How China Uses Stolen US Personnel Data

Interesting analysis of China’s efforts to identify US spies:

By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. “We looked at it very carefully,” said the former senior CIA official. China’s spies “were actively using that for counterintelligence and offensive intelligence. The capability was there and was being utilized.” China had also stepped up its hacking efforts targeting biometric and passenger data from transit hubs…

To be sure, China had stolen plenty of data before discovering how deeply infiltrated it was by U.S. intelligence agencies. However, the shake-up between 2010 and 2012 gave Beijing an impetus not only to go after bigger, riskier targets, but also to put together the infrastructure needed to process the purloined information. It was around this time, said a former senior NSA official, that Chinese intelligence agencies transitioned from merely being able to steal large datasets en masse to actually rapidly sifting through information from within them for use….

For U.S. intelligence personnel, these new capabilities made China’s successful hack of the U.S. Office of Personnel Management (OPM) that much more chilling. During the OPM breach, Chinese hackers stole detailed, often highly sensitive personnel data from 21.5 million current and former U.S. officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data. In some cases, details from background investigations tied to the granting of security clearances — investigations that can delve deeply into individuals’ mental health records, their sexual histories and proclivities, and whether a person’s relatives abroad may be subject to government blackmail — were stolen as well….

When paired with travel details and other purloined data, information from the OPM breach likely provided Chinese intelligence potent clues about unusual behavior patterns, biographical information, or career milestones that marked individuals as likely U.S. spies, officials say. Now, these officials feared, China could search for when suspected U.S. spies were in certain locations — and potentially also meeting secretly with their Chinese sources. China “collects bulk personal data to help it track dissidents or other perceived enemies of China around the world,” Evanina, the top U.S. counterintelligence official, said.

[..]

But after the OPM breach, anomalies began to multiply. In 2012, senior U.S. spy hunters began to puzzle over some “head-scratchers”: In a few cases, spouses of U.S. officials whose sensitive work should have been difficult to discern were being approached by Chinese and Russian intelligence operatives abroad, according to the former counterintelligence executive. In one case, Chinese operatives tried to harass and entrap a U.S. official’s wife while she accompanied her children on a school field trip to China. “The MO is that, usually at the end of the trip, the lightbulb goes on [and the foreign intelligence service identifies potential persons of interest]. But these were from day one, from the airport onward,” the former official said.

Worries about what the Chinese now knew precipitated an intelligence community-wide damage assessment surrounding the OPM and other hacks, recalled Douglas Wise, a former senior CIA official who served deputy director of the Defense Intelligence Agency from 2014 to 2016. Some worried that China might have purposefully secretly altered data in individuals’ OPM files to later use as leverage in recruitment attempts. Officials also believed that the Chinese might sift through the OPM data to try and craft the most ideal profiles for Chinese intelligence assets seeking to infiltrate the U.S. government­ — since they now had granular knowledge of what the U.S. government looked for, and what it didn’t, while considering applicants for sensitive positions. U.S. intelligence agencies altered their screening procedures to anticipate new, more finely tuned Chinese attempts at human spying, Wise said.

Posted on December 24, 2020 at 6:44 AM21 Comments

Comments

Stengler December 24, 2020 9:07 AM

…so “Intelligence” on foreign governments can be very useful.
High quality Intelligence can be extremely useful.
Digital data and Internet linkage is a bonanza for Intelligence gathering.

U.S. Government poorly protects its own sensitive data, but has spectacular success penetrating foreign government sources.

Good Offense — Bad Defense.
Radical shake-up of U.S. Intelligence senior-management required ASAP.

Somebody Anon December 24, 2020 10:07 AM

I am quite sure that the 3 letter agencies of USA do much the same to all other countries. The US agencies were, perhaps, ahead of intelligence agencies of other countries, in this regard.

Pattern and traffic analysis have long been used to find anomalous behaviour amongst suspects. Such detailed analysis, on very large data sets, is what differentiates the intelligence capabilities of individual countries. And, this is probably what drives research into quantum computers and machine learning algorithms.

AlexT December 24, 2020 11:02 AM

By all measures the OPM leak was absolutely catastrophic – If it was the Chinese I’m surprised they did not make a more agressive use of it. As far as publicly known (and this article is one a the very few actually adressing this matter) it was not really “milked” to the incredible level it could have been. Just imagine someone leaking the whole witness protection database, as a random exemple…

Clive Robinson December 24, 2020 2:23 PM

@ Stengler,

U.S. Government poorly protects its own sensitive data, but has spectacular success penetrating foreign government sources.

The two might not be unrelated…

If you encorage the push for security weak systems out of major Silicon Valley Corps, into all markets, or do not actively help stop such a mess then you get where we are today. I think most people can see that.

A logical consequence of which, is basicly everybodies systems through out the world including every US IC agency and all inter related agencies such as the Office of Personnel Managment etc etc are also weak and extreamly vulnerable to outside and inside attack.

Then idiotic idea behind it is, as an “attacking espionage agency” it makes your life easier. As we have just seen with the ongoing SolarWinds exploits. But if you think back a little, also as for insiders as well to just walk out the door with all your secrets in a Rubic’s Cube or just under your arm…

There is some myth that computers make people more efficient… Well for office workers that’s actually not true and has not been since the early 1970’s…

You can actually measure the speed an old Apple ][ alows you to enter text into an editor -v- a modern high end all singing all dancing end PC, Smart Device etc and find that the old Apple ][ with an 8bit 6502 CPU 48k of RAM all running at 1MHz and doing it’s own video generation still wins…

Many years ago IBM with it’s “Big Iron” Z range of computers proved the point that where computers realy score is not working “on data” but “shifting data” between points A and B through Z and on. This makes copying and moving data so easy that more data than a human could read in ten lifetimes can be out of an organisations door in mear seconds…

As a secondary effect computers alow for the staff using them to “dumb down” with the likes of spell checkers, grammar checkers, and as much fancy formatting as you want. All of which slows everybody down and makes them less efficient… To make up for this we now have “Software of Coercion” to watch not just a users “data entry” but now with microphones and cameras built in watch the user directly, includong eye movment, resperation and pulse rates…

Thus a bunch of clueless types in certain areas of managment, just ripe to be exploited for large sums of money, by the vendors of such software, then use the software to come up with some lame brain virtually usless “performance statistics”. Some even try and build businesses around such “Software of Coercion” systems (have a look at certain “out sourced” programming jobs to see this nonsense in action, the resukting software is generally fairly usless andvhas almost unimaginable down stream risks and thus costs).

As someone once observed “Even hamsters can move fast in a wheel, but what does it achieve?”[1].

You can still see the mindlessness and lack of understanding in the likes of William Barr ex head of the US DoJ telling tech to nerd harder to give him the impossible. Because he can not or simply refuses to see a “Backdoor under any other name is a security risk to all”.

Such mindless demands for personal power and similar psychopathic behaviour by those who demand the right to interfere where they have no hope of comprehension is why we are in the mess we are in…

In essence they can not see that all tools are “agnostic to use or who uses them”. The NSA has tried quite a few “Nobody But Us” tricks in the past some quite subtle. The fact we have found out quite a few of them should tell people what the fate of such insecurity is. Oh and the recent SolarWinds exploitation should start giving people justva small clue as to what disasters await “NoBus Backdoors”.

The problem is we have for too long let the “lunatics run the asylum” and they belive quitr incorrectly that they can win any and all “Red Queen Races”[3] that they create by a psychotic monomania[2]…

Such people should not be alowed to be incharge of themselves let alone anything or anyone else. As an example the idea you can win a Red Queen’s race has given us the disastrous “High Frequency Trading”. In a similar way it gave rise to a variant form, where you do exactly the same as everyone else, on the logic “You are all winners because there can not be any loosers if every one does the same” stratagem that gave us the Banking Crisis we are still in. Oh and more recently it has given us the COVID pandemic killing more people a day in the Western World than any ongoing battle in mankinds history.

There are some obvious solutions, but I very much doubt as a society we will do what is required…

[1] Hence the lovely expression “The Hamster Wheel of Pain”, which poped up eith regards Security Risk Managment more than a decade and a half ago. But is relevant in many other areas as well[2] you can see when reading the article,

https://www.markerbench.com/blog/2005/05/04/Escaping-the-Hamster-Wheel-of-Pain/

Oh don’t go searching on the expression without care, apparently “wheel of pain” is used by certain “adult entertainment” and the market gets serviced in part by an organisation that uses Hamster as part of it’s name…

[2] For instance Allan Schnaiberg’s concept of the “Treadmill of Production” is also a “Treadmill of Status” and both are very pathalogical in nature. In short the idea of efficiency is misappropriated by those who do not understand it ad they strive for greater “production” at the cost of everything else. The result is what has happened on the US for the last seven decades or more and realy started with the “War Effort” mentality,

https://www.greeneuropeanjournal.eu/the-green-new-deal-the-answer-to-schnaibergs-treadmill/

In essence everybody does the same, unless regulated not to, and you enter into a “Read Queen’s Race”[3] and attendent “race to the bottom” “tailspin of doom”.

[3] https://en.m.wikipedia.org/wiki/Red_Queen%27s_race

Etienne December 24, 2020 2:24 PM

I’m retired now, but in my government job, I was restricted from flying commercial with an over-stop in China. Even if I wasn’t going there.

Personnel were being pulled out of the lobby and interrogated.

If you ended-up in China, you can bet you would be sitting in a room with a communist bastard looking at your SF-86 with kimchi stuck to his teeth.

That was the story they gave us.

xcv December 24, 2020 2:59 PM

@Etienne

Personnel were being pulled out of the lobby and interrogated.

If you ended-up in China, you can bet you would be sitting in a room with a communist bastard looking at your SF-86 with kimchi stuck to his teeth.

That was the Office of Personnel Management under Katherine Archuleta during the Obama Administration, wasn’t it? The database with all the background checks and fingerprints personality profiles whatnot was kindly hosted by a Democrat-friendly German government on a SAP database, which was subsequently hacked by Chinese.

If the Chinese know your political leanings are not friendly to Xi Jinping’s regime, or more properly, to the Chinese Communist Party, how do you expect to be treated fairly in China?

The OPM hack explained: Bad security practices meet China’s Captain America
How the OPM hack happened, the technical details, and a timeline of the infiltration and response.

SpaceLifeForm December 24, 2020 11:08 PM

@ Clive

“Even hamsters can move fast in a wheel, but what does it achieve?”

As long as I can feed my hamster, and she can spin the wheel, she will generate random for me.

Goat December 25, 2020 12:22 AM

“she will generate random for me.”, The movements of a hamster on a wheel aren’t random, it is a function of what you feed it(quite non-random).

I use either os’s inbuilt random or https://qrng.anu.edu.au/ when pseudo random doesn’t work.

Clive Robinson December 25, 2020 1:52 AM

@ SpaceLifeForm,

As long as I can feed my hamster, and she can spin the wheel, she will generate random for me.

Ahh “love” and “random happiness” two of the greatest gifts that life can bring our brains 😉

@ Goat,

The movements of a hamster on a wheel aren’t random

All physical processes are random at some level, all you have to divest is “the technical noise”,

https://arxiv.org/pdf/1411.4512.pdf

@ All,

May Rudolph’s nose be a glow,
As Santa slides down low,
Through your abode so quiet,
To bring you much delight,
By your tree to place a gift below.

Goat December 25, 2020 2:55 AM

@Clive, Thankyou seems like an interesting way to generate random.

@All let there be random happiness in your lives, Happy Grav Xmas!!

xcv December 25, 2020 12:05 PM

@ O.P.

detailed, often highly sensitive personnel data from 21.5 million current and former U.S. officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data. In some cases, details from background investigations tied to the granting of security clearances — investigations that can delve deeply into individuals’ mental health records, their sexual histories and proclivities, and whether a person’s relatives abroad may be subject to government blackmail — were stolen as well….

As subjects of America’s carceral state ourselves, forever disabused of our dreams of liberty and justice for all, many of us subject to additional government restrictions and mandates since our own rights have been revoked for life without recourse on the slightest hint of suspicion of mental illness or domestic violence etc., the only feeling we can really work up on this case is a somewhat smug sense of satisfaction or justice served somehow that the prison guards, commanding officers, and federal agents who dictate every waking and sleeping moment of our lives under 24×7×365 surveillance and publish such lies and slander on our records for every slightest infraction of their arbitrary rules have themselves become the victims of the same war crimes they have perpetrated and continue to perpetrate on us.

Such records exist at a certain department of government, in an unclassifed database. To think the personal data and records were not stolen or abused for purposes other than what they were originally intended — when there is such a great motive for the Mob to control and blackmail government workers — for the control they in turn exert upon us — no, absolutely not.

Of course we are being blackmailed and controlled by adverse nation-state interests through these security weaknesses in our own government.

We do not have the luxury of viewing China and Russia as unified nation-states — despite a One China policies etc., there is simply too much internal strife and disunity in those countries as well as in the United States — and we depend on maintaining positive mutually beneficial trade relationships with our friends in those countries as well as defending ourselves from our Chinese and Russian enemies.

… as we hold the rest of mankind, Enemies in War, in Peace Friends. …

Untitled December 26, 2020 1:58 PM

There are certain countries which, frankly, no-one with citizenship of another country should visit under any circumstances. Those countries include, for different reasons, China, Iran and the United States of America. It would be very dangerous for a U.S. official’s wife or children to visit China, even if that official wasn’t in a sensitive position; they shouldn’t have gone on that trip. Anyone with a ‘Western’ citizenship visiting Iran is in danger of being arrested, officially a ‘spy’ but actually as a hostage for exchange. In the U.S. there have been far too many cases of abuse of power, with impunity, by immigration, customs and law enforcement officials. I’ved visited all three of the aforementioned countries in the past but under their present regimes I’m not going back.

Winter December 27, 2020 4:17 AM

@Untitled
“Anyone with a ‘Western’ citizenship visiting Iran is in danger of being arrested, officially a ‘spy’ but actually as a hostage for exchange.”

Nonsense. Tourists are welcome in all three countries. I have personally visited both the USA and China as a tourist and I know a lot of people who visited Iran as tourists. All was well.

Problems occur when you have some value, positive or negative, to the rulers. You know law enforcement and the judiciary in all three countries are against foreigners.

Winter December 27, 2020 4:23 AM

In conjunction with the other contributions, I have a question.

Some years ago I read a suggestion that TLAs around the world were compiling databases of all humans and there activities. These Chinese Big Data programs come close.

I am still wondering whether this is feasible and who could complete such a program?

The biggest problem I would think for such a program would be data quality. Too much garbage in would make the system unusable. But how to curate the data?

JonKnowsNothing December 27, 2020 8:15 AM

@Winter @Untitled @All

re: Detained in a foreign country

It escapes most people traveling from places like the USA, where public activities and actions are tolerated, that they are traveling TO another country with DIFFERENT laws, rules and standards.

From this comes a variety of difficulties and legal entanglements. Arbitrary detention is quite “normal” in some countries.

Specifically for the USA, there is a list of NO GO countries maintained by the US State Department. There are a few categories ranging from WARNING to IF YOU GO-GO TO JAIL. The USA Cuba policy fluctuated recently after many years of NO GO.

Yes, people got around that by traveling to Canada and then traveling to Cuba where everyone knew NOT TO STAMP THE PASSPORT. But now, with our fancy passports and the large manifest travel systems it would be harder to pass beneath the radar.

Traveling to a country that does not have diplomatic ties with your own, is seriously problematic. The US Embassy will not really help you at all if you become entangled in a legal mess, but there is supposed to be some legal assurances, which may or may not happen.

Like many other countries, USA has people in detention, rendition or jurisdiction-hopping prisons around the world. The right amount of foreign aide will grant the US Government full access to arbitrary detention and false imprisonment On Demand in many countries and even their own private prison systems. Gitmo is located in Cuba a No Go Country. Gina Haspel, currently head of CIA, ran a few CIA prisons one of them in Thailand.

You don’t have to be a “Big Target” either. Just an ordinary Smoe.

iirc(badly)

One TV documentary about Airports where they followed people around 24×7 to show the day to day workings, there was a sequence where they followed some Airport Security folks. An arrival plane from South America landed in the big London airport and the security team watched as the passengers walked to the baggage area. They picked a target: A man, dressed very nicely, sweater, nice pants, new shoes and “brought him in” for questioning. The man spoke little or no English. The clothes and lack of English were the “trigger” for detention. The episode was appalling but it aired. After many hours (could have been several days) the man was released and told to “Have a nice vacation”.

This was before much was known about such activities. David Miranda did not watch this episode or he would never have gotten off a plane in the UK.

There is, for those in the USA, a small detail that used to be buried on the US State Department site about traveling outside of the USA. It is a small form that needs to be filled out and filed, about 4-5 lines. It gives the named persons on the forms the “rights” to request the US State Department/Embassy to tell them about the location, health and disposition of a US Citizen that has “gone missing” or missed contact times. Without being a named person on this form, the US State Department will not talk to anyone, family or lawyer, about a person “missing” outside of the USA. The State Department can by choice, tell you but is not required to tell you without the form.

The important aspect of this, is that most people do not know to fill this out and often it is “trivialized” by officials as “not needed”. This is one reason rendition of US Citizens is so successful. If the target did not fill out the form, the US State Department is not required to tell anyone where the person is or why. It’s an important weapon in being Disappeared.

ht tps://en.wikipedia.org/wiki/Kilroy_was_here

ht tps://en.wikipedia.org/wiki/Gina_Haspel

ht tps://en.wikipedia.org/wiki/David_Miranda_(politician)
(url fractured to prevent autorun)

xcv December 28, 2020 12:54 AM

@ JonKnowsNothing

Without being a named person on this form, the US State Department will not talk to anyone, family or lawyer, about a person “missing” outside of the USA. The State Department can by choice, tell you but is not required to tell you without the form.

Travellers occasionally get into a bit of tough spot or a bind abroad, and it doesn’t always help for the U.S. State Department to start talking smack and gossiping and questioning past activities and present whereabouts with relatives and acquaintances of the targeted individual at home.

The important aspect of this, is that most people do not know to fill this out and often it is “trivialized” by officials as “not needed”. This is one reason rendition of US Citizens is so successful. If the target did not fill out the form, the US State Department is not required to tell anyone where the person is or why. It’s an important weapon in being Disappeared.

And sometimes “persons of interest” — a common law enforcement code-phrase for “Jews” or “persons involved in finance or banking” — do need to “disappear” from other persons who are too “interested” in them for all the wrong reasons.

Mishigas January 2, 2021 11:47 AM

It is interesting to read stories like the FP piece in juxtaposition with, for example, Bellingcat’s recent explanation of some of their investigative techniques for identifying a very professional, well-resourced team who they claim are responsible for the Navalny poisoning [1]. The whole series of articles make for interesting reading and highlights the point which a number of posters here have made before, that (operational) security is damn hard and that one mistake can have an outsized impact.

Between the FP article, Bellingcat, and e.g., Intrusion Truth, among others, it makes a curious mind wonder about the sorts of steps a country might take as it relates to databases which are likely to be hacked, both to secure cover for those currently working in clandestine capacities as well as to afford themselves identity-related opportunities in 5 and 10 years’ time.

[1] bellingcat. com/resources/2020/12/14/navalny-fsb-methodology
[2] intrusiontruth.wordpress .com – an anonymous group focused on revealing the real-world identities of alleged Chinese High Strength Attackers (as a previous commenter tended to call these sorts of folks).

Clive Robinson January 2, 2021 12:27 PM

@ Mishigas,

it makes a curious mind wonder about the sorts of steps a country might take as it relates to databases

Well you could thing about,

“incompetence-v-maliciousness”

I’m of the oppinion whrn it comes to security of,

Never ascribe to incompetence, when maliciousness is profitable

When it comes to Government databases of PII there are statistics around that say upto 80% of records have incorrect information in one or more fields ib many such national or wider databases…

Most of us can put two and two together, thus it would not be overly speculative to suggest that so many errors hiding in plainsight of the few, could be used by the few against the many quite profitably.

Thus the two questions of,

1, Are they taking advabtage?
2, How could you find out?

It is known that the UK Met Police used a known error in Government databases originally made very public in the book “Day of the Jackal” over half a century ago… And it came out in court over paternity responsibilities.

So there is atleast one case were the answers are,

1, Most definately.
2, By simple digging for cort acceptable evidence, which was found.

So “over to you” to have a cogitate on…

Mishigas January 16, 2021 4:44 PM

@Clive,

Ah! Took a while to re-find the article that was scratching my memory[1] – I know if I were in a position to do so, I’d at least consider — I don’t know what you would call it, but I suspect it would have a food-related name reminiscent of poisoning the well, mixing up a barium shake, etc. (it feels like the sort of thing @Wael would at least be able to come up with a good name for, if one doesn’t exist) — creating affordances for my interests in at least some of the databases within my territory. And also playing a bit of hob with the data outside my territory, particularly my adversaries’ data or in the databases I had high confidence that they were targeting. And even if I came to the conclusion I wasn’t going to do it, I’d certainly work from the presumption that other people were.

What I need to continue to cogitate around a bit more is how to make things like multiple databases that should be in mutual agreement, leaked over a period of years and possibly stored offline, play to the advantage of my organization/agency/country. I have some vague ideas that, as is often the case with effective techniques, are variations of or inspired by pre-computer techniques; but I should probably go consult Uncle Stan’s memoirs[2].

  1. CIA’s Secret Fear: High-Tech Border Checks Will Blow Spies’ Cover. wired[.]com/2012/04/cia-spies-biometric-tech
  2. Stanislaw Lem, Memoirs Found in a Bathtub. en.wikipedia[.]org/wiki/Memoirs_Found_in_a_Bathtub

Wael January 17, 2021 1:52 AM

@Mishigas,

[…] would at least be able to come up with a good name for

I have a mental block.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.