{"id":1938,"date":"2018-11-02T17:40:25","date_gmt":"2018-11-02T17:40:25","guid":{"rendered":"http:\/\/www.blackopspartners.com\/?p=1938"},"modified":"2018-11-02T17:40:25","modified_gmt":"2018-11-02T17:40:25","slug":"chinas-5-steps-for-recruiting-spies","status":"publish","type":"post","link":"https:\/\/blackopspartners.com\/chinas-5-steps-for-recruiting-spies\/","title":{"rendered":"China’s 5 Steps for Recruiting Spies"},"content":{"rendered":"

Originally published at Wired<\/a>.<\/em><\/span><\/p>\n

Beware of Chinese\u00a0<\/span>spies offering laptops, women, or educational stipends\u2014and especially watch out for odd LinkedIn requests.<\/p>\n

On Tuesday, the Justice Department unsealed new charges<\/a>against 10 Chinese intelligence officers and hackers who it says perpetrated a years-long scheme to steal trade secrets from aerospace companies. The case continues an impressive tempo from the Justice Department, as it continues to try curb China’s massive, wide-ranging, and long-running espionage campaign. In fact, it’s the third time since September alone that the US government has charged Chinese intelligence officers and spies, including one of its biggest coups in years: The extradition earlier this month of an alleged Chinese intelligence officer, caught in Europe, who will face a US courtroom.<\/p>\n

That arrest marks the first time<\/a> the US has prosecuted an officer of China’s Ministry of State Security. The feds believe that the suspect, Yanjun Xu, spent years cultivating a person he thought was a potential asset inside GE Aviation, which makes closely held jet engine technology.<\/p>\n

While historic, the GE Aviation case hardly stands as an outlier. Chinese espionage against the US has emerged over the past two decades as perhaps the most widespread, damaging, and pernicious<\/a> national security threat facing the country\u2014compromising trade secrets, American jobs, and human lives.<\/p>\n

\n
\n
Even as popular culture and public attention has focused in the past decade on a few high-profile cases against Russian intelligence operations<\/a>, China\u2019s spying efforts have yielded a more steady stream of incidents. Over the last 15 years, dozens of people\u2014including Americans, Chinese nationals, and Europeans\u2014have been arrested, charged, or convicted of economic or military espionage for China. In just the 28-month period that a notorious Russian spy ring unraveled<\/a>around 2010, US officials charged and prosecuted more than 40 Chinese espionage cases<\/a>, according to a Justice Department compilation.<\/div>\n<\/div>\n<\/div>\n
\n
\n
<\/div>\n<\/div>\n<\/div>\n

The majority of Chinese espionage cases over the years have involved ethnic Chinese, including Chinese students who came to the US for college or advanced degrees, got hired at tech companies, and then absconded back to China with stolen trade secrets. Historically, very few Chinese spying cases have featured the targeting or recruitment of Westerners. But this year has seen a rash of cases of Americans allegedly recruited to spy on China\u2019s behalf, encouraged to turn over sensitive military, intelligence, or economic information\u2014at least one of which started with a simple LinkedIn message.<\/p>\n

Sifting through more than a dozen of the major cases that have targeted Westerners, though, provides an illuminating window into how China recruits its spies. The recruitment follows a well-known five-step espionage road map: Spotting, assessing, developing, recruiting, and, finally, what professionals call \u201chandling.\u201d<\/p>\n

\n
\n
<\/div>\n<\/div>\n<\/div>\n

Stage 1: Spotting<\/h3>\n

The first step in any espionage recruitment is simply knowing the right people to target. That job often falls to what intelligence professionals call a \u201cspotter,\u201d a person who identifies potential targets, then hands them off to another intelligence officer for further assessment. These spotters, sometimes friendly officials at think tanks, universities, or corporations, are often separate from the intelligence officers who ultimately approach potential spies, allowing a level or two of remove. They sometimes have such \u201cdeep cover\u201d that they are considered too valuable to make a recruitment approach directly, leaving that work to a cut-out who could more easily disappear if the recruitment pitch is rejected.<\/p>\n

In that vein, last week\u2019s Yanjun Xu indictment ties in to another little-noticed September arrest<\/a>, where the FBI charged a 27-year-old Chinese citizen and Chicago resident with acting as an unregistered foreign agent for China\u2014the federal criminal charge that prosecutors often use as code for spying. That man, Ji Chaoqun, had arrived in the United States in 2013 to study electrical engineering at the Illinois Institute of Technology, and had subsequently enlisted in the Army Reserves.<\/p>\n

\n

This year has already seen a rash of cases of Americans allegedly recruited to spy on China\u2019s behalf.<\/p><\/blockquote>\n<\/div>\n

Yet according to the government\u2019s criminal complaint, Ji Chaoqun had less pure motives at heart than service: He had allegedly been recruited at a Chinese job fair while in college to join a \u201cconfidential unit\u201d and work as a \u201cspotter\u201d for Yanjun Xu, helping the MSS officer identify potential recruits and providing background reports on at least eight potential spies. In a 2015 email, Ji Chaoqun wrote that he was enclosing \u201ceight sets of the midterm test questions for the last three years,\u201d according to court documents. He attached eight PDFs of background reports downloaded from sites like Intelius, Instant Checkmate, and Spokeo, which compile public records on individuals for purchase online. (The sites limit purchases to US-based consumers, so they were inaccessible to Yanjun Xu himself.)<\/p>\n

\n
\n
<\/div>\n<\/div>\n<\/div>\n

All eight of the targeted individuals were ethnic Chinese who worked in science or technology. Seven of them were either currently employed or had recently retired from US defense contractors, according to the US government.<\/p>\n

\u201cSpotting\u201d doesn\u2019t necessarily have to involve human targets; an article in the November issue of WIRED,<\/a>excerpted from the new book Dawn of the Code War<\/em><\/a>, outlines the US pursuit of the Chinese spy Su Bin, who was captured in Canada in 2014 after working for years as a technical \u201cspotter\u201d for Chinese military intelligence officers. Su, an aviation expert, would examine stolen file directories hacked by Chinese intelligence to point them to the most valuable and relevant documents, helping them navigate massive troves of files on secret projects like the US development of the C-17 military transport plane.<\/p>\n

 <\/p>\n

Stage 2: Assessing<\/h3>\n

Once intelligence officers identify potential recruits, they then examine how they might encourage those targets to spy. Professionals often summarize the motives for espionage with the acronym MICE<\/a>: money, ideology, coercion, and ego. Spies want to be paid for their work, or believe in the cause, or can be blackmailed, or want the ego boost that comes with leading a double life.<\/p>\n

\n
\n
<\/div>\n<\/div>\n<\/div>\n

While it often relies on ideology or coercion in pressuring ethnic Chinese to spy on its behalf abroad, China has proved particularly successful in luring Westerners with cash. In June of this year, FBI agents arrested a Utah man as he prepared to fly to China and charged<\/a> him with attempting to pass national defense information to China. The felony complaint says that Ron Rockwell Hansen, a former Defense Intelligence Agency officer, had been struggling financially, living primarily off his $1,900-a-month DIA pension and facing debts of more than $150,000. In 2014, Rockwell allegedly began meeting with two MSS officers\u2014who introduced themselves to him as \u201cDavid\u201d and \u201cMartin.” During one 2015 business trip to China, they offered him up to $300,000 a year for \u201cconsulting services.\u201d Hansen was, according to the government, to \u201cattend conferences or exhibitions on forensics, information security, and military communications and to conduct product research.\u201d The money, in turn, would be funneled to him by David and Martin by \u201coverpaying him for purchases of computer forensic products.\u201d<\/p>\n

Hansen attended defense and intelligence conferences, allegedly on China\u2019s behalf, for nearly four years, from 2013 through 2017. He took photos, made notes, and tried to strike up contact with former DIA and intelligence colleagues. Officials said he also purchased restricted forensics software to transport to China.<\/p>\n

All told, according to the complaint, Hansen made 40 trips to China between 2013 and 2018, often returning with tens of thousands of dollars in cash\u2014four trips cited by the government netted him $19,000, $30,000, $20,000, and, in 2015, $53,000. Ultimately, court documents show that Hansen received upwards of $800,000 from Chinese sources. Hansen pleaded not guilty to 15 counts in July.<\/p>\n

\n
\n
In another major corporate espionage case that dates back to 2011, a grand jury indicted the Sinoval Wind Group, a Chinese company, for trade secret theft and wire fraud related to its partnership with American Superconductor. The indictment specifically alleged that Sinoval stole American Superconductor’s source code for its wind turbine, recruiting an employee to betray the Massachusetts-based company with promises of wealth and women. The two firms had been working together on massive wind farms in China; American Superconductor provided the software for the turbines, while Sinovel manufactured the turbines and did the construction work.<\/div>\n<\/div>\n<\/div>\n

American Superconductor managers had heard horror stories of American companies having their intellectual property stolen by Chinese business partners, so the company went to great lengths to lock down its software and allow access only by its own employees. Sinovel, instead, recruited Dejan Karabasevic, a Serbian employee based in Austria, to out-and-out steal the source code. Karabasevic pleaded guilty in an Austrian court in 2011.\u201cThey offered him women. They offered him an apartment. They offered him money. They offered him a new life,\u201d the head of American Superconductor, Daniel McGahn, later told 60 Minutes<\/a>.<\/p>\n

Karabasevic was quite clear about his motives: As detailed in court documents, he wrote in one email to his new Chinese business partners, \u201cAll girls need money. I need girls. Sinovel needs me.\u201d The Chinese firm ultimately offered Karabasevic $1.7 million to steal the turbine source code. He wrote to Sinovel in one text message: \u201cI will send the full code of course.\u201d<\/p>\n

American Superconductor only became aware of the theft when its engineers noticed that some of the turbines being installed in Sinovel\u2019s large wind farms in China were running a version of the operation software that hadn\u2019t yet been released; by then, it was too late. The collapse of the partnership forced the company to lay off 600 of its 900 employees; a federal jury found Sinovel guilty on counts of theft of trade secrets and wire fraud in January of this year.<\/p>\n

 <\/p>\n

Stage 3: Developing<\/h3>\n

Intelligence officers generally don\u2019t lead off by asking potential sources to betray their country or their employer. The third stage of espionage recruitment, instead, is known as \u201cdeveloping,\u201d when recruiters begin to ask for trivial requests or favors to establish rapport. As former CIA director John Brennan said<\/a> last year, \u201cFrequently, people who go along a treasonous path do not know they are on a treasonous path until it is too late.\u201d<\/p>\n

In one of its more daring efforts in recent years, Chinese intelligence tried to place an ambitious China-loving American student inside the CIA, hoping that the would-be mole could rise through the undercover ranks of the agency.<\/p>\n

Glenn Duffie Shriver, _a student from outside Richmond, Virginia, had become intrigued<\/a> with China during a 45-day summer study abroad program in 2001. He later returned for his junior year abroad, becoming fluent in Chinese, and moved to Shanghai, where he acted in Chinese films and commercials. Around 2004, he responded to a newspaper ad asking for someone to write a white paper about trade relations between the US, North Korea, and Taiwan; the woman who hired him, calling herself \u201cAmanda,\u201d paid him $120 for the essay. She told him she liked the work and asked if he\u2019d be interested in more\u2014and then introduced him to two men, \u201cMr. Wu\u201d and \u201cMr. Tang.\u201d<\/p>\n

Over time, those two encouraged Shriver to return to the US to join either the State Department or the CIA. \u201cWe can be close friends,\u201d they told him. Shriver flunked the foreign service exam twice, but the MSS paid him a combined $30,000 for the effort. In 2007, Shriver applied to the CIA\u2019s National Clandestine Service, the unit that runs its undercover foreign operatives, and received a $40,000 payment from the Chinese MSS.<\/p>\n

The US government ultimately arrested<\/a> Shriver, and the FBI even turned the incident into a low-budget movie<\/a> to warn other students studying abroad about Chinese friends bearing gifts. Shriver pleaded guilty to one count of conspiracy to communicate national defense information in 2010.<\/p>\n

\u201cIt started out fairly innocuous: \u2018Oh, you know, we really want to help young people here in China. You know, we realize sometimes you\u2019re far from home and the costs can be quite a bit, so here is just a little bit to help you out,\u2019\u201d Shriver said at his sentencing. \u201cAnd then it kind of spiraled out of control. I think I was motivated by greed. I mean, you know, large stacks of money in front of me.\u201d<\/p>\n

That subtle evolution and push over the line from personal or professional favor to outright espionage was also clearly evident in last week\u2019s case against MSS official Yanjun Xu, who had allegedly targeted GE Aviation. The GE case, which reads almost like a slow-motion David Ignatius espionage novel<\/a>, was somewhat unique: No documents or trade secrets were compromised\u2014the sting appeared to unfold with the cooperation of the company\u2014but the recruiter apparently followed a clear path of asking for small things before pushing the employee over the line to outright theft.<\/p>\n

Yanjun Xu began his recruitment efforts, officials said, by contacting American aerospace experts under the guise of an educational exchange; he worked with the Nanjing University of Aeronautics and Astronomics, one of China\u2019s top engineering schools, to invite the targeted aerospace engineers to give lectures on their work. The targeted GE employee, identified only as \u201cEmployee #1\u201d in court documents, was both reimbursed for travel expenses and paid a $3,500 \u201cstipend\u201d for the lecture at NUAA. The ploy was one Xu appeared to use routinely; court documents cite other examples of \u201cseminars\u201d and \u201ceducational exchanges\u201d with aerospace engineers that served as recruiting efforts for espionage.<\/p>\n

During the unnamed GE employee\u2019s visit to NUAA in June 2017, according to court records, Xu introduced himself, using the cover identity of \u201cQu Hui,\u201d and explained that he worked for the Jiangsu Science and Technology Promotion Association. The American engineer and Xu had multiple meals together, according to the indictment, and Xu invited the engineer to return for another lecture. By January 2018, Xu was regularly asking the GE engineer to pass along small details about system specifications and the company\u2019s design process, authorities say. He then provided what amounted to a shopping list of aviation design secrets, asking, \u201cCan you take a look and see if you are familiar with those?\u201d<\/p>\n

In February, Xu allegedly asked for a copy of the employee\u2019s file directory for his company-issued computer, explaining how to appropriately sort and save the directory for Xu\u2019s review. The two then began to make plans for Xu to access the company computer during a business trip to Europe; as Xu explained, according to court documents, \u201cWe really don\u2019t need to rush to do everything in one time because if we\u2019re going to do business together, this won\u2019t be the last time, right?\u201d It was on what Xu thought was that European business trip in April that the Chinese intelligence officer was arrested in Belgium.<\/p>\n

 <\/p>\n

Stage 4: Recruiting<\/h3>\n

The direct request to spy is often the most fraught moment of an espionage operation\u2014but sometimes it starts off easily enough. One-time CIA officer Kevin Mallory was recruited to spy for the Chinese right off LinkedIn in February 2017. Mallory, who was working as a consultant at the time, was contacted over the social network by someone from a Chinese think tank known as the Shanghai Academy of Social Sciences. The FBI said in court documents that the prestigious organization\u2014China\u2019s oldest social science think tank\u2014is regularly relied upon by MSS, who \u201c[use] SASS employees as spotters and assessors,\u201d and that MSS officers \u201chave also used SASS affiliation as cover identities.\u201d<\/p>\n

Mallory spoke by phone with the purported SASS employee, and subsequently traveled to China twice, in March and April 2017, for in-person meetings. There, he received a special phone and instructions on how to use its secure messaging capabilities to contact his Chinese \u201cclients.\u201d According to the criminal complaint<\/a>, Mallory also wrote two short white papers on US policy matters for his Chinese intelligence handlers.<\/p>\n

Mallory was caught, in part, because he didn\u2019t realize that the device didn\u2019t wipe sent secure messages, and FBI agents were able to peruse his communications with the Chinese intelligence officers. The deal was quite explicit: In one message, Mallory wrote, \u201cyour object is to gain information, and my object is to be paid for.\u201d Ultimately, the FBI believed that Mallory passed<\/a> at least three classified documents to the Chinese and was paid about $25,000.<\/p>\n

Mallory was found guilty<\/a> of conspiracy to commit espionage during a June trial, though the judge threw out two convictions related to sharing or trying to share national defense information.<\/p>\n

 <\/p>\n

Stage 5: Handling<\/h3>\n

The most delicate part of an espionage operation is always maintaining the regular, day-to-day communication between a spy and his or her assigned \u201chandler.\u201d Whereas previous generations often relied on the Cold War tradecraft of physical \u201cdead drops\u201d or in-person \u201cbrush passes\u201d for covert information exchanges, today\u2019s espionage often relies on encrypted communication tools, surreptitious cell phones, and emails left in draft folders.<\/p>\n

Some of that modern tradecraft was on display in the charges against another former CIA case officer, naturalized US citizen Jerry Chun Shing Lee, who is suspected of being perhaps the most devastating Chinese spy ever. According to court documents<\/a> released following his arrest in January, Lee met with two Chinese intelligence officers in April 2010, who promised him \u201ca gift of $100,000 cash in exchange for his cooperation and that they would take care of him for life.\u201d Beginning the very next month, the Chinese intelligence officers allegedly began passing \u201ctaskings\u201d to Lee in envelopes, delivered by one of his business associates, that asked him to reveal sensitive information about the CIA.<\/p>\n

Lee ultimately received requests for at least 21 different pieces of information, according to court documents. In response to one such request, Lee \u201ccreated on his laptop computer a document that included entries pertaining to certain locations to which the CIA would assign officers and a particular location of a sensitive operation to which the CIA would assign officers with certain identified experience.\u201d Communications flowed, in part, through an email address created using his daughter\u2019s name, the indictment says.<\/p>\n

It appears that Lee\u2019s alleged work may have helped devastate<\/a> America\u2019s own spy networks inside China. While the government\u2019s reliance on an insecure encrypted communications system exposed several of its own human assets, according to a recent report<\/a> in Foreign Policy<\/em>, its problems may not have only been high tech. When FBI agents covertly searched<\/a> Lee\u2019s luggage at one point, the Justice Department indictment<\/a> says, they discovered a \u201cDay Planner containing handwritten, classified information up to the Top Secret level pertaining to, but not limited to, operational notes from asset meetings, operational meeting locations, operational phone numbers, the true names of assets, and covert CIA facilities.\u201d<\/p>\n

 <\/p>\n

Read more at Wired<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Originally published at Wired. Beware of Chinese\u00a0spies offering laptops, women, or educational stipends\u2014and especially watch out for odd LinkedIn requests. On Tuesday, the Justice Department unsealed new chargesagainst 10 Chinese intelligence officers and hackers who it says perpetrated a years-long scheme to steal trade secrets from aerospace companies. The case continues an impressive tempo from […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10],"tags":[14,17],"acf":[],"_links":{"self":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1938"}],"collection":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/comments?post=1938"}],"version-history":[{"count":0,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1938\/revisions"}],"wp:attachment":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/media?parent=1938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/categories?post=1938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/tags?post=1938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}