Expert Commentary

Chinese Cyber-Spies Target Asian Neighbors

John Hultquist
Manager of Analysis, FireEye

It has been three years since the Obama Administration publicly indicted five Chinese military officials for hacking U.S. companies, a move that prompted negotiations to halt economic cyber espionage intended to benefit Chinese economic competitiveness. The Cipher Brief spoke with John Hultquist, the Manager of Analysis at FireEye, about the current state of Chinese economic espionage and its apparent decline in the West despite being previously referred to as the most significant transfer of wealth in modern history.

The Cipher Brief: Could you describe, from a historical perspective, how Chinese cyber espionage has evolved over time? What is it primarily trying to accomplish, and where are attacks occurring?

John Hultquist: Chinese actors have relied on cyber as a tool of espionage for well over a decade now. Like most actors, national security has always been a major concern of theirs. This has consequentially resulted in them targeting both neighboring nations and internal dissident problems, such as Tibetan leaders, Falun Gong, and Hong Kong democracy activists. It has also involved targeting foreign governments with an interest in the region, such as the United States.

But what always set China apart is their willingness to use cyber espionage to target the private sector, which flouts international norms. China is absolutely a global menace targeting the private sector, as well as civil society, and their cyber campaigns can be found virtually anywhere. The sheer scope of their espionage against the private sector clearly distinguishes them.

There have been several attempts to rein in Chinese cyber espionage, such as diplomatic overtures, indictments and other efforts. But it was not until 2014 that we saw a decline, which actually preceded the September 2015 agreement between former President Barack Obama and Chinese President Xi Jinping, known as the Xi Agreement. Since then, with only a few exceptions, we have not seen significant evidence of economic espionage in the West. We still see pockets of activity in Scandinavia, for instance, but that is the exception, not the rule. In Asia, economic espionage continues unabated.

We also continue to monitor cyber activity that doesn’t appear to be for competitive industrial advantage, but rather political, diplomatic, or military espionage. Additionally, we still see pockets of activity against the private sector. Another current focus area for them is Scandinavia, though we see activity across the globe, even in the United States. However, generally in the West, we are primarily looking at political and diplomatic espionage following the Xi Agreement.

TCB: Multiple Western countries have made the distinction between economic and political cyber espionage, leading some – such as the U.S., U.K., Germany, and, more recently, Australia – to foster agreements with China to stop economic espionage. How does economic espionage look in practice that distinguishes it from political espionage?

JH: There are very few cyber espionage actors that also conduct economic espionage against the private sector. In practice, there are two forms of economic espionage. First, there is the theft of intellectual property. This includes anything from business plans to blueprints, which are stolen from an organization for the creation of similar products and exploitation of their products. Second, there is the theft of business intelligence, which can be used for competitive advantage in the marketplace. This type of activity could be as simple as gaining access to some of the emails of a competing organization and leveraging that information in a negotiation. For example, we have seen incidents where Chinese and American organizations are in the midst of negotiations for a major deal that goes south after there was a compromise of the American company’s systems.

TCB: Does China spy on industry for political, rather than economic, reasons?

JH: Yes, we do see targeting of the defense industrial base, which straddles the line between the private industry and the government space. A lot of the private intellectual property the defense industrial base is working with has military applications, and several actors in this space regularly target them. For example, in South Korea – where there is no agreement against this kind of activity – we have seen private firms targeted. Also in Japan, we regularly see large conglomerates targeted by these same actors. But it is important to remember that those South Korean and Japanese conglomerates are also part of the defense industrial base. Many of their products have military applications, so even with an agreement to stop economic espionage, they could find themselves straddling that line between political and economic value, which is outside of the intent of the diplomatic agreements.

TCB: Can you talk about economic espionage through proxy, such as through criminal groups or private companies?

JH: The hand of the government in these incidents can be very difficult to find. We often see these actors use third parties such as government contractors to conduct their cyber espionage campaigns. There is a robust marketplace for defense and intelligence contractors in China, which are likely connected to this activity. Similarly, we have seen the Russians dip into their criminal underground on several occasions, where there is a plethora of talent and capabilities.

Regarding attribution despite use of proxies, there are several occasions where we have been fortunate enough to identify government organizations and their association to the cyber activity in question. In other cases, we have to make a judgment based on the evidence available by asking ourselves who would be the most likely end user of this activity. If we have been watching this activity for several years, we can get a pretty good idea of what kind of end users could be engaged.

For instance, when we look at things like the targeting of internal dissidents, the list of groups with an interest in spying on Tibetan dissidents in China is fairly short. The list of organizations that could take advantage of plans to build a next-generation fighter jet is also fairly short. This is one of the factors that really separates espionage activity from criminal activity. While criminal activity is focused on interchangeable commodity data that has a fairly fixed price in the underground, espionage targets static data that is advantageous for only a few people.

TCB: Do you think China could eventually see economic espionage as counter to its own interests in that it eventually wants to be an innovation hub and therefore doesn’t want to normalize the idea of economic espionage?

JH: Even the most advanced countries can make some use of the fruits of economic espionage. Even a country with the most advanced intellectual property may still find itself in a situation where they can leverage economic espionage to their advantage in the marketplace and when negotiating with others. The real downside to conducting economic espionage is the diplomatic costs to the sponsoring country. If the diplomatic costs are greater than the fruits of economic espionage, countries may choose not to take part.

TCB: Would the best deterrence strategy then be to publicly announce when countries engage in economic espionage?

JH: Yes, or use other national tools to pressure countries as they carry out this activity. The problem, of course, lies in the attribution of this activity – or at least to a level of attribution acceptable internationally. Cyber economic espionage is also a very efficient and inexpensive means for countries to get ahead. The talent that carries out this activity can cost next to nothing – lots of times they are actually military conscripts. The tools can be gathered right out of the underground from criminals who may already be indebted to the state after being caught in the act. Even so, these cheap tools and talent can return value literally overnight – a better prospect than traditional intelligence collection methods like human intelligence, which are time-consuming, resource-intensive, and costly. 

The Author is John Hultquist

John Hultquist is the Manager of Analysis at FireEye, where he leads the intelligence analysis team that tracks cyber espionage threats for government and commercial clients. Prior to its acquisition by FireEye, Hultquist led iSIGHT Partners' cyber espionage practice and was responsible for creating the Cyber Espionage reporting line. He has over nine years' experience in covering emerging threats in cyber espionage and hacktivism, working in senior intelligence analysis positions in the...
