Hacking America

Top China College Linked to Cyber-Spying Unit

Photographer | Collection | Getty Images

Faculty members at a topChinese university have collaborated for years on technicalresearch papers with a People's Liberation Army (PLA) unitaccused of being at the heart of China's alleged cyber-waragainst Western commercial targets.

Several papers on computer network security and intrusiondetection, easily accessed on the Internet, were co-authored byresearchers at PLA Unit 61398, allegedly an operational unitactively engaged in cyber-espionage, and faculty at ShanghaiJiaotong University, a center of academic excellence with tiesto some of the world's top universities and attended by thecountry's political and business elite.

The apparent working relationship between the PLA unit andShanghai Jiaotong is in contrast to common practice in mostdeveloped nations, where university professors in recent decadeshave been reluctant to cooperate with operational intelligencegathering units.

The issue of cyber-security is testing ties between theworld's two biggest economies, prompting U.S. President BarackObama to raise concerns over computer hacking in a phone callwith new Chinese President Xi Jinping. Chinadenies it engages in state-sponsored hacking, saying it is avictim of cyber-attacks from the United States.

There is no evidence to suggest any Shanghai Jiaotongacademics who co-authored papers with Unit 61398 worked withanyone directly engaged in cyber-espionage operations, asopposed to research.

"The issue is operational activity - whether these researchinstitutions have been involved in actual intelligenceoperations," said James Lewis, director of the Technology andPublic Policy Program at the Center for Strategic andInternational Studies. "That's something the U.S. does not do."

"(In the U.S.) there's a clear line between an academicresearcher and people engaged in operational (intelligencegathering) activities."


In reviewing the links between the PLA and Shanghai Jiaotong- whose alumni include former President Jiang Zemin, the head ofChina's top automaker and the former CEO of its most popularInternal portal - Reuters found at least three papers on cyber-warfare on a document-sharing web site that were co-authored byuniversity faculty members and PLA researchers.

The papers, on network security and attack detection, stateon their title pages they were written by Unit 61398 researchersand professors at Shanghai Jiaotong's School of InformationSecurity Engineering (SISE).

In one 2007 paper on how to improve security by designing acollaborative network monitoring system, PLA researcher ChenYi-qun worked with Xue Zhi, the vice-president of SISE and theschool's Communist Party branch secretary. According to hisbiography on the school's website, Xue is credited withdeveloping China's leading infiltrative cyber-attack platform.

Calls and emails to Xue were not answered. Reuters wasunable to find contact details for Chen.

Fan Lei, an associate professor at Shanghai Jiaotong whosemain research areas are network security management andcryptography, also co-authored a paper with Chen. Fan toldReuters he has no links with Unit 61398 and his work with Chenin 2010 was because Chen was a SISE graduate student. Fan saidhe was unaware Chen was with the PLA when they collaborated.Both of the papers Chen co-wrote with SISE professors stated hewas with the PLA unit.

Cyber-security experts say the publicly available papers andChina's National Information Security Engineering Centre areostensibly about securing computer networks.

"The research seems to be defensive, but cyber-securityresearch in general can be dual purpose," said Adam Meyers,director of intelligence at CrowdStrike, a security technologycompany based in Irvine, California. Figuring out how best todefend networks, by definition, means thinking about the mosteffective means of attack, he noted.

Efforts to reach the PLA for comment on its collaborationwith Shanghai Jiaotong were unsuccessful.

Tech Park Neighbors

Set amid manicured lawns, Shanghai Jiaotong University isone of China's top four colleges, turning out brillianttechnical engineers much in demand by both domestic companiesand foreign multinationals. Its reputation has led to tie-upswith elite universities abroad.

Last month, Mandiant Corp, a private U.S.-based securityfirm, accused China's military of cyber-espionage on U.S. andother English-speaking companies, identifying Unit 61398 and itslocation at a building on the outskirts of Shanghai. China saidthe report was baseless and lacked "technical proof".

"SISE at Shanghai Jiaotong has provided support" to PLA Unit61398 - known more formally as General Staff Department (GSD),Third Department, Second Bureau - said Russell Hsiao, author ofpapers on China's cyber-warfare capabilities for Project 2049Institute, a Virginia-based think-tank, who drew his researchfrom the technical papers and government reports.

He said another Shanghai Jiaotong department, the Departmentof Computer Science and Engineering, also did research work withanother PLA unit. A Project 2049 report last year found theGSD's Third Department had oversight of "information securityengineering bases" in Shanghai, Beijing and Tianjin.

The GSD Third Department's Shanghai base is in an industrialpark housing mainly government research institutes and high-techfirms. The SISE building is in the same development, 40 kms fromthe university's main Minhang campus. Across the street fromSISE is the National Information Security Engineering Center, abuilding commissioned in 2003 by PLA Unit 61398. Also part ofthe base is the Ministry of Public Security's Third ResearchInstitute, which researches digital forensics and networksecurity.

Auto Research

Shanghai Jiaotong is not officially linked to China'smilitary. SISE says on its website its goal is to speed up thedevelopment of China's information security sector and addressthe national shortage of information security professionals.

Shanghai Jiaotong set up a joint institute in China's secondcity in 2006 with the University of Michigan - seeking, it sayson its web site, to "develop innovative and highly reputableeducation and research programs in various engineering fields."A spokesman for the U.S. college said it has no relationshipwith SISE. Carnegie Mellon University in Pittsburgh also had apartnership with Shanghai Jiaotong's School of Electronic,Information and Electrical Engineering, and Singapore ManagementUniversity said it ended a tie-up with SISE last June.

Among the industries in the United States allegedly targetedby Unit 61398, as recently as last year according to Mandiant,is transportation, including the auto sector.

The University of Michigan collaborates closely withDetroit-based automakers on research projects, and is one ofthree colleges that comprise the University Research Corridor,which spent $300 million on R&D projects over the last fiveyears. Nearly a third of that was funded by private industry,according to local consultant the Anderson Economic Group.

"There was no indication in 2010 that the joint institutewas involved in any way and that also is the case today. We do,of course, watch the news reports on these issues carefully,"said Rick Fitzgerald, a University of Michigan spokesman,referring to a New York Times report in 2010 citinginvestigators' claims to have tracked cyber-attacks againstGoogle Inc to Shanghai Jiaotong and an eastern Chinesevocational school