Chinese public databases leaks reveal growing dissatisfaction with authorities
"Hacktivism" is becoming more common in China in recent years as hackers take advantage of insufficient security measures to leak government data, says Antonia Hmaidi.
Chinese hackers, who until recently firmly sided with or at least tolerated the Communist Party of China (CCP), are now increasingly leaking government data. "Hacktivists", as they are often called, do not hack for commercial gain, but instead for political and social goals. Hacktivism has increased in recent years in China. At the beginning of July, Shanghai’s police database was apparently breached by an unknown hacker, ChinaDan.
One month later, someone calling themselves XJP (the abbreviation for Xi Jinping) started selling data from Shanghai’s health code app, Suishenma. The fact that they used the children’s character Winnie the Pooh as their profile picture suggests that the seller was familiar with the Chinese internet and its memes. In addition, the database is also listed as a public database on a blog of the Chinese hacking/Open-Source Intelligence group ffffffff0x. It is the latest and largest in a series of attacks and leaks, with some even perpetrated by people working within the government apparat. The recent string of leaks could be read as a sign of growing dissatisfaction with Chinese authorities’ handling of data.
Shanghai police database reveals the haphazard nature of Chinese large-scale data collection efforts
The Shanghai police database leak is the largest in the history of the People’s Republic (and probably in the history of government database leaks globally). The leak pertains to several different sources: personal files including date of birth, ID number, and ethnicity; the database of a delivery service; and a database of police calls. The delivery service database contains instructions on where to leave parcels, thus giving authorities clues about where people are during the day. The police database mainly contains police calls and allows authorities to look for prior police interactions with specific people. It also allows authorities to find out a person’s nationality and ethnicity, phone number, and date of birth.
However, the data quality in the leak is not great: 76 per cent of people in the sample of 250,000 do not have an ethnicity ascribed to them, making automated analysis difficult. The data is also poorly integrated: it uses three different date formats, limiting its potential usefulness for China’s government. While the database can very easily be used to look for data on a specific person, automatically analysing the data is not possible without investing significant resources. For instance, the database could not easily be used for predictive policing, since most of the data is unstructured. Journalists, in trying to understand the veracity of the database, called multiple people and found the data in the sample to be accurate.
Data security as an after-thought, if at all
Data security measures have been abysmal: the database containing 30 TB of data collected by the Shanghai police was accessible via a dashboard without needing authentication. Calling this leak a hack is thus misleading, as no one needed to breach any system. In addition, the data was not properly secured by authentication or encryption: everyone who was able to find the IP address (which one can do by a simple scan of the internet) could access all the data. According to LeakIX, multiple people were able to download the data. After first taking the data ransom and wanting 10 Bitcoins (approximately EUR 200,000) from the Shanghai police to recover it, someone then offered them on BreachForum — a forum that is not on the darknet — for the same price.
While China has shored up data security and punished private companies for their failings in keeping user data safe, the same apparently does not apply to the government. China’s government has tried to curb companies’ hunger for data, as evidenced by the latest fine (CNY 8 billion, the equivalent of approximately EUR 1.2 billion) imposed on Didi Chuxing, a Chinese vehicle for hire company. The goal of the 2021 Personal Information Protection Law was to address citizens’ concerns about data security, and it officially also applies to government organisations like the Ministry of Public Security (MPS).
In practice, however, national security always trumps data security, and authorities are eager to blame their failings on companies. Alibaba (a Chinese multinational technology company), whose cloud services hosted the Shanghai police data, was deemed negligent for using a version of the database from 2017 that was not secured. Alibaba’s alleged dereliction of duty arose from the unsecured database’s accessibility via the internet. However, in any cloud hosting agreement, the ultimate responsibility for data security lies with the owner, and there had been available means to secure the data on Alibaba’s cloud.
China’s government is losing control of some of its hackers
A large proportion of Chinese hackers remain firmly pro-Beijing, as is evidenced by the number of them currently attacking Taiwan’s cyberspace. However, we see evidence of an increasing disconnect between China’s government and a small subset of hackers. In 2014, some of them breached a TV station in Wenzhou and displayed anti-CCP messages on air. In 2020, after the leak of data collected by Zhenhua (a company with links to PRC military and intelligence networks), Christopher Balding, a researcher to whom the leak was provided, said “[the leak] is proof that many inside China are concerned about CCP authoritarianism and surveillance”.
While insiders selling access to government databases in China is nothing new — and, in fact, one of the main sources for the black market — we increasingly see the "leakers" targeting specific international media outlets or contacts who would be able to make the data available. This suggests that their goal is not simply monetary gain, but instead to spell trouble for the CCP. With China becoming increasingly closed off and insular, leaks like the Shanghai database leak have become an important way for those outside of China to learn about China’s governance. Most of the reporting on human rights violations in Xinjiang is based on leaked data, and a group calling itself "CCP Unmasked" has leaked data from the Cyber Administration of China revealing how the government used “paid internet trolls” to censor coronavirus information.
For the Chinese government, it will be difficult to attribute data leaks to specific hacking groups. For instance, ChinaDan has gone completely underground. Hackers originally from China or of Chinese heritage have been active in English on the global internet, some with the declared goal of humiliating the CCP. For instance, the not-so-aptly named hacker group AgainstTheWest is out to get attention. They started out focusing only on China but have since broadened their sights to other autocracies. Lately, AgainstTheWest has been focused on tracking Chinese state-sponsored Advanced Persistent Threat Actors (APTs), identifying shell companies that employ them, and even publishing the names of hackers involved.
At the same time, the Chinese state is professionalising its hacker force. The previous state of affairs in which China’s criminal hackers were accepted by the government, as long as they did not attack the government directly, is beginning to wane. Instead, China’s leadership is educating hackers within cadre schools, and criminal hackers, who are currently operating a thriving black market for data in China, are being prosecuted. This, to some degree, mirrors the tech crackdown, where China is increasingly nationalising science, data, and technology.
White-hat hackers, who use their skills to improve cyber security, are being suppressed in China. Wuyun, a white hat forum, was closed in 2016. Now, when hackers find vulnerabilities — even if they just want to make sure that these get patched — there is no safe way of submitting them to companies or the government without implicating themselves. While the Chinese government increasingly educates people in defensive cyber security, it is very difficult to find and disclose vulnerabilities in an environment of fear, and in-house cyber security professionals often do not find the same kinds of vulnerabilities as freelancers would.
China’s thirst for data
The growing number of actors whose main goal seems to be to discredit the Chinese government, as well as the number of Chinese databases available online, suggests a new level of dissatisfaction among some Chinese hackers. But it is not only hackers who are worried about China’s thirst for data. It is also increasingly alarming Chinese netizens: some, for instance, spoke up anonymously after a local government used a red health code to keep people from travelling to Henan for a protest to get access to their frozen funds. In addition, Chinese artists staged performances to highlight the ubiquity of surveillance cameras. In online forums like Zhihu, Chinese users trade advice on how to evade surveillance. The open-source intelligence group ffffffff0x has received 4,100 stars for offering tools for digital privacy, and many of the positive reviews stem from profiles using simplified characters and who identify themselves as Chinese.
China’s large-scale data-collection efforts led by the government have been well-documented. The recent string of leaks could be read as a sign of growing dissatisfaction with the Chinese authorities’ handling of data. China's hackers have, for the longest time, been in an unspoken agreement with the government, moonlighting for the state in exchange for the freedom to pursue commercial activities. With Xi Jinping’s nationalisation of all types of activity, we increasingly see a split: while the majority of Chinese hackers remain firmly pro-CCP, some are increasingly disconnected from the government. They share information on how to evade government surveillance and increasingly use their hacking skills to expose Chinese authorities’ mismanaging of data with leaks.
This article was first published by 9DashLine on September 05, 2022.