When Attorney General William Barr announced Monday that the U.S. had charged four Chinese military hackers in the giant Equifax hack of 2017, he also confirmed something that cybersecurity experts had long suspected: China was also behind the hack of information on some 500 million Marriott hotel guests in 2018.
Barr also mentioned the 2015 hack of the Office of Personnel Management, another major breach that included sensitive information from about 21.5 million Americans who had done work for the federal government.
In doing so, Barr publicly confirmed that China has been collecting troves of personal data on U.S. citizens for years.
Beginning around 2014, a host of American organizations that store personal identifying information were hacked, with either the government or major private cybersecurity firms naming China’s Ministry of State Security as the culprit each time. Personal identifying information, or PII, includes names, addresses, birthdays and Social Security numbers.
Cybersecurity experts point to two likely reasons for suspecting China. First, the country’s ability to process large amounts of data at scale makes megabreaches a tempting target. Second, the data can be used for more traditional espionage, such as identifying people who could become intelligence assets.
China is already the most advanced domestic surveillance state in the world, keeping detailed, real-time records of citizens’ location through facial recognition and keenly monitoring social credit scores by mining data and sifting through it with the aid of artificial intelligence.
“For a nation-state, if you’re trying to seed a large analytic engine, more data is always better,” said Michael Daniel, the White House cybersecurity coordinator under President Barack Obama.
“You want to be able to use big-data analytics, and use machine learning and those kinds of new analytic capabilities that have been emerging over the last decade or so. That only becomes viable if you in fact have large amounts of data,” said Daniel, who is president of the Cyber Threat Alliance, an industry trade group.
The U.S. regularly accuses China of stealing corporate trade secrets and giving them to state-affiliated companies for a leg-up in business, which goes against U.S. policy. It’s harder for the U.S. to make public accusations of hacking to gather intelligence on foreign targets since the U.S. doesn’t deny it does the same.
The 2015 breach of the Office of Personnel Management, which functions roughly as the human resources department of the U.S. government, was the most significant Chinese effort to steal American PII. In addition to the basic PII on the 21.5 million Americans who had worked for the government, China’s Ministry of State Security also acquired a trove of background checks on employees interviewed for sensitive work.
But cybersecurity researchers, who track advanced hacker groups by their tactics, infrastructure and targets, have long tied the hackers behind OPM to other megabreaches, like the hack of 80 million customers from Anthem insurance, reported in 2015.
The Marriott hack, which began as early as 2014 and went unnoticed until 2018, was widely believed to bear China’s fingerprints, but that wasn’t formally confirmed by a federal official before Barr’s comment on Monday.
Having a working database of Americans’ identifying information is also immediately useful for conventional espionage, said Priscilla Moriuchi, principal analyst at the cybersecurity firm Recorded Future and former East Asian cyberthreats expert at the National Security Agency.
With such a database, one could build “a profile of a person that you’re either attempting to recruit or have recruited, or a profile of someone who may be susceptible to recruitment,” Moriuchi said, or to verify intelligence gathered through other sources.
The Equifax charges — notably, against officers in the People’s Liberation Army, rather than the Ministry of State — focus mainly on computer intrusion to commit economic espionage, similar to how the Justice Department has charged China previously with trying to steal high-tech trade secrets; it’s unclear how China would leverage a credit reporting agency’s information.
“I think they’re stressing the economic espionage on the indictment side because that’s what you can indict for,” said Adam Segal, director of the Council on Foreign Relations’ digital and cyberspace policy.
“I think there is a gap between what the incident says and what Barr’s statement does,” Segal said. “It was clearly political messaging to the Chinese.”