ASERT provides a weekly threat bulletin for Arbor customers that highlights and analyzes the week’s top security events and provides other pertinent infosec material. Recently, we covered the public notification of a United Airlines breach by possible Chinese state-sponsored threat actors. In this blog, we offer an alternative hypothesis to the conclusions many have drawn regarding the motivation behind this and other recent attacks.
For those keeping score, the United States Office of Personnel Management (OPM), Anthem, Premera, and Carefirst Blue Cross all reported large data breaches, seemingly perpetrated by the same possible Chinese state-sponsored threat actors . Research into the OPM breach provided information leading investigators to believe the same group of threat actors also compromised additional companies . These investigators released IOC’s that United Airlines used to detect their own data breach in late May/early June of 2015. The data stolen reportedly included passenger manifests containing travel information and basic demographics about travelers. Additionally, according to Bloomberg, one of the individuals familiar with the case indicated information regarding United’s corporate merger and acquisition strategy was also possibly compromised.
Considering the context discussed so far, let’s highlight the current train of thought amongst many in the security industry. Most people believe this information is likely being used by China’s intelligence apparatus to develop a sort of “Facebook” repository of U.S. government personnel possibly to be used in ongoing and future intelligence gathering operations. Indeed, all the medical data and OPM information would be of great use to any nation desiring to gather intelligence or support operations against the United States. Individuals have gone on to suggest the United Airlines breach may have supported human intelligence (HUMINT) collection operations, since it would have potentially allowed threat actors to track traveler movement.
While this popular intelligence angle certainly represents a valid assessment, what if the United Airlines breach, and possibly the healthcare breaches, were motivated by an alternative objective? In May of 2014, a U.S. grand jury indicted five Chinese military hackers (the APT1 group) on 31 counts of corporate cyber espionage related charges . According to the U.S. Federal government, China is known to use government assets to support their commercial and economic endeavors.
China’s current “Five-Year” strategic plan has a focus on developing their booming aviation market and will have likely invested over $230 billion for said efforts  . The current plan reaches completion in 2015, making way for their 13th five-year planning effort. In the 2011 plan, China intended to construct 56 additional commercial airfields, re-locate 16 airports, and renovate/expand 91 airports . According to public information , in 2010, China had roughly 175 active civil aviation airports, with around 45 of those used by both military and civilian sectors. This is in comparison to China’s world power competitor, the United States, with over 15000 active airfields .
China is host to the world’s second busiest airport, (measured by number of passengers), located in Beijing. In 2014, this airport handled over 84 million passengers, even though it was only designed for 75 million  . Out of the top ten busiest airports by passenger count, the United State’s has the top spot (Atlanta International) with three additional airports in the top 10 . China boasts Beijing and Hong Kong. Additionally, out of the top 25 busiest airports in 2014 by passenger count, the U.S. accounted for over 36% of the total traffic. China came in with just over 16% . Also, while the U.S. had two airlines in the top 10 for total international travelers, China had none. However, with that, they are still the second largest aviation transport sector in the world .
In 2010 the Chinese government established their first national-level aviation focused fund, China Aviation Industry Fund . Lead by the state run Aviation Industry Corporation of China (AVIC), the fund was designed to bolster the investment into and globalization of China’s aviation industry. With the support of the national government and large scale investment programs, Boeing suggested in 2013, Chinese airlines would require more than 6000 new commercial aircraft by 2033 to handle new demands, more than doubling the current fleet total for all Chinese airlines . Limited information suggests similar percentage increases in private aircraft usage and requirements as well.
Why United You Ask?
When thinking about why United Airlines information would be of value to China’s aviation sector, consider how United is the 4th largest airline globally by total passengers, domestic and international. They are the 9th largest carrier of international passengers in the world and the United State’s largest international carrier . According to their own website, they also run the “world’s most comprehensive global route network.”
United, is the United State’s third largest airline overall by revenue and passengers, employs over 84,000 people, operates over 1260 mainline and regional aircraft, had $38.9 billion in revenue and a profit of $1.1 billion in 2014 . China Southern, China’s largest airline by revenue and passengers, employs approximately 82,000 people, operates just over 420  aircraft, had revenue of $17.6 billion and a profit of only $288 million last year . United is also the global leader in international flights between China and the United States, ongoing for over five years .
While the compromise of any U.S. airline information would and, likely will, aid China’s growth and development efforts, United is a complete package. Currently they are the largest U.S. airline partner in China. They have major agreements with two of the three largest Chinese airlines. They offer the most available seats on a weekly basis for flights between China and U.S. destinations and they are the primary stakeholder in the “Sky Alliance” airline partnership program, which counts China’s third largest airline as one of many Chinese partners. Also, prior to the merger of American Airlines and U.S. Airways, United was the largest airline in the world by seats available .
Already Tracking Passengers
Investigators and analysts alike have surmised the likelihood of using information obtained in the United compromise to track persons unaware, possibly on international flights, to support more CIA-type HUMINT gathering efforts. However, nations possibly already have access to travel details across the globe through databases called “Computer Reservations Systems” (CRS). These private corporate systems, with only a handful serving the global market, contain a wealth of traveller information called Passenger Name Records (PNR) . For more information on PNR and how Europe uses the information, see law enforcement’s use of PNR. Travel agencies and airlines use these systems to store and retrieve information and conduct transactions related to air travel, hotels and car rentals. Given how China’s three largest airlines are all majority owned by the Chinese government, it is quite likely they are already able to leverage these information repositories to track individuals without having to compromise a specific airline. Indeed, the Snowden leaks highlighted how the United State’s National Security Agency (NSA) accessed and used these very same travel records . A country with less concern for privacy would likely attempt to do at least as much. To compound matters, it is likely these private firms sell PNRs to other companies and airlines . Also, it might make more sense to target sites and their subsequent databases like www.viewtrip.com, www.checkmytrip.com or www.virtuallythere.com. All three of these sites are direct links into major CRSs and subsequent travel data.
Global airline partnerships, like “Star Alliance” also foster additional potential avenues for access to international flight information without the requirement of a major cyber compromise . Air China, another one of China’s largest airlines and majority-owned by the Chinese government, is part of Star Alliance, which includes United Airlines. Additionally, United has what is known as a Codeshare Agreement with China Southern wherein they share business obligations on select flights . This, once again, likely provides China with access to United’s passenger information without the need for a major cyber compromise.
As the incident with United is being linked to threat actors responsible for the major healthcare breaches and the OPM breach, it is understandable why the focus is on “Spy vs. Spy” intelligence gathering. However, economic espionage is a more likely motivation. As noted, China likely already has access to traveler-specific information without the need for a breach. More likely, the information gleaned from a United breach would be useful in developing a better understanding of how to cope with large amounts of air travelers, develop international flight programs, better understand network requirements, pricing data, marketing efforts and other techniques useful in the development of their own civil aviation markets. It seems China could learn a lot from U.S. civil aviation businesses in short order to support their own expansion goals in accordance with their five-year strategic plan. If merger and acquisition information were also compromised, China could use that data to make better business decisions or push foreign competitors to devise a more China-friendly business plan.
As for the breached medical data? A parallel argument supporting how economic healthcare industry espionage is equally if not more likely than “Spy vs. Spy” intelligence gathering can be made. Start with this document outlining the Chinese National Health Plan and work your way to an additional source describing China’s 12th five-year plan for the Healthcare sector to get an understanding of the economics at play. People tend to put on blinders when thinking of Government agencies and cyber, assuming it’s always focused on “Spy vs. Spy” efforts. In reality, China’s economic might and future likely relies on government-sponsored corporate espionage more than the rest of the world would like to admit.