Safeguarding our secrets
China’s military intelligence services use Western online job platforms to lure Five Eyes nationals with access to sensitive information
The threat
China’s military intelligence services are using an increasingly wide array of professional networking sites and online job platforms to target Five Eyes government and military personnel—and anyone with access to classified or privileged information.
These actors use an aggressive online recruitment strategy whereby intelligence officers or their affiliates pose as employees of private consultancies, think tanks or human resources (HR) firms, and place online job advertisements for foreign policy and defence analysts (or similar).
Successful candidates are pressured to provide “non-public” information for unspecified clients who are associated with the Chinese government. China's military intelligence services ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes.
Who is at risk?
Chinese intelligence officers attempt to recruit and cultivate long-term relationships with the following types of individuals in exchange for classified or privileged information:
- Security clearance holders, particularly those who specialize in defence, foreign affairs and security & intelligence.
- Military personnel, including those stationed in the Indo-Pacific Region with knowledge of regional capabilities and general activities.
- Persons with either indirect or peripheral access to government information, e.g., academics, journalists, freelance writers, think tank employees, or anyone with links to defence, security, policy and economic sectors.
Recruitment
Chinese intelligence officers pose as online HR recruiters or consultants who represent fake, but often legitimate-looking, “cover companies” and claim to be located in countries other than China.
- First contact
Recruiters post job ads on professional networking platforms and online hiring and freelance “gig work” websites like LinkedIn, Indeed and Upwork. Resumes are ranked based on likelihood of access to sensitive information; recruiters begin their contact strategies.
- Interview
When they are required, interviews are held virtually. Recruiters conceal their identity, and may start probing applicants about access to government contacts. Military members may be asked about their roles and unit activities, home base or naval vessel.
- Initial testing
Candidates are asked to write a trial report on a topic such as China’s bilateral relations, the Indo-Pacific Region and related defence issues, or international trade.
- Subsequent requests and platform shift
Recruits are informed that for additional reports, the client requires more privileged information. At some point in the recruitment process, intelligence officers typically move the conversation to a more “secure” platform, such as encrypted messaging applications.
- Payment
Recruits receive anywhere from a few hundred to several thousand dollars per report, and may be offered more money in return for increasingly sensitive information. Payment methods include third-party payment platforms, such as PayPal, Payoneer, Zelle, Skrill, and Wise, as well as Western Union, e-transfer and cryptocurrency. Recruits will often be compensated by an account belonging to an individual they had not met as part of the recruitment process.
Why does it matter?
While applicants often have no direct access to classified information, even unclassified information on government policy, or on military strategy, capabilities and installations, can be collected and combined with more sensitive reporting to form a comprehensive operational picture.
Certain types of data can place the lives of frontline military or other personnel at risk, can weaken our economic prosperity, and enable interference in our democratic processes.
Applicants who provide their resumes and other personally identifiable information risk compromises of personal privacy.
Individuals engaged in the unauthorized disclosure of sensitive or classified information could face a number of consequences including prosecution under national laws such as those relating to espionage.
Five Eyes agencies have identified individuals who have undertaken these activities, leading to criminal prosecutions, job losses, and security-clearance revocation.
Reporting incidents
If you or someone you know is being targeted via any of the means listed above, contact your institution or department’s corporate security office for further guidance and direction. Our respective agencies are liaising with corporate security offices regarding this threat.
Canada:
- To report non-immediate threat information related to national security, contact the Canadian Security Intelligence Service by phone at 613-993-9620 or online at www.canada.ca/en/security-intelligence-service/corporate/reporting-national-security-information.html
References in this alert to any specific commercial product, process or service, or the use of any corporate name, are for informational purposes only and do not constitute an endorsement, recommendation or disparagement of that product, process, service, or corporation on behalf of the Five Eyes intelligence community.
Foreign intelligence services’ online recruitment
Foreign intelligence services use professional networking sites, forums and other social media platforms to recruit Canadians working in sensitive positions in the public, private and academic sectors. They will also attempt to recruit the friends and family of these individuals. Foreign intelligence services and their proxies use the cover of legitimate and legitimate-sounding private companies (e.g., HR firms) to approach individuals, hiding their links to a foreign state. This activity poses a threat to national security because successful recruitment provides these foreign governments with Canadian information, knowledge and/or technology considered to be of high strategic interest, and undermines Canada's safety, security, and prosperity.
How foreign intelligence services recruit Canadians
- Online targeting
Recruitment targets are identified and researched by collaborating proxies.
- Approach
Initial approaches are conducted under cover via recruitment websites, with follow-up communication moved to secondary platforms (e.g., social media) or email at earliest opportunity.
- Initial testing
Target is asked to write reports for clients in exchange for payment.
Target may be invited to a virtual meeting or an in-person meeting in a foreign state and formally introduced to clients who are actually foreign intelligence officers.
- Recruitment
Recruited individuals begin receiving regular payments in exchange for privileged, sometimes confidential, information.
Recruiters may not reveal their true affiliation in order to preserve targets’ plausible deniability.
How to recognize recruiters
The following characteristics and tactics are highly typical of foreign intelligence services’ recruiter profiles.
Make a habit of evaluating the profiles associated with new networking requests before accepting them.
Profile picture
- Attractive individual
- Standard business setting
- Can often be reverse image-searched
- Young profile photo and senior job title do not match
Profile name
- Commonly used name
Company affiliation
- Generic consultancy or recruitment company
- Reference to government contacts, state-owned enterprises
- Spelling mistakes
Contacts
- Contacts, many of them mutual friends, added to enhance the legitimacy of the profile
How to recognize job posters
The following characteristics and tactics are highly typical of foreign intelligence services’ recruiter job postings.
Look and feel
- Spelling or grammatical mistakes
- Generic job description
- Unrealistic or “too good to be true”
- Issues related to Indo-Pacific region, including Western military activities
- Bilateral trade relations and policy
- Interest in non-public information and insights
- Individual’s network for further potential recruitment opportunities
Skills and expertise
- Seeking analysts specializing in “risk,” “geopolitics,” “defence,” or “foreign affairs”
- Limited experience required for an “expert” position
Payment methods
- Unconventional payment methods (e.g., cryptocurrency)
- Payments from accounts lacking clear connection to the company
- Promise of higher pay for “non-public information”
Company background
- Limited history, website or online presence
- Company website contains broken links
- No physical address
What to do if you think you have been targeted
If you are unsure about the legitimacy of a potential employer, demand more information. If they cannot provide basic details about their company and there is limited corporate information available on the Internet, the company may be fake.
CSIS
For national security threats
- Phone: 613-993-9620
- Web: www.canada.ca/en/security-intelligence-service/corporate/reporting-national-security-information.html
RCMP
Law enforcement matters
- RCMP National Security Information Network: 1-800-420-5805
- Online crime reporting portal: rcmp.nsin-risn.grc@rcmp-grc.gc.ca