Tensions with China Increase With Escalating Evidence of Chinese Army’s Cyber Espionage

Over the past two years, the United States has pushed China to be step forward and admit it was engaging in cyber espionage.  Despite a flurry of reports detailing the evidence detailed below, the Chinese government has refused to accept any responsibility leading to a Justice Department indictment of officers from China’s People’s Liberation Army (PLA) cyber espionage unit.

In addition, at least one of the businesses targeted by China’s cyber espionage is calling for retaliatory trade sanctions as a result.

These reports comes at the same time as allegations of Chinese cyber attacks against our allies such as Australia, Canada, Germany, Japan, New Zealand, Taiwan and the United Kingdom gain greater attention.

2013-14: Mandiant Exposes Chinese Army Cyber Unit 61398  as “Advanced Persistent Threat”

In 2013, Mandiant released a report directly linking a unit of the People’s Liberation Army to a massive cyber espionage campaign against foreign business operating in Shanghai.  Among the reports highlights were that:

• the PLA unit was a one of 20 such units identified operating within China;
• the unit has stolen hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since as early as 2006;  and
• 115 of the firms were U.S. based and were primarily blue-chip companies in important industries such as aerospace, satellite and telecommunications, and information technology (strategic industries that were identified in China’s five year plan for 2011 to 2015).

The Obama administration responded swiftly to the Mandiant report, with National Security Advisor Tom Donilon stating the following in a speech to the Asia Society: “Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.  The international community cannot afford to tolerate such activity from any country.  As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.

From the President on down, this has become a key point of concern and discussion with China at all levels of our governments.  And it will continue to be.  The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property.  But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side.  First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations.  Second, Beijing should take serious steps to investigate and put a stop to these activities.  Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”

April 2014: Mandiant Finds China Undeterred, Expanding Cyber Espionage

Mandiant believed its 2013 report provided “a unique opportunity to observe whether revelations of China’s state-sponsored cyber activity could spur a diplomatic solution to the problem of nation-state cyber espionage on behalf of private sector entities.”  Its 2014 annual report, however,  concluded that China had expanded its cyber espionage activities from primarily targeting U.S. defense industrial base to a large variety of industries to make Chinese state operated enterprises more competitive.  “This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.”  Of course, the international backlash from the 2013 report was entirely blunted by Edward Snowden’s revelations.

May 2014:  DOJ Indicts 5 PLA Unit 61398 Officers for Cyber Crimes

In May the Justice Department announced the indictment of five (5) officers from PLA Unit 61398 identified in the Mandiant report for violations of the Computer Fraud and Abuse Act, aggravated identity theft, economic espionage and trade secret theft.  Companies targeted included Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.

Attorney General Holder stressed that “the range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.  Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.  This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

The defendants remain at large within China, who dismissed the indictment as being based on “fabricated facts”.  The Chinese government added that “the Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.”

June 2014:  CrowdStrike Exposes Second PLA Cyber Unit, Operation “Putter Panda”

Just after the Justice Department announced its indictment, CrowdStrike released an even more damming reporting exposing a second PLA cyber espionage unit operating under the codename “Putter Panda” since it targeting executives on golf outings.  The report stressed:

We believe that organizations, be they governments or corporations, global or domestic, must keep up the pressure and hold China accountable until lasting change is achieved. Not only did the U.S. Government offer in its criminal indictment the foundation of evidence designed to prove China’s culpability in electronic espionage, but also illustrated that the charges are only the tip of a very large iceberg. Those reading the indictment should not conclude that the People’s Republic of China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States government and corporations. Rather, China’s decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.

The report exposed another PLA Unit Number  61486 which worked with Unit 61398 and served to “hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries.”  CrowdStrike believed this was compelling evidence of China’s role in state-sponsored cyber espionage, noting “We’ve got the gun, the bullet and the body,”

Aug. 2014:  Community Health Systems Reports Massive Data Breach from China

Community Health Systems, which operates 206 hospitals in 29 states disclosed a data breach affect 4.5 million patient records which it said came from sources in China.  The hackers’ methodology was similar to that used by the PLA unit described in the Mandiant report.  As reported by Gizmodo, “the Chinese hackers didn’t seek out medical information but rather “non-medical patient identification data related to the Company’s physician practice operations.” So they’re either trying to steal identities or figure out how American doctors work.”

Sept. 2014: Senate Report Details Chinese Hacking of U.S. Defense Contractors

Hackers associated with the Chinese government successfully penetrated the computer systems of U.S. Transportation Command contractors at least 20 times in a single year, intrusions that show vulnerabilities in the military’s system to deploy troops and equipment in a crisis, a Senate Armed Services Committee investigation has found.  The year-long investigation found that TRANSCOM, which is responsible for global movement of U.S. troops and equipment, was only aware of two of those intrusions. It also found gaps in reporting requirements and a lack of information sharing among government entities that left the command largely unaware of computer compromises by China of contractors that are key to the mobilization and deployment of military forces.

The committee found that in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors. At least 20 of those were successful intrusions attributed to an “advanced persistent threat,” a term used to designate sophisticated threats commonly associated with governments. All of those intrusions were attributed to China. Among the investigation’s findings:

• A Chinese military intrusion into a TRANSCOM contractor between 2008 and 2010 that compromised emails, documents, user passwords and computer code.

• A 2010 intrusion by the Chinese military into the network of a CRAF contractor in which documents, flight details, credentials and passwords for encrypted email were stolen.

• A 2012 Chinese military intrusion into multiple systems onboard a commercial ship contracted by TRANSCOM.

“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” said Sen. Carl Levin (D-MI)., the committee’s chairman. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”