A new industry report says that the Chinese government has expanded the scope of its cyber espionage despite the greater public scrutiny these operations received in 2013.
The new report was published by Mandiant, now part of FireEye, the same company that in February 2013 published the much discussed APT1 report directly linking a unit of the People’s Liberation Army to a massive cyber espionage campaign against foreign businesses. APT1 was the hacking unit the report profiled.
The APT1 report was one of a number of very public exposures of China’s cyber operations in 2013. Others included the New York Times revealing its website had been repeatedly targeted by China-based hackers (a unit called APT-12) after the newspaper published an article tracing the the massive wealth senior Chinese leaders accumulated while in power. The Mandiant and New York Times’ reports led the Obama administration to raise the profile of cyber issues in U.S.-China relations, an effort that was partially undercut by the subsequent Edward Snowden leaks. The U.S. Defense Department also began more openly discussing Chinese cyber operations against the U.S. military and defense industrial base.
In its new annual report, M-trends, Mandiant explains that the “release of the APT1 report in February 2013 provided a unique opportunity to observe whether revelations of China’s state-sponsored cyber activity could spur a diplomatic solution to the problem of nation-state cyber espionage on behalf of private sector entities.”
It concludes that the exposure has failed to do so thus far. In the report, Mandiant states that APT1 and APT12 responded to being exposed in two ways: first, the units delayed restarting operations ; second, “both groups quickly shifted their operational infrastructure to continue their activities.” Notably, Mandiant found that in the case of APT1, the group had only changed the parts of its infrastructure that Mandiant had exposed in the report, while keeping the rest of its infrastructure in place.
More importantly, despite waiting between one and two months to resume any operations following each of their exposures, and waiting roughly six-months to resume operations at the same tempo as before, Mandiant’s observations suggest that the APT1 and APT 12 have neither ceased nor scaled back their activities. In fact, by mid-summer of last year, APT12’s activities were well above the baseline averages Mandiant had observed in 2011 and 2012.
Moreover, Mandiant has observed from its clients that the Chinese government is actually expanding its industrial cyber espionage activities. As the report explains, “The Chinese government is expanding the scope of its cyber operations, and China-based advanced threat actors are keen to acquire data about how businesses operate — not just about how they make their products.” In other words, instead of simply targeting intellectual property, the suspected state-run Chinese hackers are now trying to steal “information about how these businesses work and how executives and key figures make decisions.”
Examples of the kind of data the Chinese hackers are now targeting include: executive emails, business processes, negotiations plans, budgetary information, organizational charts, meeting minutes, human resources records, and programs and initiatives. The expansion beyond stealing just intellectual property comes at a time when the Chinese government is hoping to make their large state-owned enterprises run more efficiently, which this type of data would facilitate.
In earlier reports, Mandiant observed that China’s cyber espionage had expanded from operations primarily targeting the U.S. defense industrial base to ones targeting a large variety of industries. In the report, Mandiant includes examples of some of the industries Chinese cyber spies targeted in 2013. They include everything from energy companies to media organizations to non-governmental organizations (NGO). It is widely believed that the Chinese government passes the data it steals via cyber espionage to Chinese SOEs to make them more competitive with foreign companies.
Mandiant’s overall conclusion from its observations in 2013 is that China is unlikely to yield to foreign pressure on cyber spying. As the report puts it, “Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.”