The Chinese army has been funding thousands of "cybermilitia" groups at Chinese tech companies and universities.

Story highlights

Since 2005 Nanhao has been home to a cybermilitia unit of the People's Liberation Army

Company vice president: "All staff under the age of 30 belong to the unit"

Nanhao operation is one of thousands set up by the Chinese military in past decade

Security experts around the world have blamed China for many global hacking attacks

Financial Times  — 

Nanhao Group is, in many ways, an ordinary technology company. Its staff make online scoring systems, exam-mark scanners and other educational hardware and software.

But many of its 500 employees in Hengshui, just south-west of Beijing, have a second job. Since 2005 Nanhao has been home to a cybermilitia unit organised by the People’s Liberation Army.

“All staff under the age of 30 belong to the unit,” said Bai Guoliang, Nanhao vice-president. It is unclear what exactly the unit does, but according to a local government announcement when it was set up, it consisted of two groups tasked with cyberattack and cyberdefence.

The Nanhao operation is one of thousands set up by the Chinese military over the past decade in technology companies and universities around the country. These units form the backbone of the country’s internet warfare forces, increasingly seen as a serious threat at a time of escalating global cybertensions.

Governments, companies and internet security experts around the world have blamed China for many of the past year’s global hacking attacks. US officials point to the Chinese government or its supporters for the theft of neutron bomb designs, the defence secretary’s emails and private sector intellectual property worth many billions of dollars.

Western cybersecurity analysts look to matching patterns between malware which played a role in intrusions and codes discussed on Chinese hacker forums as evidence of Chinese involvement. US investigators say attacks on Google and other American companies originated from computers at Lanxiang, a vocational school in the Chinese province of Shandong, and Jiaotong University in Shanghai.

Attacks on companies have “a level of sophistication and are clearly supported by a level of resources that can only be a nation state entity,” said Mike Rogers, chairman of the House permanent select committee on intelligence, last week.

Mr Rogers describes these corporate attacks as “a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property”. Several US state department cables obtained by WikiLeaks and marked as secret elaborate on these theories.

Even if attacks clearly originate in China, it is much harder to prove that they were sponsored by the Chinese government or military. Beijing insists the state does not sponsor hacking and its cyberwarfare strategy is purely defensive.

“China is a victim of cyberattack,” Senior Colonel Geng Yansheng, spokesman of the ministry of national defence, said in May when announcing the PLA had set up a “cyber blue team” to “better safeguard the internet security of the armed forces”.

But the PLA’s actions over the past decade deliver a different message. As early as 1999, senior PLA officers argued that China should use electronic techniques to attack adversaries. Since 2002, the PLA has been searching for external talent to put that strategy into practice.

“The PLA is reaching out across a wide swath of the Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning information warfare capabilities,” said a 2009 report by Northrop Grumman, the US defence contractor, on China’s cyberwarfare capabilities.

A co-ordinated cyberattack on the US electrical grid is high up the list of concerns for defence and intelligence officials

The most concrete result of this search for talent was the creation of specialised units – such as the one in Nanhao – in China’s 8m-strong militia, which is part of the PLA’s reserve force.

“[These militia] should preferably be set up in the telecom sector, in the electronics and internet industries and in institutions of scientific research,” said a paper by three officers from the Jiangsu provincial PLA command’s mobilisation department.

The paper was published in National Defense, the magazine of the Academy of Military Sciences (AMS). The cybermilitia’s tasks include “stealing, changing and erasing data” on enemy networks and their intrusion with the goal of “deception, jamming, disruption, throttling and paralysis”, the paper said.

Nanhao’s Mr Bai confirmed that its cybermilitia unit was led by the local PLA command and has “regular exchanges” with it, training PLA officers. Asked whether the group would carry out cyberattacks, he said: “That has nothing to do with you.”

This push to create cybermilitias could mean that even some of China’s largest and best-known technology companies could become part of the information warfare complex. An employee of China Telecom in the coastal province of Jiangsu said the state-owned carrier’s local affiliate had a cybermilitia unit and he believed similar groups had been set up in other provinces.

The PLA’s efforts to tap and foster civilian cyberwarfare talent also reach beyond the corporate sector.

The military sponsors hacking competitions in universities and information warfare research in academia. Tang Zuoqi, a lecturer at the College of Computer Science and Information at Guizhou University, secured his job after winning prizes in a 2005 internet warfare competition held by the Chengdu military command, according to his biography on the university’s website.

China already has a thriving hacking scene. Tightly knit groups of young hackers, mostly men, discuss code on online bulletin boards or even meet in offline classes, sometimes advertised on streets.

“Hacking for criminal purposes in China is growing, it is getting more professional and more organised,” says Liu Deliang, a professor at Beijing Normal University and one of China’s leading experts on cybercrime.

Although the Northrop Grumman report said it was difficult to establish firm links between the PLA and this criminal community, the military is trying to forge those links. The AMS paper says: “[We must] recruit experts who research internet technology, especially those who are good at ‘hacking’ attacks and virus technology.”

Additional reporting by Joseph Menn in San Francisco