Photographer: Andrey Rudakov/Bloomberg

China’s Hacking Decline Signals New Era or Just Shift in Tactics

  • Military pulls back from hacking, cybersecurity firm reports
  • Question is whether China’s hacking is being contracted out

The U.S. has curbed hacking by China’s military. The trouble is the battle may be moving to another front.

Chinese military hackers attempted to steal troves of confidential information from the U.S. Office of Personnel Management in 2014 and failed. But China got the data anyway: It passed the job to contractors -- a group code-named Coldcuts by the U.S. -- who worked on their own or for private companies to conduct a dragnet for sensitive data from government, airlines and health insurers.

The new information about those incursions, confirmed by two people involved in the investigation who asked not to be identified because the details remain confidential, suggest a possible shift in cyberstrategy by the Chinese government, which has long said its behavior is no different from that of the U.S.

That shift makes the question over whether China is keeping a promise that it won’t hack U.S. companies for technology and personal data a challenge to answer. The Chinese military’s pullback is quantified in a report issued Monday by security firm FireEye Inc., which shows a dramatic decline in hacking over three years. Since August, attacks from known Chinese hacking groups with a connection to state interests has dropped more than 80 percent, FireEye found.

QuickTake Cybersecurity

That’s a success for the Obama administration, which has ratcheted up pressure, including through criminal indictments and in meetings with top leaders, in the hope of lessening tensions in cyberspace between the countries.

‘Steep and Steady Decline’

"It’s a steep and steady decline, and a relatively abrupt one," Kevin Mandia, FireEye’s chief executive officer, said in an interview. "The bottom line is that based on all our observables -- our researchers, our Mandiant responders, the activity in customer networks -- the scale and scope of Chinese espionage has dramatically reduced."

What the report doesn’t answer is how much China-based hacking has moved to harder-to-track contractors who provide a level of deniability to the government. Some of the 72 groups tracked in the report are small or relatively new, and China’s hacking scene has become more fragmented as former military hackers set up business on their own, said Laura Galante, director of threat intelligence at FireEye.

It could take the U.S. years to infiltrate those networks and gauge their effectiveness, a task it will undertake even as it also tries to track increased activity from state-backed hackers from North Korea and Pakistan to Russia and Iran.

FireEye’s detection technology depends in part on matching breaches to a deep archive of tools and infrastructure used by state-sponsored groups. U.S. intelligence agencies use a classified version of similar data to track activity of those groups.

“It’s extraordinarily difficult to verify if that drop is real,” said Bob Stasio, a former member of the National Security Agency’s offensive cyber unit and a fellow at the Truman National Security Project. “It’s very easy to hide much of that activity by shifting it to the private sector, universities or unaffiliated actors.”

Contractor Model

One former intelligence official directly involved in the OPM investigation, who asked not to be identified because some details of the probe are still classified, said several countries, including Russia, make liberal use the contractor model.

FireEye’s new report has particular credibility coming from the company that purchased Mandiant Corp., which produced a ground-breaking report in 2013 on Shanghai-based hacking operations by China’s People’s Liberation Army and the targeting of commercial companies in the U.S. and Europe.

FireEye tracked cyber activity of 72 groups, suspected of being based in China or operating in support of Chinese interests, going back more than three years. The company, based in Milpitas, California, said it monitored 262 incidents of network compromise, in which groups got remote entry into a target’s network.

The company attributes the shift to measures taken in recent years by the Chinese government as well as the U.S. Starting in 2013, there was heightened exposure of Chinese hacking as more information became public and the U.S. took several steps, including indicting five Chinese military officials in 2014 on charges that they stole trade secrets from companies including Westinghouse Electric Co. and United States Steel Corp.

‘Widespread Exposure’

Last year, China’s President Xi Jinping and U.S. President Barack Obama reached an agreement vowing that they wouldn’t condone hacking to steal commercial secrets. After meeting with Xi, Obama pointedly said he hadn’t ruled out resorting to sanctions if their agreement was violated.

“We suspect that this shift in operations reflects the influence of ongoing military reforms, widespread exposure of Chinese cyber operations, and actions taken by the U.S. government,” FireEye said in its report.

Pledges to diminish Chinese intrusions were often met with skepticism by researchers and some in the U.S. intelligence community, who had seen China’s hacking operations over a decade hit thousands of companies, universities and research institutes in the U.S. and Europe.

The company said there are “strong indications” that the 72 groups it’s tracked are based in China or support Chinese interests, based on various indications, including similarities in the types of malware, language settings, hours of operation and the type of data targeted.

Despite the decline in threats from China, not all hacking has stopped. From late 2015 to the middle of this year, 13 suspected China-based groups have compromised corporate networks in the U.S., Europe and Japan as well as targeted government, military and commercial entities in countries surrounding China.

Recent Examples

The FireEye report cites several recent examples. From April to May, three groups compromised the networks of four firms based in the U.S., Europe and Asia that are involved in semiconductors, while one group compromised a network at a “high-tech” U.S. company by accessing login credentials and deploying backdoors into systems.

In another recent case, a group apparently tried to obtain information related to U.S. military projects, deploying backdoors into the target’s web servers and accessed credentials at a U.S. government services company.

“We are still seeing activity,” Jordan Berry, FireEye’s principal threat intelligence analyst, said in a an interview. “We see the same kind of activity but on a much lower scale.”

Even if China is changing tactics, Mandia said, the activity of new or upstart hackers is still less than the former operations of the military groups "by orders of magnitude."

"We would still detect the activity of contractors in some form," he said.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE