China Continues Cyber Espionage Despite Summit Accord

Security firm says evidence shows Beijing hit seven firms

Barack Obama and Xi Jinping / AP

October 19, 2015 12:50 pm


China’s government continued economic cyber espionage attacks against businesses despite a pledge to halt the practice last month, a cyber security firm revealed on Monday.

The security company CrowdStrike stated in a blog post that seven companies were hit by hackers that "we have affiliated with the Chinese government."

The hacker group includes Deep Panda, a code name used by security researchers for Chinese military-affiliated hackers who have been linked to numerous covert information network intrusions.

The company said the recent intrusions were detected by software used to monitor and thwart sophisticated hacking attacks.

The Chinese cyber strikes contradict the informal agreement announced Sept. 25 during a summit in Washington between President Obama and President Xi Jinping.

The two leaders agreed that "neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors," according to a summit fact sheet.

Additionally, the two sides agreed to cooperate in investigating cyber crime and to hold high-level talks on the issue.

"The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day—Saturday, Sept. 26th," said Dmitri Alperovitch, a co-founder of CrowdStrike. "We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted cyber agreement."

"Our goal with reporting our observations of Chinese-affiliated hacking is to ensure companies remain vigilant and aggressively protect their assets from hacking and IP theft," he said.

A White House national security official declined to comment on the specific conclusions of the CrowdStrike report.

"We are aware of this report," the official said. "As a general matter, malicious cyber actors from a variety of nations find U.S. networks and companies attractive targets and seek access to sensitive or proprietary information for a variety of purposes, and we take seriously all reports of intrusions."

On China, the official said the administration will continue to raise its concerns about cyber actions by Beijing with Chinese officials.

"These efforts led to the set of key bilateral cyber security commitments we announced during the visit of President Xi, which included, among other things, bilateral commitments that neither government will conduct or knowingly support cyber-enabled economic espionage for commercial gain. As we move forward, we will monitor China's cyber activities closely and press China to abide by all of its commitments," the official said.

The U.S.-China cyber agreement, which lacks a formal text and was not signed, has been greeted with skepticism by U.S. national security officials.

James Clapper, the director of national intelligence, told the Senate Armed Services Committee on Sept. 29 that the agreement was a good first step in dealing with the issue but that he doubted that it would be effective in curbing Chinese cyber crime.

Adm. William Gortney, commander of the U.S. Northern Command in charge of homeland defenses, expressed even greater skepticism.

"They’re going to have to show me that they’re going to stop. I just don’t see that happening," Gortney said in remarks at the Atlantic Council.

Gortney added that the Chinese were stealing large amounts of U.S. intellectual capital. "They can’t keep their industry moving without robbing our intellectual capital from our private industry. And they’re robbing us blind," he said.

CrowdStrike said it prevented an unspecified number of cyber intrusions over the past three weeks against targets including technology companies and pharmaceutical firms. The main objective of the attempted intrusions "seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the cyber agreement does not prohibit," CrowdStrike said.

The cyber attacks were detected on Sept. 29 and 30, on Oct. 3 and 4, on Oct. 8 and 9, and finally on Oct. 13, 15, and 16.

The report did not include activities by all Chinese-government affiliated hackers and was limited to commercial businesses and entities that fit the definition of the U.S.-China cyber agreement.

"The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures," CrowdStrike stated.

Deep Panda has been identified by security researchers for many years as a Beijing hacking group that has conducted cyber attacks on national security targets and commercial industries, including companies specializing in agriculture, chemical, financial, healthcare, insurance, law, technology, and other sectors.

The cyber intrusions involved Internet web server compromises that allowed the introduction of malicious code that then sought to provide the hackers with remote access to targeted networks.

CrowdStrike’s George Kurtz said of the U.S.-China cyber accord last month that "even under the best of circumstances, industry is left to wonder how quickly China’s bold intelligence gathering apparatus might be dismantled."

Alperovitch said he is encouraged by the administration’s efforts to reduce Chinese cyber attacks in both number and scope and to prompt Beijing to distinguish publicly between intelligence-gathering cyber attacks and commercial cyber espionage.

Security researchers are divided over the players involved in Chinese cyber attacks.

Deep Panda is said to be part of the People’s Liberation Army General Staff 3rd Department, or 3PLA, which conducts electronic intelligence.

Five PLA hackers associated with a military hacking unit known as Unit 61398 were indicted by the Justice Department in May 2014 for hacking American nuclear, steel, and aluminum companies in Pennsylvania.

Recently, however, other security researchers have linked the Office of Personnel Management cyber attacks, which resulted in the theft of more than 2 million records on federal workers, to a Chinese civilian intelligence hacking unit dubbed Axiom.

The Axiom group is said to be engaged in wide-ranging cyber intelligence activities and attacks aimed at gaining access to databases for use in spying and economic espionage, as well as for targeting perceived opponents of the Beijing communist government.

Axiom is said to be part of the Ministry of State Security, the civilian intelligence service.

In a related development, Chinese hackers were recently detected hacking the information systems of Woods Hole Oceanographic Institution, a nonprofit research facility that does work for the U.S. Navy, including submarine warfare-related research and development.

Hackers conducted an aggressive cyber attack that is believed to have originated in China, Woods Hole’s president, Mark Abbott, told staff in a letter.

"The attack was similar to those that have been experienced by many federal agencies, defense contractors, and other businesses developing advanced technologies. The investigation of the attack is ongoing, however, the investigation indicates the intent was not to obtain financial or personal identity information," Abbott stated in the letter.

The cyber intrusion involved penetrations of information systems that took place over a long period of time.
