A Chinese cyber security firm is covertly working with Beijing’s Ministry of State Security intelligence service in conducting cyber espionage operations, according to Pentagon intelligence officials.
The company known as Boyusec, officially the Bo Yu Guangzhou Information Technology Co., is also working with China’s global telecommunications company Huawei Technologies, which has been identified by U.S. intelligence agencies as linked to the Chinese military.
According to an internal report by the Pentagon’s Joint Staff J-2 intelligence directorate, Boyusec and Huawei are working together to produce security products that will be loaded into Chinese-manufactured computer and telephone equipment. The doctored products will allow Chinese intelligence to capture data and control computer and telecommunications equipment, said Pentagon officials familiar with the report.
“It’s closely connected to the [Ministry of State Security] and Huawei and they are developing a start-up program that will use malware allowing for capturing and controlling devices,” said one official of Boyusec.
No other details of Boyusec’s activities could be learned.
The employment of a cyber security firm as cover for intelligence gathering has been used in the past by Russian intelligence. China appears to be following the same pattern, analysts say.
The Defense Intelligence Agency reported last spring that Russia’s Kaspersky Labs was marketing security software for industrial control networks that the agency warned could create cyber vulnerabilities.
Government cyber actors from both China and Russia have been detected mapping American critical infrastructure networks, including the U.S. electrical grid.
Boysec’s website reveals that the company is based in Guangzhou, China, and is a “cooperative partner” with Huawei, along with the Guangdong Provincial Information Security Assessment Center, a government bureau that conducts security assessments of software.
Guangzhou is a Chinese city located inland from Hong Kong in Guangdong province.
Boyusec did not respond to emails seeking comment.
A Joint Staff spokesman had no immediate comment.
Disclosure of Chinese security firm’s links to the Ministry of State Security followed a report in the New York Times earlier this month that China had pre-installed software on some Android phones that covertly provided a backdoor to supply data from the devices to China every three days.
Security researchers at Kryptowire discovered that the secret reporting software was produced by a company called the Shanghai Adups Technology Co. and was found on more than 700 million phones, cars, and other smart devices.
The software is used on phones made by Huawei and another major Chinese telecommunications firm, ZTE.
Huawei was identified in a 2009 Pentagon report on China’s military as one of several Chinese information technology companies that maintains “close ties to the [People’s Liberation Army] and collaborates on R&D.”
A report by the CIA-based Open Source Center in 2011 revealed that Huawei’s chairwoman, Sun Yafang, worked at the Ministry of State Security’s communications department before joining the company.
The report stated that Sun used her ties to the intelligence service to help Huawei fight off unspecified financial difficulties after the company was founded in 1987.
National Security Agency documents made public by former contractor Edward Snowden revealed that the agency had penetrated Huawei’s communications networks and was spying on foreign countries’ communications through Huawei equipment in Iran, Afghanistan, Pakistan, Kenya, and Cuba.
The NSA also expressed concerns in one document that Huawei equipment could be used by China for cyber attacks.
“There is also concern that Huawei’s widespread infrastructure will provide the PRC with SIGINT capabilities and enable them to perform denial of service type attacks,” stated an NSA briefing slide labeled “Top Secret.”
The NSA revealed that the Huawei cyber threat also was outlined in a National Intelligence Estimate, a major report approved by the 16 U.S. intelligence agencies.
The document was titled “The Global Cyber Threat to the U.S. Information Infrastructure” and warned: “We assess with high confidence that the increasing role of international companies and foreign individuals in U.S. information technology supply chains and services will increase the potential for persistent, stealthy subversions.”
Huawei spokesman William Plummer confirmed that Huawei has a relationship with Boyusec but said the ties are limited to Boyusec security evaluations of Huawei’s internal corporate intranet.
“No solution or service from Bo Yu Guangzhou Information Technology Co. has ever been incorporated into any Huawei product or service offered to any Huawei customer,” Plummer said.
John Tkacik, a former State Department official, said the company appears from its website to pose a security risk.
“If I were at the Pentagon or Cybercom, I would keep my eyes on Boyusec, and only blow the whistle on them if they were actively marketing services to U.S. companies,” Tkacik said.
“If the United States had a functional offensive cyber capability, and if I caught them in flagrante, I’d quietly blow up their servers with a ransomware attack and let them figure out what happened.”
Tkacik said a Chinese cyber security company working with a Chinese intelligence service is a “dog-bites-man story.”
“I want to hear U.S. cyber warriors strike back, a man-bites-dog story, although if man ever bites dog maybe it’s best not to let the cyber-PETA hand wringers get wind of it in the press,” he said.
A congressional China commission annual report made public this month stated that the Ministry of State Security is the main civilian spy service under the State Council, the chief administrative authority of the Chinese government and the ruling Communist Party’s Politburo Standing Committee, the seven-member collective dictatorship that runs China.
“The [Ministry] conducts a variety of intelligence collection operations, such as human intelligence (HUMINT) and cyber operations,” the report says.
Regarding cyber espionage, “China has a large, professionalized cyber espionage community,” stated the report of the U.S.-China Economic and Security Review Commission.
“Chinese intelligence services have demonstrated broad capabilities to infiltrate a range of U.S. national security (as well as commercial) actors with cyber operations,” the report said.
The Ministry of State Security, according to the commission, was behind the hacking of the Office of Personnel Management, the government’s personnel records repository, and the theft of some 22 million records on federal workers, which included sensitive background investigation data.
According to the report, China is using cyber attacks to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs.
The cyber thefts may benefit China’s defense industry and high-technology sector as well as provide the Communist Party of China with insights into U.S. leadership perspectives on key China issues.
“Additionally, targeted information could inform Chinese military planners’ work to build a picture of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis,” the report says.
In addition to both civilian and military cyber espionage units, other unofficial Chinese hackers have conducted cyber espionage operations targeting the United States.
These include Chinese nationalist hackers and criminal cyber spies.
“Some observers suggest China is shifting cyber espionage missions away from unofficial actors to centralize and professionalize these operations within its intelligence services,” the report said.
Boyusec states on its website that it provides information security services, consulting, and security evaluations.
Its testing services include static application security testing and dynamic network security testing, including simulate cyber attacks.
Last year, Boyusec joined with the Guangdong information security office to create a joint laboratory for testing software and developing cyber defenses.