China’s main internal security and police university is training hackers for cyber attacks, according to new information obtained by the U.S. government.
The People’s Public Security University in Beijing, a part of the Ministry of Public Security that trains all of China’s police and internal security troops, has several units engaged in training and operations for cyber attacks.
One section of the school was identified last month as a key training center for police network attack operations: The Network Attack and Defense Laboratory. The lab uses Chinese software that was identified last year by officials as designed for training cyber warfare operators and spies.
Disclosure of the police training unit for Chinese hackers follows several U.S. reports made public last year that identified China’s primary military hacking force as Unit 61398, located near Shanghai.
Another Chinese school, Wuhan University, also has been linked by U.S. intelligence agencies to cyber attacks against the West.
Chinese cyber attacks against the United States have been carried out on a large scale since the early 2000s. The attacks have been detected against both government and private sector networks and have involved the loss of defense and commercial secrets as well as the potential for future sabotage in a crisis or conflict.
The People’s Public Security University’s Network Security Defense College was identified recently as a major training center for police who conduct computer attacks and spying operations.
Within the college, an “Experiment Center” was created with 15 laboratories, one of which is the “Network Attack and Defense Laboratory,” the unit that trains cyber warfare technicians.
That lab uses a training tool developed by the Beijing Simpleware Technology company that includes special computers and three types of software: the “Information Security Experiment Education System” (SimpleISES), the “Network Attack and Defense Exercise Platform” (SimpleSCR), and the “Network Attack and Defense Experiment Education System” (SimpleNAD).
Photos of the network attack laboratory were posted on the software manufacturer’s website last year.
In China, the Internet is tightly controlled and the internal security police are known to arrest and imprison people who criticize the ruling Communist Party, its leaders, policies, and activities.
Shortly after current leader Xi Jinping took power in 2012, China’s government invoked a new decree tightening censorship over the Internet. The rules required Chinese citizens to use their real names online and also called on network providers to remove and document “illegal” information and report the acts to authorities.
The police university is also training hackers at a Network Penetration Test Laboratory that conducts programs on both attacking and defending networks. The lab also conducts penetration testing, a key tool used to train hackers to break into foreign networks and to defend against foreign network intrusions.
China’s government routinely denies its engagement in any cyber attacks and has asserted that it is a major victim of foreign cyber attacks.
A former Chinese security official said the university is one of the top training institutes for police and part of the Ministry of Public Security (MPS) that conducts some activities overseas but mainly focuses on controlling domestic dissident groups or groups in China suspected of having foreign ties.
"If the university trains hackers, it is most probably for this purpose," the former official said. "I am sure MPS uses hackers inside China for political duties and criminal investigation."
Additionally, the MPS has computer networks and systems linked to Internet service providers in China that are used by the police for large-scale surveillance of the Chinese people, the former official said.
Also, the MPS uses hacker technology in some specific cases and has the capability of conducting overseas cyber operations, the former official said.
The former official said the MPS is more public and more powerful within China than the secretive Ministry of State Security, the main overseas spying agency.
Based on its domestic clout within the communist system, the MPS has more authority to "task and manage hacker activities both inside China and overseas," the former official said.
However, "hacker training and operations by the [People's Liberation Army] and [Ministry of State Security] are more significant for overseas activities," the former official said.
Richard Fisher, an expert on China’s security affairs, said the university, which is also associated with the People’s Armed Police that is known for its brutal military crackdowns on dissidents, has been involved in China's computer network warfare preparations since shortly after the creation of the Internet.
“This university was preparing for ‘network security’ in 1978, likely when other Chinese intelligence and military services assessed the direction and potential for computer network communication and were preparing to exploit it,” Fisher, a senior fellow at the International Assessment and Strategy Center, said in an email.
“This is the computer network attack training institute of the People's Armed Police, which began its work about a decade before the Internet took off in the late 1980s,” he said. “It is very likely that all other Chinese military and intelligence services have similar institutes.”
Fisher said that in 1998, during a visit to China, then-President Bill Clinton urged China to harness the information age by embracing freedom. “Today China is a world leader in harnessing the Internet to surveil and suppress its own people and to wage war against the rest of the world,” Fisher said.
Michelle Van Cleave, former National Counterintelligence Executive, said China's extensive intelligence apparatus is engaged in highly coordinated spying operations against U.S. information and computer systems.
"All U.S. national weapons laboratories, Pentagon computers and communications systems, and other sensitive government networks have been targeted by China-based cyber intruders," Van Cleave said in an email.
"And Beijing has a national policy of using cyber espionage to acquire industrial and proprietary secrets."
Although some have said the Chinese government's role in cyber attacks is difficult to confirm, "I don’t see how global cyber espionage could be orchestrated from within China without government involvement, if not direct control," she said.
A report by the private cyber security firm Mandiant in February identified China’s main military cyber espionage group near Shanghai as Unit 61398, part of the People’s Liberation Army’s 2nd Bureau of the General Staff Department’s 3rd Department (3PLA).
“The nature of Unit 61398’s work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations,” the Mandiant report said.
China’s Defense Ministry did not deny the findings of the Mandiant report, unlike other Chinese government spokesmen.
A ministry spokesman told state-run Xinhua news agency in February 2013 that the report lacked a legal basis to “assert cyber espionage” because it was based on the collection of some routine cyber activities.
Another Chinese cyber warfare unit was identified last year by the Project 2049 Institute, a Virginia-based think tank. The institute disclosed in a report that China uses the Beijing North Computing Center, also part of the 3PLA, as a cyber warfare group.
U.S. officials last spring identified China’s Wuhan University as involved in supporting Chinese military cyber attacks against the West.
That university, located in central China’s Hubei Province, set up the “Key Laboratory of Aerospace Information Security and Trusted Computing,” part of its computer science school.
Wuhan’s computer science school has produced more than 760 security officials who now work in either the government, military, or state-run corporations.
The Wuhan computer school is funded by several Chinese military organizations, including the 3PLA.
Wuhan also has an “Information Network Attack and Defense Research Center.”
The key lab, like the Public Security University lab, also uses SimpleISES software.
U.S. officials said the system allows up to 20 students at a time to practice cyber attacks on networks. SimpleISES was developed by Beijing Simpleware Technology Co., Ltd. and is used at more than 30 universities throughout China.
Analysts say SimpleISES is a key element behind China’s large-scale military-related cyber attacks abroad.
The China Information Technology Security Center (CNITSEC) was identified in a leaked 2009 State Department cable as a key player in certifying Chinese information security products.
A CNITSEC subgroup, TOPSEC Network Security Technology Company, Ltd., was involved in training a military officer from China’s Communications Department's 3rd Communication Regiment, known as Unit 61416.
“Additionally, CNITSEC enterprises has recruited Chinese hackers in support of nationally-funded ‘network attack scientific research projects,’” the cable said, adding that the use of private hackers “illustrates the PRC's use of its ‘private sector’ in support of governmental information warfare objectives, especially in its ability to gather, process, and exploit information.”