The last six months have seen a series of extraordinary revelations by US government officials, who have stated that China-based actors are responsible for an extensive industrial cyber espionage campaign and, further, have linked this activity to the Chinese government itself. This started in October 2011 when the Office of the National Counterintelligence Executive issued its 2011 report on Foreign Economic Collection and Industrial Espionage, which is available here. The report has many interesting details and is well worth reading, but the key paragraph comes from the executive summary.
"Chinese actors are the world's most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."
This is the first time the US government has officially named Chinese actors as carrying out extensive cyber espionage, but it is worded carefully so as not to say the Chinese government or name any entities within China. Then in January 2012 Mike McConnell, Michael Chertoff, and William Lynn, writing in the Wall Street Journal, stated something stronger, naming the Chinese government as responsible.
"Evidence of China's economically devastating thefts of proprietary technologies and other intellectual property of U.S. companies is growing exponentially, and only in October 2011 were the details declassified in a report to Congress by the Office of the National Counterintelligence Executive. By contrast, as a matter of official national policy, the United States does not engage in or allow economic espionage."
The full article is available here.
Then, from a Senate Armed Services Committee hearing on Cyber Command in March 2012 (transcript and video are available here), we have the following.
From Chairman Levin's opening remarks.
Chairman LEVIN. "...General Alexander has stated that the relentless industrial espionage being waged against U.S. industry and Government chiefly by China constitute 'the largest transfer of wealth in history.' The committee needs to understand the dimensions of this technology theft and its impact on our national security and prosperity..."
From an exchange between Chairman Levin and General Alexander (Commander, Cyber Command, and Director, NSA).
General ALEXANDER. "...We are seeing a great deal of DOD-related equipment stolen by the Chinese. I cannot go into the specifics here, but we do see that from defense industrial base companies throughout. There are some very public ones, though, that give you a good idea of what is going on. The most recent one, I think, was the RSA exploits. RSA creates the two-factor authentication for things like PayPal. So when you get on and order something and pay for it over the network, the authentication is done by encryption systems that RSA creates. The exploiters took many of those certifications and underlying software which makes it almost impossible to ensure that what you are certifying or what someone else is certifying is in fact correct.
Now, RSA acted quickly and is replacing all those certificates and has done that in priority order for the Defense Department and others.
But when you think about it, the ability to do it against a company like RSA is such a high-order capability, RSA being one of the best, that if they can do it against RSA, that makes most of the other companies vulnerable."
(The Chinese state actor then used the stolen RSA information to attempt to breach Lockheed Martin and other defense contractors; see, for example, this article in the New York Times.)
From an exchange between Senator McCain and General Alexander.
Senator MCCAIN. "I want to thank the witnesses. I would ask General Alexander. Do you agree that Secretary Panetta and the FBI have said that cyberattacks may soon be the number one threats to the United States?"
General ALEXANDER. "Absolutely, Senator."
Senator MCCAIN. "And would you agree that the major threats to our national security come from outside the United States specifically, obviously from unclassified information, from China?"
General ALEXANDER. "Absolutely."
In late April 2012 Rep. Mike Rogers (R-Mich., chairman) and Rep. Dutch Ruppersberger (D-Md., ranking member) of the House Permanent Select Committee on Intelligence wrote an op-ed for Politico which opens with two very strongly worded paragraphs.
"The Chinese government has been quietly pursuing a strategy to help project that nation into superpower status. China steals as much intellectual property as it can from U.S. companies and uses it to artificially and unfairly compete in the global marketplace. Beijing uses this information to further its military modernization and, most important, to help fuel economic growth."
"Every morning in China, thousands of highly trained computer spies now wake up with one mission: Steal U.S. intellectual property that the Chinese can use to further their economic growth. American companies are hemorrhaging research and development on products ranging from fighter engines, to pesticides, to cutting-edge information technology."
The full op-ed is available here.
Then on 18 May 2012 the Department of Defense released its 2012 report on "Military and Security Developments involving the People's Republic of China", which mentions concerns regarding China and cyber espionage. At the news conference launching this report there was the following exchange between a reporter and Dave Helvey, the acting deputy assistant secretary of defense for East Asia. The official is much more cautious than the members of Congress and only talks about China-based actors.
Q: David, Bob Burns from AP. "On the topic of cyber espionage, which you mentioned very prominently in the report, do you see signs of them accelerating this capability, in particular as it could be applied against U.S. targets?"
MR. HELVEY: "Well, we continue to highlight in this report some of the concerns that we have about China's investment in cyber capabilities. We note that China's investing in not only capabilities to better defend their networks but also they're looking at ways to use cyber for offensive operations. We also highlight a number of areas where we see China engaging in cyber activity focused on computer network exploitation. That continues to be a concern of ours, and we've raised it and we've talked to the Chinese about it, most recently during the Strategic Security Dialogue in Beijing. As well, Secretary Panetta raised that with General Liang in their visit. So this is something that we continue to pay very careful attention to, and we've raised these concerns with the Chinese."
The full transcript is available here.
Turning now to non-government sources, we have the following from the March 26, 2012 testimony of Richard Bejtlich, CSO, Mandiant, before the U.S.-China Economic and Security Review Commission.
"For the most part, our team and I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusion sets ultimately traced back to actors in China. Our intelligence team currently tracks approximately twenty distinct APT groups. These groups include all of the parties identified by reports publicly released by other security companies, as well as actors that we believe are unknown to many of those other companies."
"Most of the APT groups we track target the US defense industrial base (DIB). Some of these groups also target US government agencies, think tanks and political organizations, and other commercial or private targets."
So there are at least 20 distinct groups of cyber espionage actors tied to China. Is further attribution possible? Yes, of course, despite what is commonly said regarding the difficulty of attribution. A Reuters report based on authoritative information clearly attributes at least some Chinese cyber espionage activity to the People's Liberation Army's Third Department Technical Reconnaissance Bureaus. The report also links this activity with the intrusions detailed in the 2009 Information Warfare Monitor report "Tracking GhostNet: Investigating a Cyber Espionage Network"; the subsequent Information Warfare Monitor report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" details similar activity. These reports make for fascinating reading and are available here. A couple of actors involved in these activities have even been named, in particular Lost33 and Yinan Peng. An excellent report on the PLA Third Department is available from the Project 2049 Institute, "The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure". Further information on the PLA and cyber espionage is available from a report prepared for the U.S.-China Economic and Security Review Commission, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage".
Early reporting on Titan Rain suggests that China-based cyber operations have been under way for many years.
Here are some links to useful summaries of significant cyber events over the last few years.
- Center for Strategic and International Studies, cyber events since 2006 report.
- Jamie Metzl at the Asia Society on China and cyber espionage.
- Foreign Policy's The Cable's Top 10.
- Bloomberg report on 760 companies which have experienced cyber espionage intrusions.
- Command Five consulting research papers, here.
Of course, others do it too; see the reports below on Buckshot Yankee.