Chinese intelligence increasingly setting sights on Estonia

5G testing park at Huawei's headquarters in Shenzhen.
5G testing park at Huawei's headquarters in Shenzhen. Photo: Jason Lee / Reuters / Scanpix

In December of 2013, an Estonian foreign ministry official discovered a document that had been attached to an email they had received. At that precise moment, their computer was taken over by a group of hackers who are believed to be working with the blessing of the Chinese government. The hackers’ goal was to gain access to cryptographic keys Estonian diplomats use when communicating with partners.

Estonian authorities discovered the incident over a month later, in early 2014. Even though Chinese hackers managed to access the computer, they did not find what they were looking for.

It has been claimed that the cyberattack against the Estonian Ministry of Foreign Affairs was part of a wider Ke3Chang operation aimed at the foreign ministries of several EU member states that began in 2010 but reached its zenith in 2013-2014. Phishing letters aimed at specific public servants promised nude photos of the wife of a former French president and model Carla Bruni in some cases. In others, letters seemed to offer delicate information on international relations – for example, US military plans in Syria.

Security of vital infrastructure, including cyberspace, is one problematic area of EU-China relations, a European Commission strategy document concludes. Diplomatic and security sources confirm that Chinese intelligence is becoming more active in the region, whereas Beijing is mainly interested in EU and NATO topics.

In a situation where the Baltic countries lack sufficient technological know-how and where our main ally USA is applying pressure, Estonia, Latvia and Lithuania must make an important decision in the midst of clashing world superpowers: whether to allow Huawei to participate in the building of the next-generation 5G network or not. The decision seems to be gravitating toward an “indirect no” right now.

New possibilities, new dangers

5G networks will soon connect billions of different objects, from self-driving cars to toasters on kitchen tops so to speak. Compared to 4G technology, 5G speeds and data volume will grow by multitudes. This makes them more difficult to protect from eavesdropping and data theft.

“In the internet of things, every device will be connected. This means that causing chaos and panic in society will become very easy. What would happen if someone took down all ATMs and card terminals? A country could be brought to its knees in two days,” said head of State Information System’s Authority (RIA) Margus Noormaa. “It is likely that the Chinese could not keep tabs on all 5G traffic. But if you can get your technology into networks when they are still being built, you will stay there for a very long time.”

Huawei Technologies is the world’s leading telecommunications equipment manufacturer that has come under criticism following claims the Chinese government can use its technology to further its intelligence agenda. There are serious concerns of whether Huawei can be trusted in many countries, while USA and Australia have already decided not to allow the company’s hardware to be used in its 5G networks.

Estonia is about to become the first Baltic country to decide to keep Huawei away from its networks. Postimees was told this much by three sources.

The decision was made by the government’s security committee in early July. The working group will publish its official recommendations in September that will be followed by a government regulation. Because the government does not want to anger China, it is possible the red tape surrounding the decision will be left up to the Technical Inspectorate. “The phrasing will likely be very vague and avoid mentioning China or Huawei,” a source told Postimees. It is probable that companies whose products will be used to construct the network will need a European security certificate.

“Our main problem is that we do not have the capacity to independently test the technology. This means that we need to rely on the assessments of USA and other Western allies when making decisions; for example, concerning Huawei,” Noormaa said. Even though Huawei devices are cheap and often of higher quality than those of its main competitors, “decisions regarding China will be made based on the example of our partners in Europe and America.”

Latvia and Lithuania remain indeterminate

Latvia and Lithuania are avoiding making public statements on the issue. “5G is a control system, not just a communications network. A hole in such a system would spell trouble,” Minister of Defense for Lithuania Raimundas Karoblis said in June.

The Lithuanian defense ministry has pointed out that Chinese technology will not be used in sensitive military structures. In its 5G threat assessment sent to Brussels, Lithuania urges the EU to compile a blacklist of tech companies.

Latvia’s transport ministry that is also responsible for telecommunications told Re:Baltic that it has no evidence to suggest Huawei has misused its technology, while the ministry is waiting for the issue to be raised on the EU level.

Latvia’s solution might be akin to what Estonia is set to do first and others might decide to do later. The European Commission is considering amending the 2016 cybersecurity act that obligates vital infrastructure companies to comply with certain security requirements. “Adding 5G networks to the list of vital infrastructure would make it impossible for member states to use devices from countries or companies suspected of espionage and sabotage,” Reuters reported.

Despite its public restraint, Latvian security services have been wary of Chinese technology for years. When President Valdis Zatlers visited China in 2010, he was given a Huawei video conferencing system. “Using it inside state infrastructure would not have been a good idea,” Zatlers recalled the reaction of security services. The president gave the present to two hospitals for improved consultations. “The Chinese ambassador and I were on the first call. Everything worked well,” he said.

However, Huawei is not without levers. Latvian mobile phone operator Bite Latvia has a 5G network contract with the Chinese company. In Estonia, Elisa planned to sign a similar agreement. Bite claims it has not found security flaws with Huawei products and is not planning to go back on the contract. The company recently announced it will be joining forces with Tele2 for the construction and operation of its 5G network and that the cooperation would also concern Lithuania.

To promote the safety of using Huawei technology, the company’s Vice President for Cybersecurity Mika Lauhde visited Riga this February. He met with representatives of the media and, according to a Huawei spokesperson, also with members of the government. Representatives of the ministries for transport, defense and interior as well as the prime minister’s office denied having met with Lauhde. Huawei’s Baltic headquarters did not answer questions by Postimees and Re:Baltica.

In order to develop next-gen networks, telecoms need access to 5G frequencies that are distributed at national auctions. So far, auctions have only been held in Latvia, with LMT and Tele2 getting the frequencies.

The 5G auction in Estonia became mired in litigation as Levikom is demanding four permits instead of the planned three. The auction has been halted twice also in Lithuania. Operators are nevertheless testing networks in Estonia and Lithuania.

Defense forces data moved through Chinese cables

Chinese state-owned CITIC Telecom CPC acquired Dutch Linx Telecommunications two years ago, also gaining Linx’s Estonian branch. This means that the Chinese now own a part of undersea data cables connecting Estonia to Finland and Sweden as well as, equally importantly, the devices at either “end” of the cables.

RIA holds a tender to find an external connections service provider every two or three years and always involves two bidders to manage risks. While CITIC is not offering that service at present, the Estonian Defense Forces has a direct contract with the Chinese firm and three-quarters of the army’s external internet connection moves through CITIC’s devices and cable.

“You need to trust both the service provider and device manufacturer as both can play dirty,” said head of RIA’s Computer Emergency Response Team (CERT) Tõnu Tammer. He added that the unit has had unpleasant experiences with the Chinese. “They have the ability. There is history to suggest they are doing it. And they have a law obligating companies to work with intelligence services. These are the three preconditions.”

Tammer admitted that a sufficient level of encryption of the data moved through the cables should mitigate threats. “The service provider can copy the data and forward it to someone else, but if they do not know how to read it, there is little they can achieve.”

The defense forces told Postimees that the contract is from the mid-1990s and is open-end. “The defense forces cyber command has the tools and measures required to manage risks and ensure cybersecurity,” the army communicated.

The state has no clear overview of industrial and economic espionage aimed against Estonian companies as companies are not obligated to report incidents. But there have been several.

“Phishing attempts are an everyday occurrence,” said Taavi Madiberk, one of the founders of supercapacitors manufacturer Skeleton Technologies. For Madiberk, who has invested heavily in cybersecurity and hygiene, other tricks are equally frustrating.

“There was an incident at our plant in Germany where a Chinese delegation wearing suits demanded to access the production floor, pointing to an alleged agreement with the board,” Madiberk said. Other cases have seen representatives of Chinese companies shadow Skeleton’s employees at conferences and even attempt to record private conversations.

Arno Kütt, founder and head of package delivery robots manufacturer Cleveron, said how a company called Hangzhou Dongcheng Electronic stole one of Cleveron’s designs and patented it in China. Kütt said the Chinese company then tried to sell Cleveron the right to market the product in China, asking for the company’s European and US patents in return. “Naturally, we did not agree.”

Warnings but no spies

Both the Estonian Internal Security Service (ISS) and the Foreign Intelligence Service recently warned against recruitment attempts by Chinese intelligence that are becoming more frequent. The ISS warned that public servants and specialists are approached in online environments and offered well-paid work and trips abroad.

“The security service believes these attempts are made mostly by Chinese special services and that compiling seemingly innocent summaries or analyses for money might lead to deeper cooperation where the other side might ask for or demand state secrets or other confidential information.”

There is no information of a Chinese spy having been caught and convicted in any of the Baltic countries.

Five sources told Postimees that the Chinese embassy in Estonia and its two dozen diplomats “is unexpectedly large”, while its public activity does not seem to reflect it. The Chinese embassy rivals those of USA and Russia in terms of the number of accredited diplomats. The UK embassy is noticeably smaller. Postimees received any reply from the Chinese embassy in the past week.

The Estonian Foreign Intelligence Service wrote in its recent report that China has become more active in conducting influence operations and spreading propaganda, is looking for contacts and closer communication with public servants, local government representatives and politicians of other countries and consolidating their influence over them. According to the report, China is consolidating contact between society and scientists and developing cooperation between think tanks. “Contacts born out of positive involvement might lead to recruitment attempts by special services.”

Chinese recruiters are aggressive when their target is in China. That is where attempts take place. “When the target makes a mistake, they are quickly approached. If you don’t make a mistake, you are invited back,” an expert source said.

Rules in place for Estonian top politicians and officials visiting China require them to have two phones one of which has no data and is only used to conduct private business. Communication can only follow secure channels, such as the Signal or FaceTime apps.

Members of delegations are strongly recommended not to take with them personal phones or computers that hold sensitive data. When President Kersti Kaljulaid visited China a year ago, a member of the delegation ignored the warning. Their computer crashed so thoroughly in Beijing that it was impossible to restore. No one knows why it happened.

In March of 2019, when the Huawei drama was unfolding between USA and China, PM of Lithuania Saulius Skvernelis met with the US ambassador. Even though the topics were not made public, Reuters reported that the ambassador urged Lithuania to block Huawei, saying that “the company’s 5G devices could endanger allied troops.” The PM met with the Chinese ambassador a week later. While Skvernelis admitted the ambassador broached to topic of Huawei, he believes the matter should be discussed on the EU level.

The meeting took place right after Lithuanian security services published their first warning about Chinese intelligence. After the report was published, the Chinese embassy in Vilnius expressed its “shock and surprise” and said that China was not a threat for Lithuania. “The report on the so-called threat of Chinese intelligence is completely unprofessional, unobjective and irresponsible,” the embassy’s statement read.