using the sand to produce above-water islands that had once been coral reefs. The Chinese were able to deceive the world into believing that the waters were historically theirs and that any other countries’ claims to the sea as international waters were false. Beijing also announced, significantly, that any attempt to counter these claims posed a threat to China’s central national interests—language widely viewed as a basis for going to war to defend those interests.

  Behind the campaign was a sophisticated combination of information warfare and Chinese deception operations that lulled the United States into first ignoring the problem and later halfheartedly attempting, through public statements, to prevent military weapons and facilities from being added. But it was too late. By 2016, China had finished building a series of military bases in the South China Sea, first on Woody Island in the Paracels, in the northern part of the sea, then on three separate maritime outposts in the Spratly Islands in the southern part; it also revealed plans for a major base on Scarborough Shoal, a fifty-eight-square-mile shoal that is strategically located some 120 miles west of the Philippines—where U.S. warships and warplanes are deployed at Subic Bay as part of an enhanced U.S.–Philippines defense agreement.

  China launched an aggressive information and cyberwarfare operation against regional states beginning around 2010, using military cyberwarfare units located in the Chengdu military region and operating under the designation Unit 78020. No government was spared in the attacks, which involved cyber strikes against computer networks in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam. “We assess Unit 78020’s focus is the disputed, resource-rich South China Sea, where China’s increasingly aggressive assertion of its territorial claims has been accompanied by high-tempo intelligence gathering,” states a report by the cybersecurity firm ThreatConnect. “The strategic implications for the United States include not only military alliances and security partnerships in the region, but also risks to a major artery of international commerce through which trillions of dollars in global trade traverse annually.” According to the report, “Dominating the South China Sea is a key step for Beijing in achieving regional hegemony.” Additionally, the other claimants to the sea, notably Vietnam and the Philippines, are weaker and lack the security guarantees from the United States that have helped temper similar tensions with Japan in the East China Sea.

  The information warfare campaign focused on all the governments of Southeast Asia, including the headquarters of the ten-nation Association of Southeast Asian Nations and private and public energy organizations. The goal was data theft, to gain valuable commercial information and foreign government secrets that could be given to Chinese companies or used in negotiations. For the longer term, Chinese military hackers were gaining strategic access to target government computer networks that could be attacked and shut down in a crisis or conflict, or used to spread disinformation internally to confuse and weaken the enemy. For the South China Sea campaign, the Chinese used an extensive network of hundreds of Internet Protocol addresses that in some cases were used for only an hour before being abandoned—all in line with a methodology designed to avoid detection by cybersecurity services, both government and private. The operation was first detected in September 2010 and continued at the time the ThreatConnect report was published in August 2015. The domain used for the attacks by the Chinese, known as “greensky27.vcip.net,” included 1,236 IP addresses spanning twenty-six cities in eight nations.
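The rapid rotation of addresses described above, where a domain's resolved IP is used for only about an hour before being abandoned, is itself a detectable pattern in passive DNS data. The following script is an added example, not part of the book or of the ThreatConnect report; it uses constructed resolution records and placeholder domain names (stable.example.invalid, churn.example.invalid) and flags domains whose addresses churn quickly.

```python
"""Flag domains whose resolved IP address is replaced rapidly and often.

Detection heuristic from a defender's view: a domain that resolves to many
distinct addresses, each held only briefly, behaves like the short-lived
infrastructure described in the text. All records here are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed passive-DNS observations (timestamp, domain, resolved IP).
# One domain keeps a single address for a day; the other moves to a fresh
# address every hour.
BASE = datetime(2014, 6, 1, 0, 0)
RECORDS = [(BASE + timedelta(hours=h), "stable.example.invalid", "203.0.113.10")
           for h in range(24)]
RECORDS += [(BASE + timedelta(hours=h), "churn.example.invalid", f"198.51.100.{h + 1}")
            for h in range(24)]


def churn_profile(records):
    """Return {domain: (distinct_ip_count, median_seconds_an_ip_was_held)}.

    The hold time of an address is the interval until the next observed
    address change; a domain that never changed address has no hold times.
    """
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        by_domain[domain].append((ts, ip))
    profile = {}
    for domain, observations in by_domain.items():
        observations.sort()
        change_times = []      # timestamps at which the resolved IP changed
        current_ip = None
        for ts, ip in observations:
            if ip != current_ip:
                change_times.append(ts)
                current_ip = ip
        holds = [(later - earlier).total_seconds()
                 for earlier, later in zip(change_times, change_times[1:])]
        distinct = len({ip for _, ip in observations})
        profile[domain] = (distinct, median(holds) if holds else None)
    return profile


def flag_rotating(profile, min_distinct=10, max_hold_seconds=2 * 3600):
    """Domains with many distinct addresses, each typically held only briefly."""
    return sorted(domain for domain, (count, hold) in profile.items()
                  if count >= min_distinct and hold is not None
                  and hold <= max_hold_seconds)


if __name__ == "__main__":
    for domain, (count, hold) in churn_profile(RECORDS).items():
        print(f"{domain}: {count} distinct IPs, median hold {hold} s")
    print("flagged:", flag_rotating(churn_profile(RECORDS)))
```

The thresholds are assumptions to tune against a real resolver's baseline; CDN-backed domains also rotate addresses, so the flag is a triage signal, not a verdict.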

  Through these information warfare activities China incrementally gained control over the South China Sea and employed multiple pillars of national power with the larger goal of influencing and ultimately exercising control over the entire region. The shadow information war is typical of the kinds of activities China engages in not just in Southeast and Northeast Asia but globally as part of its drive for world acceptance and domination.

  As ThreatConnect states:

  All of China’s activities in the South China Sea, whether military, diplomatic, or economic, have been long supported by a well-resourced covert signals intelligence and digital exploitation unit that maintained deep access within China’s Southeast Asian neighbors’ public and private sector enterprises. . . . What is really at hand is a broader national objective of physically intruding into the 1.4 million square miles that make up the South China Sea. It is likely that China does not view this behavior as criminal in nature, insofar as it cannot be stealing if you already consider something to be yours. But the targets of this activity most certainly do not share that view. This aggressiveness clearly comes at an expense to China’s reputation regionally and internationally as credible proof of these operations continues to mount.

  What made the ThreatConnect report so compelling was its detailed analysis of one of the players involved in the campaign. A PLA officer code-named GreenSky27 was exposed as Ge Xing, a cyber operative with an extensive public persona on Chinese social media sites dating to 2004. Ge posted photos of himself within the compound located in Kunming, in Yunnan Province, China, which borders Myanmar, Laos, and Vietnam and is the center of information warfare operations against South China Sea states. Ge was shown biking and holding an infant and posting about his “beloved Party school” in Kunming where he attended courses as part of his career as a PLA officer. He also attended the PLA International Studies University in 2014 and published several academic papers for Unit 78020, including “Analysis of Post-War Thailand’s Political Democratization Characteristics and Factors” and “Examination of Trends in Thailand’s Southern Muslim Separatist Movement.” Ge was born in 1980 and graduated from Yunnan University in 2008. GPS routes used in Ge’s various bike rides in Kunming also were posted. Technical analysis of Ge’s online activities in the Unit 78020 hacking operations included his links to the cyberattacks, which showed a decline in malicious hacking activities during his travel and vacations and a corresponding decline in his social media postings during the same absences. There was even a gap in his Unit 78020 cyber operations when Ge’s child was born. The infrastructure used in the South China Sea cyberattacks also ceased operating during Ge’s visits to his ancestral memorial, and during two vacation trips in the summer of 2014.

  In May 2014, after the Justice Department indicted five PLA hackers belonging to another cyberwarfare unit, Shanghai-based Unit 61398, the South China Sea cyberattack operations showed a dramatic drop-off in activity. The high-profile indictments targeted military hackers who stole valuable information from major companies in Pennsylvania, including Westinghouse and Alcoa.

  The PLA indictments were largely symbolic since the Justice Department has no real prospect of ever prosecuting the Unit 61398 hackers. But the indictment was the first time the U.S. government had taken off the veil of secrecy surrounding Chinese cyberattacks against the United States. The PLA hackers were identified as Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui and their activities outlined in the fifty-six-page indictment. The group was part of the Third Department of the General Staff, also known as 3PLA, and its Unit 61398. The FBI went so far as to draw up wanted posters for the five.

  Since 2006 the hackers had used sophisticated technology and traditional fake emails to fool targeted Americans with access to corporate secrets into providing break-in points to company networks. They then methodically stole key commercial secrets, such as technical design details for Westinghouse nuclear reactors and solar panel technology. Internal communications containing valuable economic data were also stolen and provided by the PLA to Chinese state-run competitors.
