
BIETA: A Technology Enablement Front for China's MSS
Note: The author, Devin Thorne, thanks Alex Joske for his support in developing this research. More information about the author can be found at the end of this report.
Executive Summary
The Beijing Institute of Electronics Technology and Application (BIETA), a communications technology and information security research organization previously unexplored in public reporting, is almost certainly affiliated with China’s principal civilian intelligence service, the Ministry of State Security (MSS). Based on publicly available sources, it is very likely led by the MSS and likely a public front for the MSS First Research Institute. BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security. Their activities include researching methods of steganography that can likely support covert communications (COVCOM) and malware deployment; developing and selling forensic investigation and counterintelligence equipment; and acquiring foreign technologies for steganography, network penetration testing, and military communications and planning.
BIETA and CIII almost certainly form part of the very likely vast but underexplored (in public sources) network of front organizations contributing to the modernization of the MSS and wider Chinese state security apparatus, which challenges the interests of both foreign governments and private businesses. BIETA’s almost certain MSS affiliation supports assessments of how the MSS very likely supports cyber-enabled intelligence operations by developing tools for use by intelligence officers and their proxies. Neither BIETA nor CIII are known to engage in illicit activity, but foreign export control authorities, academic institutions, and businesses should consider restricting transactions and other engagements with both BIETA and CIII. Engagement risks contributing to the capabilities of the MSS and People’s Liberation Army (PLA), and could arise through joint research opportunities, overlap at international academic conferences, and product sales channels. Conducting due diligence investigations on any party interested in technologies discussed in this report is vital.
Key Findings
- BIETA’s almost certain ties to the MSS are inferable from the background of four BIETA personnel (three of whom are almost certainly or very likely MSS personnel), its relationship with an MSS-run university (the University of International Relations in Beijing), and the scope of its research and other activities.
- BIETA’s research almost certainly contributes to the MSS’s steganographic capabilities that Chinese intelligence officers and contractors likely use to covertly communicate or deploy malware, while other products from BIETA and CIII almost certainly enable MSS and wider state and public security counterintelligence investigations.
- BIETA’s almost certain MSS affiliation offers clarity into the very likely enablement role that the MSS plays with regard to Chinese cyber-espionage and cyber-enabled intelligence operations, wherein the MSS and subordinate state security departments develop and distribute technologies to operational actors.
- Discovery of BIETA also offers new insight into the MSS’s organizational structure: BIETA was likely part of the MSS’s former 13th Bureau, the remit of which was likely much broader than commonly recognized in connection to CNITSEC; it is also plausible that BIETA was part of the former 9th Bureau, which is now the 14th Bureau.
- BIETA’s research likely benefits from collaboration with international academics and exposure to international academic conferences, and very likely from foreign steganography technology acquired by CIII. CIII has attempted to support China’s military modernization with foreign software for simulating and modeling communication networks and battlefield environments.
Organizational Overview
The Beijing Institute of Electronics Technology and Application (北京电子技术应用研究所) is a research organization primarily engaged in applied research of communication technology, multimedia information processing, and multimedia information security technology. It has at least one wholly owned subsidiary: Beijing Sanxin Times Technology Co., Ltd. (CIII; 北京三信时代科技有限公司). The activities of BIETA and CIII almost certainly contribute to the capabilities of the MSS and, likely, to those of China’s wider security apparatus and military. The MSS (国家安全部) oversees a nationwide system of semi-autonomous units that constitute a domestic police force and China’s primary civilian intelligence service responsible for human-source and cyber-enabled political and domestic security, counterintelligence and counterespionage, non-military foreign strategic intelligence, and foreign economic and technological intelligence. BIETA and CIII are profiled below.
BIETA
BIETA was established no later than 1990, almost certainly existing in some form as early as 1983 — the year the MSS was created. It is located, per its website, at No. 15 Xinjian Gongmen Road, Haidian District, Beijing (北京市海淀区新建宫门路15号). As shown in Figure 1, this address is adjacent to or within the MSS’s almost certain headquarters compound at Xiyuan (West Garden). BIETA is almost certainly state-owned, given that the website of BIETA’s subsidiary, CIII, describes itself (CIII) as an “enterprise that is owned by the whole people” (全民所有制企业). BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a front for the MSS First Research Institute.
Figure 1: BIETA’s location in relation to the approximate location of the MSS’s Xiyuan headquarters compound
(Source: Baidu Maps, Google Earth)
BIETA comprises at least four laboratories and one testing center. Its laboratories include the Communication Technology Research Lab, Multimedia Information Security Technology Research Lab, Electromagnetic Compatible Technology Research Lab, and the Hybrid Integrated Circuits Development Research Lab. BIETA’s Quality Testing Center (质量检测中心) is further composed of the Integrated Circuits Testing Experimental Lab, the Network Technology Testing Experimental Lab, the Multi-Media Technology Testing Experimental Lab, the Audio-Visual Subjective Evaluation Room, and the Product Integrated Testing Center Experimental Lab.
BIETA asserts that its “primary research directions,” among others, include:
- Wireless, satellite, spread spectrum, and microwave communication technologies
- Information processing and multimedia information security technologies
- Computer vulnerability, information security, signal positioning, and signal jamming technologies
Steganography is another of BIETA’s “primary research directions,” and a major focus based on the organization’s publicly visible academic activities. This line of research is discussed in the Steganography section. Other areas of research by BIETA and its researchers include forensics technology (including methods of identifying video files that have been tampered with, text forgeries, fabricated images, source cameras, and source printers), cryptography, networking, and technology miniaturization (of antennas, for example). In 2016, for example, as China’s counter-terrorism campaign in Xinjiang began escalating to include mass detentions of Uyghur and ethnic minorities, BIETA researchers co-authored an academic article on Uyghur text recognition. These areas of research support the assessment that BIETA is almost certainly affiliated with the MSS.
Given BIETA’s almost certain affiliation with the MSS, as well as the remit of the MSS and wider state security apparatus to investigate and mitigate domestic and foreign threats to the Chinese Communist Party (CCP) and China, it is almost certain that the organization’s research directly or indirectly enables MSS operations across a range of activities. It is noteworthy in this context that BIETA contracted project(s) with NSFocus (北京神州绿盟信息安全科技股份有限公司) between 2013 and 2017. The nature of the project or projects is unknown, but NSFocus is among China’s leading cybersecurity companies and the first founded by early patriotic hackers (specifically those associated with the “Green Army”).
Ties to the MSS
The assessment that BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a front for the MSS First Research Institute is primarily supported by evidence that several of BIETA’s personnel (with varying degrees of certainty) are MSS officers, research staff, or otherwise affiliated with China’s principal intelligence service. The assessment is also supported by BIETA’s engagement with an MSS-subordinate university, the University of International Relations (UIR; 国际关系学院).
Personnel
Though the MSS is a highly secretive organization, at least four BIETA personnel have clear or potential links to the MSS, based on publicly available information. This supports the assessment that BIETA itself is almost certainly affiliated with China’s principal civilian intelligence service. Of more than twenty individuals currently or formerly affiliated with BIETA, at least three individuals are almost certainly or very likely MSS personnel. There is evidence that points to one other BIETA employee having a possible MSS affiliation. The evidence linking these personnel to the MSS is surveyed below.
Wu Shizhong (吴世忠)
Figure 2: Wu Shizhong (Source: Cyberspace Administration of China)
Multiple public profiles identify Wu Shizhong as a BIETA researcher, one profile from as early as 2011. In 2009, and likely as late as 2016, Wu Shizhong was the head of the “MSS Science and Technology Bureau” (国家安全部科技局). Between 2005 and 2013, Wu was also the director of the China Information Technology Security Evaluation Center (CNITSEC; 中国信息安全测评中心). Wu was further the secretary of CNITSEC’s CCP committee between 2014 and 2018. CNITSEC is almost certainly a public face of the MSS’s former 13th Bureau that specialized (in part) in network security and exploitation. According to one profile, Wu was employed at BIETA while also holding directorship of CNITSEC. Wu’s background supports the assessment that BIETA is almost certainly affiliated with the MSS.
He Dequan (何德全)
Figure 3: He Dequan (Source: Shanghai Jiao Tong University)
Beginning in 1983 — the year the MSS was created — He Dequan was almost certainly employed as a senior engineer at BIETA. Academic publications indicate that, as late as 2009, He still used a BIETA affiliation. He was almost certainly a career intelligence officer in China, prior to and after the MSS’s establishment. In 1983, He was also deputy bureau chief (副局长) for “some security department” (某安全部) and a researcher with and director of the Beijing Information Technology Research Institute (BITRI; 北京信息技术应用研究所). Although public profiles do not explicitly say that from 1983 to 2000, He was employed with the MSS, he won a “Ministry of State Security Science and Technology Advancement Award” (国家安全部科技进步奖) in 1989, supporting this conclusion. He’s links to the MSS are also seen in his consulting position with CNITSEC. Further, he has had an advisory role with the China International Public Relations Association (中国国际公共关系协会), an outwardly Ministry of Foreign Affairs-affiliated organization that is reportedly run by the MSS and used by MSS officers to interact with multinational corporations. Moreover, He’s BITRI affiliation is notable because this research organization has had other employees associated with the MSS. Specifically, BITRI appears in the work history of former Huawei executive Sun Yafang (孙亚芳), who worked for the MSS in a role related to communications after college. He’s background supports the assessment that BIETA is almost certainly affiliated with the MSS and that BIETA is very likely led by the MSS.
You Xingang (尤新刚)
You Xingang has published academic research using a BIETA affiliation since at least 2001. You was the head of BIETA between 2008 and 2023. You is very likely an MSS officer. In 2012, You was described as a CNITSEC deputy director. References from 2018 and 2019 continue to affiliate You with CNITSEC in an unspecified capacity. Furthermore, in 2003, an individual named You Xingang was awarded a China Youth Science and Technology Innovation Award (中国青年科技创新奖) and identified as a researcher with the MSS First Research Institute (国家安全部第一研究所). This You is likely BIETA’s You Xingang. Having reportedly graduated from university in 1984, BIETA’s You would likely have been around the age of 39 at the time of the award and therefore eligible for it. The assessment that BIETA is likely a front for the MSS First Research Institute is supported by indications that the MSS First Research Institute’s activities overlap with those of BIETA. A patent filed in 2007 references the MSS First Research Institute as having tested an “MT-type nickel-based conductive coating … used for electromagnetic wave shielding.” Correspondingly, BIETA has an Electromagnetic Compatible Technology Research Lab (电磁兼容技术研究室) and conducts research into electromagnetic signal security protection technology. You’s background supports the assessment that BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a public front for the MSS First Research Institute.
Zhou Linna (周琳娜)
Figure 4: Zhou Linna (Source: UIR School of Cyber Science and Engineering)
Zhou Linna reportedly worked at BIETA between 1999 and approximately 2017, publishing academic research under this affiliation at least as late as 2011. Evidence supports an assessment that Zhou may also be an MSS officer or otherwise affiliated with the intelligence service. First, Zhou is a professor with the MSS-subordinate UIR. As early as 2017, she was, more specifically, identified as the dean of UIR’s School of Information Science and Technology (信息科技学院; now the School of Cyber Science and Engineering [网络空间安全学院]). An individual named Zhou Linna was also recognized in 2017 among the recipients of the Central State Institutions Ninth National Five Good Civilized Household Award (中央国家机关第九届全国五好文明家庭获奖) and identified as a member of the MSS (国家安全部干部). As of writing, however, this potential direct reference to BIETA’s Zhou as an MSS member cannot be corroborated through other publicly available information. Zhou’s background supports the assessment that BIETA is almost certainly affiliated with the MSS.
Activities
BIETA’s organizational links and activities in relation to the MSS-subordinate UIR also support the assessment that BIETA is almost certainly affiliated with the MSS. UIR promotional materials for prospective graduate students assert “year-round” and “very close cooperation” between the university and BIETA. Between at least 2011 and 2018, BIETA was a “joint training” partner for the university’s Communications and Information Systems (通信与信息系统) discipline. Specifically, BIETA supported modern communications technology and information security as areas of study. UIR’s School of Cyber Science and Engineering further asserts that it has an “intern base” at BIETA where graduates can attain practical industry experience. UIR’s School of Cyber Science and Engineering only publicly names intern bases at two other organizations, one of which is CNITSEC.
CIII
CIII, also known as Beijing Sanxin Times Technology Co., Ltd., and formerly known as Beijing Sanxin Times Information Company (北京三信时代信息公司), is a technology company established in 1994. CIII is a state-owned enterprise and a subsidiary of BIETA. It is located in Beijing and has offices in Shanghai and Hangzhou (incorporated in October 2023), a likely office in Hong Kong, and former offices (now closed) in Xinjiang. CIII claims its clients include party-state government and military organizations as well as organizations in the broadcasting, finance, environment, insurance, electricity, transport, and oil industries. While CIII has shared several employees with BIETA, publicly available information does not identify links between CIII employees and the MSS. Nevertheless, CIII is also almost certainly affiliated with the MSS through its relationship to BIETA.
On its website, the company claims to be engaged in several disparate activities that include operating an internet data center (IDC) in Beijing; maintaining Beidou Satellite Navigation-enabled platforms for police and campus security organizations; developing enterprise and social applications for Windows, Android, and iOS — including those for uploading files to Baidu Cloud and OneDrive and for genealogy, photography, voice recording, and locating and communicating with friends — and conducting network simulations and penetration testing against websites, mobile applications, enterprise systems, servers, databases, cloud platforms, and internet-of-things equipment. How recently CIII’s website has been updated is unknown, but software copyright registrations indicate activities since 2020 (see Table 1). CIII also registered a copyright for a “mesh detection system” (网眼检测系统) in 2017 and a “penetration testing analysis system” (渗透测试分析系统) in 2013.
Table 1: Select software developed by CIII since 2020 (Source: Insikt Group)
Limited information is publicly available on most of these activities and whether or how they may support the MSS. Most are likely aimed at generating income for BIETA, commercializing state-funded research, and supporting state-led technology initiatives. For example, CIII likely contributed to the development of “Time Capsule” (时间舱), a mobile application that claims to be China’s “first smart information rights protection certificate ledger” (智慧信息权益保全存证) platform. “Time Capsule” was developed by a joint laboratory established by CIII, other companies, and various government agencies and research institutes. CIII’s ownership of an IDC and publication of user applications as recently as 2021 suggest the MSS may have, or may once have had, easy access to user data via CIII. The extent to which the public adopted CIII’s applications is unknown.
CIII also sells a wide range of security products, services, and solutions that are relevant to the facility and operational security needs of the MSS and other Chinese military and security services. These are further discussed in the Security Products section. CIII further claims to be an “agent [or representative; 代理] for network testing, network monitoring, cybersecurity, network communications simulation, and other software and hardware products developed by the United States [US], Europe, and other countries.” CIII’s acquisition of foreign technologies (whether as an agent or through other means) almost certainly enables the company’s activities related to network simulation, penetration testing, and various Chinese military needs. The Technology Transfer section discusses this aspect of CIII’s business in more detail.
Ties to the MSS
Publicly available information does not reveal direct links between CIII and the MSS. In describing its work related to Beidou navigation, CIII refers to CNITSEC as a “related unit” (关系单位) that provides information security services for CIII’s Beidou platform and terminals. Whether this language has any additional meaning or significance with regard to institutional ties between CIII and the MSS is unclear. Since at least 2017, CIII has been a CNITSEC-recognized “unit [that has] passed the national information security evaluation/information security service qualification (security engineering level 1) evaluation” (通过国家信息安全测评/信息安全服务资质(安全工程类一级)测评的单位). The potential significance of this qualification in relation to CIII’s potential ties to the MSS is also unclear.
Support to the MSS and Wider Security Apparatus
In addition to other support, BIETA and its subsidiary, CIII, almost certainly facilitate the MSS’s and state security system’s missions by developing steganographic capabilities and selling security equipment. CIII claims to further support the PLA (人民解放军) with its products and services. It is likely that technologies developed or sold by BIETA and CIII also support public security operations. Notably, both BIETA and CIII almost certainly constitute a vector for technology transfer from the US and Europe that directly or indirectly benefits the MSS and PLA.
Steganography
Publicly available information demonstrates that steganography (信息隐藏; 数据隐藏; 隐写术) is a major focal point of BIETA’s research efforts. Steganography is the practice of hiding information within otherwise ordinary data, such as secret messages embedded in text, photo, audio, or video files. Of 87 academic publications with at least one BIETA-affiliated author between 1991 and 2023, at least 40 (46%) are related to steganography, based on keyword searches of their titles and abstracts. Various government funding programs, including the National Natural Sciences Fund (国家自然科学基金), 973 Program (973计划), and 863 Program (863计划), have supported BIETA’s steganography research as recently as 2019. UIR interns have also worked on steganography issues. In addition to academic publishing, BIETA has also sponsored or participated in related conferences, such as a national conference on “the future development of information hiding” in 2017 and the “18th national information hiding and multimedia information security” conference in October 2024. Based on BIETA’s almost certain affiliation with the MSS and evidence that Chinese state security intelligence officers have “received malware from the MSS to be used against foreign victims” in known cyber espionage cases, BIETA’s research almost certainly contributes to the MSS’s technical capabilities for detecting hidden information and communicating covertly that are likely to be shared with other actors in the state security system.
CIII has also received copyrights for software related to steganography. Examples include an “audio-visual-to-voice conversion secrets deep analysis system” (音图转换语音隐密深度分析系统) and a “JPEG image forensics differentiation method based on characteristics optimization” (基于特征优化选择的JPEG图像取证鉴别方法软件), both registered in 2017.
BIETA and CIII’s steganography work almost certainly has the potential to support defensive and offensive MSS operational activities. Defensively, access to effective steganalysis methods across mediums and file types could aid the state security system in detecting hidden information that threatens CCP political power and national security, such as among would-be dissidents and foreign intelligence services. Offensively, the MSS, state security departments and bureaus, and their contractors or proxies could use steganography to covertly transmit information of value in support of their operations. Chinese advanced persistent threats (APTs) have been observed doing so and have also used steganography to deploy malware (see Steganography in Chinese Cyber Operations below). Officers from the Shanghai State Security Bureau (SSSB) also provided former US intelligence officer Kevin Mallory a mobile phone with COVCOM capabilities and trained him how to embed documents within images as part of a scheme in which Mallory sold the SSSB classified information.
BIETA’s steganography research covers a range of topics across different media: text, image (such as JPEG), audio (such as MP3), and video (HEVC). Public BIETA-affiliated academic articles almost certainly cover topics that are relevant to both defensive and offensive applications, such as the detection of messages within MP3 files and preventing the detection of information hidden in images. BIETA’s research also includes developing methods of covertly transmitting information. Figure 5 provides examples of methods explored by BIETA researchers for coding messages into seemingly ordinary digital online communications. During a 2019 conference panel on steganography and artificial intelligence (AI), an associate researcher with BIETA introduced Generative Adversarial Networks (GAN), suggesting this is another area of research for the organization.
Figure 5: Steganographic methods researched by BIETA personnel; left: mis-ordered letters in an ostensible internet chat message communicate a message disguised as a typo (2009); right: iconographic library used to communicate secret messages (2019) (Source: Insikt Group)
Steganography in Chinese Cyber Operations
Several Chinese APTs have used steganography in their operations. APT40, which operates under the direction of the Hainan State Security Department (海南国家安全厅), used this technique to transmit “stolen trade secrets and proprietary hydroacoustic data” via innocuous images (Figure 6). APT15, which has been tentatively attributed to Xi’an Tianhe Defense Technology Co., Ltd. (西安天和防务技术股份有限公司), has used steganography to stealthily deploy malware while avoiding detection (Figure 7). APT1, attributed to PLA Unit 61398 (61398部队), likely also used steganographic techniques.
Figure 6: Images used by APT40 to transmit trade secrets (Source: US Department of Justice)
Figure 7: Image used by APT15 to deliver the payload of the Okrum malware (Source: ESET Digital Security)
Security Products
CIII advertises numerous security and forensic investigation products, services, and solutions relevant to the MSS’s missions and those of the wider state security and public security apparatus. These devices cover use cases including conducting forensic or counterintelligence investigations of a given venue; preventing electronics from entering a given area; preventing data (in the form of signals and recordings) from being collected; and identifying, intercepting, and jamming mobile phones across the spectrum (2G-5G). Examples of these devices are listed in Table 2. Most are likely devices that CIII resells from other developers and manufacturers, but at least two are CIII- or BIETA-developed devices. Another product almost certainly developed by CIII or BIETA, but not advertised on CIII’s website, is a fingerprint-secured USB drive, which BIETA certified with CNITSEC in 2006.
- Laptop Computer Information Protection Device and Desktop Computer Signal Protection Device: These devices were developed by CIII or BIETA. An older version of the device was certified by CNITSEC in 2001. These devices protect against information theft and leaks by interfering with signals emitted by a laptop or desktop computer.
Table 2: Select security products advertised by CIII (Source: CIII)
Technology Transfer
Through BIETA and CIII, the MSS and PLA almost certainly benefit from access to international expert communities and foreign technology. BIETA and CIII’s activities are likely legal or were legal at the time the evidence described below was created — much of which comes from CIII’s website and likely dates to approximately 2017 or earlier. Nevertheless, BIETA and CIII’s operations likely continue to create technology transfer risks.
BIETA’s Academic Activities
BIETA’s researchers likely benefit directly or indirectly from international collaboration with other academics. Articles co-authored by BIETA personnel and others have been presented at various international conferences since at least 2012. Topics include “high capacity coverless image steganography,” models for studying network worms targeting social media users, and “audio signal authentication.” A limited number of BIETA-affiliated articles presented internationally have further included co-authors at foreign academic institutions, specifically Deakin University in Australia and State University of New York at Buffalo in the US.
Whether BIETA researchers personally attend international conferences, such as the 2017 European Signal Processing Conference and those hosted by the Institute of Electrical and Electronics Engineers (IEEE), is unknown. Given BIETA’s almost certain affiliation with the MSS, if they do, these conferences very likely enable BIETA — and therefore China’s primary intelligence service — to elicit feedback from foreign experts on topics of interest. Direct participation abroad would also very likely enable BIETA to spot experts working on similar issues that could be approached for collaboration or targeted by state security agents at a later date. Even if BIETA researchers do not travel abroad, BIETA can likely still benefit from international exposure in expert circles that legitimizes the organization if it reaches out to foreign universities or individuals. Past research into MSS tactics has found the intelligence service almost certainly relies “on genuine and internationally recognised academics to open doors, make introductions and gather intelligence.” In this context, the Chinese and foreign co-authors who work with BIETA could become conduits between the MSS and foreign expert communities.
CIII’s Imports
As noted, CIII claims it acts as an agent for US and European network testing, security, and simulation software products. A variety of foreign software is advertised on its website, suggesting (in some cases even stating) that these are the products CIII resells — and those that it almost certainly works with — in providing services related to network environment simulation, penetration testing, and military equipment and operations modeling. Note that CIII may not have direct relationships with the foreign companies named on its website; its aforementioned claims of being an agent for various companies are not verified. As indicated above, the information on CIII’s website may not be current.
Steganography Software
One of the technologies CIII advertises is WetStone Technologies’s StegoHunt, which enables the discovery of steganography in a range of file types. StegoHunt as allegedly sold by CIII almost certainly includes WetStone’s StegoAnalyst and StegoBreak programs. These enable further analysis of and information extraction from investigated files. BIETA very likely benefits from CIII’s access to this suite of foreign steganography tools.
Military Simulation and Modeling
CIII advertises a range of foreign software and services related to communication simulation, 3D modeling, and operational planning for military and defense-industry use cases. These include “consulting and development” for third-party applications using Systems Tool Kit (STK) and Orbit Determination Tool Kit (ODTK), programs developed by the US-based Ansys Government Initiatives (AGI). Atoll, OPNET, RCS-Analyzer, WRAP, VEGA Prime, and MAK VR-Forces are other foreign software advertised on CIII’s website. CIII also offers a “3D digital electronic sand table,” claiming “full military simulation production technology.” If the digital sand table referred to on CIII’s website is not itself a foreign product, it almost certainly benefits from the foreign software to which CIII has access and for which CIII develops applications.
In about 2010, and no earlier than 2009, CIII very likely gave a presentation to the PLA or China’s defense industry on QualNet and EXata. Developed by the US-based Scalable Network Technologies (SNT), these software products enable simulation, emulation, and analysis of communication networks. The almost certain purpose of the presentation was to sell the value of these and related software programs — such as VisNet Defense, Network Centric Forces, and VR-Forces — for China’s military and defense industry modernization. One slide in the presentation is titled “Start Our Complex Network — LandWarNet,” which explains how the US Army’s LandWarNet is structured. According to the presentation, CIII’s clients include PLA Electronic Engineering Institute (解放军电子工程学院; now part of the National University of Defense Technology [国防科技大学]); several of the group of universities known as the “Seven Sons of National Defense” (国防七子); and the state-owned defense contractor China Electronics Technology Group Corporation (CETC; 中国电子科技集团公司).
Network Simulation and Penetration
CIII advertises a number of “network functionality testing tools” and a “network offense-defense electronic range” from foreign providers. CIII almost certainly uses these products in its penetration testing activities and sells them to others engaged in similar activities. Products in the former category include a “network application layer functionality testing tool” called IxChariot that was developed by the US-based business Ixia, which was acquired by Keysight Technologies in 2017. Among other products, CIII also advertises equipment from Spain’s ALBEDO Telecom, including Net.Storm “network impairer,” Net.Hunter “network monitor and analyzer,” and Ether.Giga “gigabit ethernet tester.”
In the latter category — “network offense-defense electronic range” — CIII advertises Ixia’s (now Keysight’s) BreakingPoint cyber range. Cyber ranges have legitimate defensive applications, such as simulating cyberattacks to strengthen an organization’s cybersecurity posture. They can also be used for training capabilities related to “‘target scouting, information theft, network intrusion … information or service destruction, and other attack methods’, as well as for evaluating the ‘attack effects’ of various attacks,” according to authoritative Chinese military sources.
Other Applications
In 2016, CIII registered a “Datacrypt Hummingbird online storage upload software” (Datacrypt蜂鸟网盘上传软件) for copyright. “Hummingbird” is likely a reference to “a lightweight encryption and message authentication” base-level algorithm (a “primitive”) first published during a 2009 conference organized by the Research Institute for Symbolic Computation in Austria.
According to CIII’s website, the IDC it operates in Beijing makes use of these open-source and US technologies: a Cacti “network traffic monitoring platform,” Multi Router Traffic Grapher (MRTG) “network traffic monitoring,” and a SolarWinds “network load monitoring platform.”
In addition to the aforementioned lines of business, BIETA and CIII also have or once had production lines for producing thick film circuits, micro-circuits, surface mounts, and bare chip mounts that relied on imported foreign machines from the US and Japan. BIETA and CIII claim to produce communication equipment interface circuits, automobile ignition circuits, process-controlled switching and military-use analogue-digital/digital-analogue (AD/DA) converters, and “public security security inspection circuits” (公安安检电路) among other items. All of the machines and images related to this activity on BIETA’s and CIII’s websites are older, likely dating at least to the 1990s or early 2000s. How active these production lines are as of this writing is unknown.
Implications for Understanding the MSS
Discovery of BIETA’s almost certain affiliation with the MSS brings additional clarity to the MSS’s role in offensive Chinese cyberspace and cyber-enabled intelligence activities, and to the MSS’s organizational structure. The MSS — which sits atop a network of sub-national, semi-autonomous state security organizations — very likely plays a supporting role in cyberspace operations. BIETA’s research is almost certainly used to create technologies that enable the MSS’s mission. The MSS then likely makes capabilities benefiting from BIETA’s achievements available to subordinate state security departments, bureaus, and officers, which in turn provide them to their contractors or proxies. In the field of steganography, these technologies likely include programs to covertly transmit information and programs to detect information covertly transmitted by the CCP’s adversaries.
This model, wherein the MSS’s research institutions or partners very likely support the development of technology that is distributed to others throughout the state security apparatus, is supported by prior research and evidence. First, the MSS very likely evaluates vulnerabilities submitted to national vulnerability databases, including one run by the MSS-subordinate CNITSEC, for their utility in cyber espionage, almost certainly to distribute these to Chinese APTs. Second, as mentioned, state security intelligence officers have reportedly “received malware from the MSS to be used against foreign victims” in known cyber espionage cases. Third, state security intelligence officers have provided malware to cyber threat actors and provided recruited foreign assets with COVCOM devices and steganography training. Cyber talent at the provincial level of the state security system — which is more directly involved in managing offensive cyber operations — likely also develops tools for operational use.
Additionally, the overlap between BIETA and CNITSEC personnel likely indicates that both organizations were organized under the former 13th Bureau, and that this bureau’s remit was likely much broader than just network security as most public attention to CNITSEC suggests. Aligning with the aforementioned references to former CNITSEC Director Wu Shizhong as the head of the “MSS Science and Technology Bureau,” the MSS’s former 13th Bureau likely also oversaw the development of various technologies relevant to the MSS’s intelligence, counterintelligence, and investigative responsibilities, likely to include some biomedical research. However, the remit of the MSS’s former 9th Bureau likely covered communications surveillance and security, surveillance and forensic technology, and cybersecurity research through the Nanjing Institute of Information Technology (南京信息技术研究院). It is, therefore, also plausible that BIETA was organized under the 9th Bureau. The MSS’s organizational structure has changed since 2018; the former 13th Bureau’s new number is unknown, and the former 9th Bureau has become the 14th Bureau, though it is unconfirmed whether the new 14th Bureau retains a cybersecurity remit.
Outlook
Public evidence of the MSS’s very likely vast network of front organizations and co-optation of entities for intelligence activities is increasing. This evidence includes cybersecurity companies engaged in offensive operations, universities leveraged for intellectual property theft, non-profit organizations used for social influence, and now — almost certainly — research institutes and their subordinate firms established to provide technology enablement.
BIETA and CIII almost certainly pose technology transfer risks. How often BIETA and CIII conduct business outside of China or collaborate with foreign experts is unknown. However, foreign export control authorities concerned about the Chinese intelligence community and military’s access to COVCOM technologies like steganography, network simulation, penetration testing, and 3D and communications modeling technologies should review these entities. They should consider warning government and military officials in their countries about these organizations’ assessed links to the MSS and PLA and potentially add them to lists of organizations for which approval is needed to export sensitive technology.
Foreign academic institutions and businesses with activities related to COVCOM, network penetration, network simulation, advanced modeling, and forensic technologies should, during security training, advise staff about risks stemming from engagement with anyone asserting a BIETA or CIII affiliation to avoid inadvertently contributing to the capabilities of the MSS, PLA, and wider Chinese party-state security apparatus. Academics or staff who are approached by either organization should be instructed to report this to appropriate security contacts. More generally, before agreeing to any transaction involving sensitive or potentially sensitive technologies, academic institutions and businesses should attempt to thoroughly investigate their would-be partners or clients.