The year 2020 was steeped in espionage cases coming to light. As expected, China and Russia comprised the top five cases in which a nation state targeted the United States using espionage to acquire information and technological know-how. These cases are:
Throughout 2020 it came to light that China, through its Thousand Talents Program, had successfully penetrated a plethora of U.S. academic and research entities. The program identified individuals who were conducting research of interest to China. An approach was then made that allowed for assessment and subsequent covert collaboration on the research, much of it conducted on the U.S. government’s dime, with a Chinese entity. The recruited individual was paid twice for the same research: once through a grant provided by the U.S. government via agencies such as NIH, NASA, NSA and DoD, and again within the envelope of the Chinese commercial agreement.
In July 2020 it became known that two Chinese nationals, Li Xiaoyu and Dong Jiazhi, operating on behalf of the MSS, had successfully penetrated the U.S. Department of Energy; specifically, they compromised the Hanford Site in Washington State between 2015 and 2018. According to the FBI, the duo conducted 11 years of economic espionage, intellectual property theft, extortion and computer fraud. The two are not MSS or PLA employees but contractors, which gave China a layer of plausible deniability as they attacked their targets’ cyber infrastructure. Their success was not limited to the United States: according to the indictment, they also penetrated entities in 10 other countries and stole terabytes of data worth millions of dollars, to the benefit of China.
Jun Wei Yeo, also known as Dickson Yeo, was a Singaporean citizen who lived and operated within commercial spaces in Singapore and Washington, DC to spot, assess and recruit assets on behalf of China’s Ministry of State Security and the People’s Liberation Army. In 2018 Yeo was instructed by his handlers to create a fake company and use job boards to find potential “consulting” candidates by posting fake jobs. He did just that, using a number of online services, including LinkedIn. It was on LinkedIn that Yeo was most successful, receiving over 400 resumes from individuals interested in the ostensible consulting work. In a sobering measure of his success, Yeo claimed that over 90% of those resumes came from U.S. citizens holding current national security clearances. Yeo noted how the LinkedIn AI would serve up candidates to him every day based on his “criteria”; “it was like he was addicted to LinkedIn.” Three of his identified successes were an individual working on the F-35B military aircraft, a U.S. Army officer assigned to the Pentagon, and a State Department employee.
Alexander Yuk Ching Ma worked as a CIA staff officer from 1982 to 1990. Recruited by China in 2001, he provided China’s Ministry of State Security with a plethora of historical information concerning the CIA, including his own work experiences and activities, cover used by CIA officers abroad, descriptions of cryptographic equipment and CIA communications, the structure and organization of the CIA, the operational tradecraft the CIA used, and more. The MSS then directed him to get a job with the FBI. He was turned down as a special agent because he exceeded the age limit, so he sought and obtained a contract linguist position in Honolulu, where from 2004 to 2010 he did Chinese-language translation work on the FBI Honolulu division’s counterintelligence cases. The criminal complaint notes that he was a prolific source for the MSS. His methodology involved photographing or screen-capturing translated documents: he used a digital camera, burned CD-ROM discs, photocopied documents, or captured images with his smartphone. He even inserted a digital storage device into the FBI network and copied documents from within the FBI Honolulu secure work area. Ma was discovered when a videotape of his 2001 recruitment meeting made its way to the U.S. This allowed the FBI to make a false-flag approach to Ma in January 2019 in which he implicated himself; the FBI employee posing as an MSS officer showed the videotape of Ma’s recruitment as bona fides.
Peter Debbins, a former U.S. Army Special Forces officer, pleaded guilty to years of espionage, from December 1996 to January 2011, on behalf of the Russian Federation, handled by Russian military intelligence, the GRU. Readers will remember that he was spotted and assessed during a study-abroad program when he traveled to Chelyabinsk, Russia. He returned after graduating from university to marry his Russian girlfriend and was formally recruited as a clandestine asset at that time. His GRU handlers issued him a rudimentary covert communication plan. His operational instructions were to join the U.S. military and do a fine job, and he did. He traveled to Russia now and again to visit his wife’s family in Chelyabinsk, and on those trips he met with his GRU handlers and provided them information about his deployments and personnel. When he left the military in late 2010, the narrative upon which he was indicted and pleaded guilty ends as well. What remains a mystery to the lay person is the extent of the covert relationship after 2011, when Debbins began a civilian career that garnered him classified access within the intelligence and defense communities, including NSA, DIA, the U.S. military and NATO, from 2011 to 2019. It was in 2019, during a periodic review for his national security clearance, that he told the investigator he had had a covert relationship with the GRU.
The SolarWinds Orion software compromise is of sufficient magnitude that CISA issued an Emergency Directive telling all government users to disconnect the affected Orion installations and report back with a status report within 24 hours. SolarWinds’ filing with the SEC suggests that its Microsoft Office 365 email infrastructure was compromised, which gave the adversary a path into SolarWinds’ ecosystem. From there, the Orion software updates themselves were compromised with malicious code, and when customers installed the update, the adversary gained a foothold in their networks. While we still don’t have all the details, and won’t for some time, it is apparent that the Russian government’s intelligence apparatus identified a vulnerability at SolarWinds, analyzed it and then exploited it: intelligence agencies doing what they do best, collecting information on an adversary country. The SolarWinds Orion compromise may very well be the most damaging of all the 2020 espionage cases; CISA has characterized it as posing a grave risk to the United States.
The takeaway for every Facility Security Officer, and for those responsible for their entity’s insider threat and counterespionage/counterintelligence program, is that the adversary never takes their foot off the operational accelerator of their espionage activities.
These cases highlight the operational use of fake consulting contracts designed to acquire privileged information, the use of illegal collaboration agreements to acquire U.S. government-funded research, and the fact that historical knowledge continues to have value. Perhaps the most important takeaway is that both China and Russia are engaged for the long haul. They use seeding techniques to place personnel into the U.S. intelligence and defense sectors and watch their access grow, and they seek out and identify vulnerabilities within infrastructure that will provide discreet and ongoing access.