As staff at the Melbourne office of Securecorp were preparing to hand over the company to its new Chinese owners in 2016, they noticed an unusual delegation enter the building.
A group of Chinese government officials had arrived over the weekend to inspect one of Australia’s largest security firms.
But rather than simply admiring the artwork and taking in a PowerPoint presentation, they detoured into the firm’s data centre, a highly secure room which conducts remote monitoring of dozens of landmark sites around Australia, and also holds sensitive information about clients, who have included senior officials and business leaders.
According to one Securecorp insider the government delegation was in the data room for at least half an hour, an unusually long time.
“I thought they were mining the data,” the insider said.
More than two years have passed since that incident and the Shanghai-based China Security Co. was allowed to complete its $158 million takeover of Securecorp with only the mildest of concerns raised in the Victorian upper house.
But the insider was still sufficiently worried about the incident to have recently contacted The Age and Herald to express his concerns about the visit and the likelihood that it was not benign. If data mining did occur, as the insider believes, it could have hoovered up much of the firm’s pre-takeover information, including data which may not have survived beyond the corporate transition.
There are also worries that Securecorp’s ultimate Chinese owner might exploit its ringside seat in Australia, which has included 96 CCTV cameras in Melbourne’s CBD and security operations at everything from Westfield shopping centres to Glencore mines and the Melbourne Cricket Ground. In addition there is Securecorp’s boast of being a “trusted partner in the Defence industry” and its $11.5 million contract with the Australian Electoral Commission which runs until September next year.
In a statement, Securecorp said it was not unusual for it to have visitors into its control room and they always required approval, while adding the “security of clients’ data and information is of the utmost importance”.
“Our information systems are protected to the highest standards using both IT and operational controls which are maintained and tested. This was the case before our sale, and remains the case today,” the company said.
The worry for the insider, however, was that like all companies which operate on the mainland, China Security Co. and its owners are beholden to the Communist Party for their survival and prosperity, in an environment where Beijing is continually seeking to use whatever leverage it can to expand and upgrade its intelligence gathering capabilities.
China’s Ministry of State Security
Recent indictments filed in US courts show the increasing sophistication of these operations and how they usually involve exploiting both human and technological openings.
China’s intelligence gathering in this area has largely fallen to the Ministry of State Security and, since 2010, foreign intelligence services have begun to recognise the agency as the leading edge in China’s campaign to rapidly upgrade its economy through the theft of intellectual property.
It was the MSS, for example, which led the smash-and-grab raid on Rio Tinto’s Shanghai office in 2010 according to state media reports, seizing laptops and hard drives, and at the same time arresting the company’s head of iron ore trading Stern Hu for corruption.
It then used the seized equipment to infiltrate Rio’s computer networks in Singapore and Perth to such a degree that the networks needed to be taken offline, the ABC’s 4 Corners program reported in 2010.
Like the Australian Secret Intelligence Service (ASIS) which is charged with aiding “national economic well-being”, the MSS has taken the lead in advancing China’s economic development.
But the difference, as argued by security officials, is that Australia and its allies focus on traditional intelligence gathering, while the MSS is charged with stealing commercial secrets to speed up China’s development.
The ‘dawn raid’
In more recent years this harvesting of intellectual property has been done under the guise of antitrust or regulatory investigations, according to a former Australian official who now advises companies operating in China. Known as the “dawn raid” phenomenon, it involves Chinese authorities using raids on foreign companies to then access their computer systems and harvest any available data.
“Some companies now have a policy of keeping no significant IP in China and ensuring their computers aren’t connected to servers which hold meaningful data,” said the former official.
Another senior national security official says other companies operate on the assumption that any data held in China will be compromised.
“These companies decide what is really important information and they work to secure that,” he said. Other company data is then treated as if it is or will be compromised.
Several large Australian mining companies now provide their executives with laptops and phones that they only use while in China.
These behaviours reflect the new normal in China. It’s an operating environment that also throws new light on previous investments in Australia by Chinese companies.
For instance, the 2016 acquisition of Securecorp was not subject to approval by the Foreign Investment Review Board as it was valued at less than $261 million. That threshold remains today, but since that time, awareness of IP theft and data hacking has exploded.
The head of FIRB, David Irvine, has said he will have a much greater focus on “data protection” in foreign acquisitions.
The MSS has overseen a surge in cyber attacks on Australian companies over the past year in breach of an agreement between Canberra and Beijing to not steal each other’s commercial secrets. In addition, internet traffic heading for Australia was diverted via the mainland over a six-day period last year, in what some experts believe was an attempt to steal data.
Australia has largely stayed silent on what one intelligence official called “a constant, significant effort to steal our intellectual property”, due to fears of sabotaging the $116 billion trade relationship with Beijing.
In contrast, the US, which is far less dependent on Chinese trade and has much more leverage over Beijing than Australia, has been far less restrained. A former director of the National Security Agency, Keith Alexander, has described the Chinese cyber campaign as the “greatest transfer of wealth in history”.
The current Assistant Attorney General for National Security, John Demers, said the theft of intellectual property was “part of an overall economic policy of developing China at American expense.”
“We cannot tolerate a nation stealing our firepower and the fruits of our brainpower. We will not tolerate a nation that reaps what it does not sow,” he said on October 10.
Insight into China’s tactics
Mr Demers’ words followed the US Justice Department charging MSS operatives and members of their team with attempting to steal sophisticated engine technology for use in civilian aircraft. While the indictment was a rare example of the US seeking to prosecute Chinese operatives for their behaviour, it also gave an insight into how the MSS operates.
Over three indictments, officers from the Federal Bureau of Investigation revealed some of the tradecraft used by the MSS. The indictments showed how the MSS pushed much of its operational responsibilities down to a provincial level, in a similar manner to how the Communist Party does with most government functions.
In this case it was the Province of Jiangsu, outside Shanghai, which was charged with stealing proprietary technology for a “turbofan engine used in commercial jetliners”. Geography was the main determinant.
Given the French-US joint venture had a factory in the province, it was the Jiangsu State Security Department (JSSD), a regional branch of the MSS, which was tasked with the job.
According to the indictment, the operation was carried out by two MSS agents, a division director and section chief. They in turn had six hackers at their disposal, who went by names like “Cobain”, “Leanov”, “Fangshou” (Defence) and “Le Ma” (Happy Mum).
But most worrying for any foreign enterprises operating in China was that the MSS relied heavily on local employees of the French and US company to install malware, used for cyber intrusions, and to provide information. These local staff were effectively recruited by the MSS and would have had little choice but to cooperate.
The indictments also reveal that while the MSS was careful in its communications outside China, it took few precautions on the mainland.
This was clearly a mistake and the US was able to access text messages, which now form part of the criminal case against the group.
People’s army involvement
Analysts believe the MSS has been active in this area for much of the last decade, but has been overshadowed by a cyber unit within the People’s Liberation Army. Known as Unit 61398, it was famously outed by security consultant Mandiant in 2014 as the primary group seeking to harvest commercial secrets from multinational companies.
But since Chinese President Xi Jinping restructured the military in 2015, the PLA is believed to have largely retreated from the gathering of commercial secrets.
“The PLA was noisy and kept getting caught,” said Peter Mattis, a former counterintelligence analyst at the CIA. “Its efforts to steal commercial secrets were also becoming a distraction from its main role in seeking military intelligence.”
That has cleared the field for the MSS, which has been linked by cyber security firm CrowdStrike to actors known as “advanced persistent threats”, or APTs. These people work over months or years, adapting to defences, and they often strike the same victim multiple times.
One of the most active Chinese state-sponsored adversaries has been dubbed “APT10” or “Stone Panda”. It is amongst 44 named actors out of China identified by CrowdStrike, compared to 31 from Russia and five from North Korea.
While there are hundreds more which are not named, as they have not been detected or are not sufficiently active, it shows the scale of Beijing’s state-sponsored hacking effort. When combined with evidence from the indictments, the picture is one of sophisticated technology combining with insiders to harvest some of the world’s most valuable intellectual property.
Worryingly for authorities, the indictments deal with tactics which are at least five years old. Since then, say officials, China’s willingness to adhere to anti-industrial espionage pacts has declined as its technological capability has improved.
By Nick McKenzie