China collects personal information on Americans and other foreigners. This creates a kind of address book with millions of entries, says an expert. This helps the secret services in their work.
When a Western citizen applies for a visa to China, the security services can consult the data collected about him: the Chinese consulate in Auckland, New Zealand.
Jason Oxenham / AP
The cyber attack caused great concern in Great Britain: Hackers were able to steal the personal information of all voters from the British Electoral Commission’s servers. As an independent body, the electoral commission monitors the elections and controls party financing. The attack was aimed at the heart of British democracy.
What is even more disturbing is that it is not criminals who are behind the attack, but a state. At the end of March, the British government attributed the cyber attack to a group linked to the Chinese state. There are now fears that the Chinese regime could try to influence elections in Great Britain. Beijing has increased its activities to influence politics abroad in recent years.
But China’s data theft is probably not about influencing elections, but rather espionage. Tom Uren is convinced of this. He knows the world of secret services well. Uren himself worked for an Australian intelligence service for 15 years and now publishes on technology topics and cybersecurity, including for the think tank Australian Strategic Policy Institute (Aspi).
China collects personal data to use it for espionage and counterintelligence, says Uren. The cyber attack on the British Electoral Commission should be seen in a larger context. “The main thing is to combine the information with other data sets,” says Uren. Since the attackers captured the names and addresses of all Britons who registered to vote between 2014 and 2022, they now have a kind of address book for Great Britain.
China is behind several major data thefts
Hackers from China, suspected of being state-sponsored, have repeatedly stolen large data sets, often in the USA, containing personal information about millions of people. Some of these actions are among the largest data thefts ever.
In 2015, Chinese attackers obtained personal data from 78.8 million people from the American health insurer Anthem. In addition to the address, telephone number and date of birth, this also included the social security number as well as information about the employer and income.
In 2017, Chinese attackers stole the data of approximately 145 million Americans from the financial services provider Equifax. Equifax offers business information and therefore stores a large amount of consumer data that is used, for example, to assess a person’s creditworthiness.
In 2018, the Marriott hotel chain leaked information about up to 500 million guests from a reservation system. This attack is also believed to have been carried out by China. The hackers also stole some of the guests’ passport numbers and their hotel booking history since 2014.
The most high-profile attack took place in 2015, when state-sponsored Chinese attackers had access to data from the United States Office of Personnel Management (OPM) for months. In total, China is said to have obtained information from 22.1 million people, including several million fingerprints of employees.
Application forms from employees and suppliers for security clearances were particularly affected. These contain particularly sensitive information such as information about family members, previous employers, any financial problems, psychiatric treatment or drug abuse.
Data can be used to create shadow resumes
Such data sets only develop their true benefit when they are combined with each other. “The data covers various aspects of a person’s life: travel, finances, health or security clearances,” says Uren. A kind of shadow CV is created, which can be useful to China – especially for espionage or counterintelligence.
In order to identify enemy spies, personal data can be searched for certain abnormalities. This could be a previous employer or certain travel habits, for example frequent hotel bookings near American embassies. Marriott’s data is particularly interesting in this regard, as the hotel chain is, according to the New York Times, the most important hotel provider for American government employees and military personnel.
Uren explains how the data could be used specifically: “If an American shows up at the embassy to apply for a visa, the Chinese authorities can see what information they have about that person.” Beijing could also use the data to analyze which Americans in China have abnormalities. In this way, says Uren, a group of suspicious people can be identified, which the authorities can then monitor more closely.
If the information is already a few years old, that is not a problem. China would certainly like an updated version of the data from the American personnel office OPM, says Uren. But the stolen information is still useful many years after the hack: “The database is useful until everyone in it is retired or dead.”
The weaknesses of potential spies can be identified
Personal information is also useful for recruiting spies. The Linkedin profile is often enough for the first step. This allows you to find interesting people who work at the espionage target – for example at the Ministry of Defense or at a pharmaceutical company.
In a second step, private information can help to select a suitable target person. If someone lives apart, the person is likely to be more receptive to romantic advances. If you have financial problems, you may be able to use money to encourage spying. Sensitive details from the past can be used to put the recruited person under pressure later.
Ultimately, details from the target person’s life are also useful when establishing contact. If an agent approaches the selected person seemingly by chance in the park, the additional knowledge is a good starting point for the conversation. Uren gives an example: “If the agent casually mentions that she once had cancer, like the target person, that can quickly create a connection.”
This is not the only possible use of the stolen data. They can also be used by attackers to make personalized emails with fraudulent content, so-called spear phishing emails, more convincing. The aim is to trick the target into installing malware or entering a password on a fake site – as a starting point for a new cyber attack. Private information can also be used to intimidate or threaten dissidents, Chinese exiles or politicians critical of China.
Western intelligence services also collect data
The intelligence craft also works without hacker attacks to steal data. But the additional information is useful, says Uren. “The data can make the work of the intelligence services more efficient and effective.” This also applies to secret services in other countries.
For Uren, it is no coincidence that China in particular is caught with data theft. “China has a long tradition of surveillance and also collects information about its own population,” he says. It is only logical if the same procedure is also applied to foreigners. In Russia, on the other hand, the secret services are not focused on large-scale surveillance.
And what about Western intelligence services? “Collecting data makes sense for everyone,” says Uren. However, the services in the West are more closely bound to legal requirements. Uren doesn’t go into detail, although as a former employee he knows the practices of Western secret services. Australia, along with the USA, Great Britain, Canada and New Zealand, is part of the “Five Eyes” intelligence alliance.
It is well known that the USA and its partners collect large amounts of data, for example by monitoring internet traffic. It cannot be ruled out that cyberattacks will also be used to obtain larger data sets. This practice is known from the Netherlands, for example.
It is also possible to purchase private information. In 2021 it became public that an American intelligence service had purchased movement data from a commercial provider. These came from smartphone apps and were resold. Such information is also useful in the area of espionage – without the need for a hacker attack.