Successful cyberattacks by China hacker groups targeting corporate networks in the US and other regions have dramatically decreased since mid-2014, a new report finds. Even so, China continues to wage attacks in order to steal intellectual property despite political pressure by the US government -- and China's cyber espionage campaigns appear to be more streamlined.
So in case you were wondering whether the historic “no-hack” pact in September 2015 between President Barack Obama and Chinese president Xi Jinping -- where the two leaders promised not to wage cyberattacks for economic gain -- has made a difference, the answer is both yes and no. While no one expected major change in the wake of the pact, there have been some noticeable shifts in the volume of attacks by China in the past couple of years, according to new findings from FireEye. The pact is one of several factors, including earlier political and economic forces that were already under way beforehand, according to FireEye.
FireEye concluded that since 2013 when it first exposed China’s infamous APT1 cyber espionage operation led by the PLA, China’s hacking is “less voluminous but more focused, calculated, and still successful in compromising” companies’ networks. Of a total of 262 compromises, FireEye found that China had executed more than 70 successful attacks in April 2014; 40 in July 2015; and fewer than five in May 2016.
Jordan Berry, principal threat analyst with FireEye, says the findings show some changes in the way China’s hacking machine operates, but the groups are still very much active and targeting companies’ intellectual property and personally identifiable information. “We observed an overall cyber activity decline in mid-2014 [by China], although they did not cease operations and they continue … albeit in lower volume,” Berry says. “A confluence of events” drove the decline in attacks, he says.
FireEye studied the number of network compromises by suspected China-based hackers starting in early 2013 through June 2016, drawing from its Mandiant incident response cases, and FireEye’s cloud-based network monitoring as well as its threat intelligence data. They found 262 successful network attacks by 72 different suspected China-based groups: of those attacks, 182 hit US companies.
From September 2015 until this month, FireEye says just 13 suspected China-based hacking teams broke into corporate networks in the US, Europe, and Japan, as well as commercial, government, and military organizations in nations near China, including Russia. “However, since mid-2014, we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries. These shifts have coincided with ongoing political and military reforms in China, widespread exposure of Chinese cyber activity, and unprecedented action by the U.S. government,” FireEye’s report says.
Among the factors likely behind the decline in the number of cyberattacks on the US, according to FireEye: Xi’s military reforms as well as centralization of China’s cyber operations since he first took office in 2012; research exposing Chinese cyber espionage activity; and intensified US pressure on China, including the US indictment of five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel.
“Although many in the U.S. initially doubted that these actions would have any effect, they may have prompted Beijing to reconsider the execution of its network operations,” according to FireEye's report.
Other security research firms have seen some shifts in China’s intellectual theft hacking over the past year as well. Costin Raiu, director of the global research and analysis team at Kaspersky Lab, in an interview in February said his firm’s researchers witnessed a dramatic drop in Chinese-speaking APTs going after US and UK organizations’ intellectual property in the wake of the Obama-Xi pact. But Kaspersky Lab also witnessed at 300% increase in attacks on Russian targets by Chinese groups in a period of two months.
“Immediately after the signing of the agreement, there was silence” in attacks against the US, Raiu said. “Then there were some small bits and pieces of random noise … but after that, they [Chinese-speaking APTs] completely went silent in the US and UK,” Raiu said, referring to Xi’s similar no-hack deal in October with Prime Minister Cameron in the UK.
CrowdStrike also saw an uptick in Chinese attacks on Russia, specifically from Hammer Panda against Russian Federation countries. But it also saw continued attacks on US companies by China-based groups.
Meanwhile, there’s no sign of various China-based hacking groups becoming more coordinated in their tactics. “Some groups have changed quite a bit over the past year, and some have [remained] the same over the past two years,” says Mike Oppenheim, senior manager of threat intelligence at FireEye.