When Attorney General William Barr announced Monday that the U.S. had charged four Chinese military hackers in the giant Equifax hack of 2017, he also confirmed something that cybersecurity experts had long suspected: China was also behind the hack of the information of 500 million Marriott hotel guests in 2018.
Barr also mentioned the hack of the Office of Personnel Management in 2015, another major breach that included sensitive information from about 21.5 million Americans who had done work for the federal government.
In doing so, Barr publicly confirmed that China has been collecting troves of personal data on U.S. citizens for years.
Beginning around 2014, a host of American organizations that store personal identifying information have been hacked, with either the government or major private cybersecurity firms identifying China’s Ministry of State Security as the culprit each time. Personal identifying information includes names, addresses, birthdays and Social Security numbers.
Cybersecurity experts point to two likely reasons to suspect China. First, the country’s ability to process large amounts of data at scale makes megabreaches tempting. Second, the stolen data can be used for more traditional espionage, such as identifying people who could become intelligence assets.
China is already the most advanced domestic surveillance state in the world, keeping detailed, real-time records of people’s locations through facial recognition and keenly monitoring social credit scores by mining data and sifting through it with the aid of artificial intelligence.
“For a nation-state, if you’re trying to seed a large analytic engine, more data is always better,” said Michael Daniel, the White House cybersecurity coordinator under President Barack Obama.
“You want to be able to use big-data analytics and use machine learning and those kinds of new analytic capabilities that have been emerging over the last decade or so. That only becomes viable if you, in fact, have large amounts of data,” said Daniel, who is president of the Cyber Threat Alliance, an industry trade group.
The U.S. regularly accuses China of stealing corporate trade secrets and giving them to state-affiliated companies for a leg up in business, which goes against U.S. policy. It’s harder for the U.S. to make public accusations of hacking to gather intelligence on foreign targets because the U.S. doesn’t deny that it does the same.
The 2015 breach of the Office of Personnel Management, which functions roughly as the U.S. government’s human resources department, was the most significant Chinese effort to steal Americans’ personal information. In addition to the basic information of the 21.5 million Americans who had worked for the government, China’s Ministry of State Security also acquired a trove of background checks on employees interviewed for sensitive work.
But cybersecurity researchers, who track advanced hacker groups by their tactics, infrastructure and targets, have long tied the hackers behind that breach to other megabreaches, like the hack of 80 million customers of Anthem insurance, reported in 2015.
The Marriott hack, which began as early as 2014 and went unnoticed until 2018, was widely believed to bear China’s fingerprints, but that hadn’t been formally confirmed by a federal official before Barr’s comment Monday.
Having a working database of Americans’ identifying information is also immediately useful for conventional espionage, said Priscilla Moriuchi, principal analyst at the cybersecurity firm Recorded Future.
With such a database, one could build “a profile of a person that you’re either attempting to recruit or have recruited or a profile of someone who may be susceptible to recruitment” or to verify intelligence gathered through other sources, said Moriuchi, a former East Asian cyberthreats expert at the National Security Agency.
The Equifax charges — notably, against officers in the People’s Liberation Army, rather than the Ministry of State Security — focus mainly on computer intrusion to commit economic espionage, similar to how the Justice Department has previously charged China with trying to steal high-tech trade secrets; it’s unclear how China would leverage information from a credit reporting agency.
“I think they’re stressing the economic espionage on the indictment side because that’s what you can indict for,” said Adam Segal, director of digital and cyberspace policy for the Council on Foreign Relations.
“I think there is a gap between what the incident says and what Barr’s statement does,” Segal said. “It was clearly political messaging to the Chinese.”