State Department Report Says Chinese Cyber Attacks ‘Ongoing’

Better concealment of hacking linked to reported decline in Beijing cyber strikes

Barack Obama, Xi Jinping
Barack Obama, Xi Jinping / AP
June 29, 2016

Chinese cyber attacks against American firms are "ongoing" and the use of covert cyber tools and methods by Beijing hackers led to a statistical decline in cyber activities, according to an internal State Department security report.

The report by the State Department-led Overseas Security Advisory Council, or OSAC, a public-private partnership, challenges the findings of a recent study by the private cyber security firm FireEye that says the decline in the number of Chinese-origin cyber attacks indicated China has cut back from large-scale cyber attacks.

"While media reporting has emphasized this alleged decrease in malicious activity, cases of Chinese espionage campaigns against the U.S. private sector are ongoing," the report said, adding that "OSAC constituents should remain aware that China is still considered a highly capable and motivated cyber threat actor."

The three-page report highlighting ongoing Chinese cyber threats is a setback for White House efforts to portray President Obama’s September 2015 deal with China to curb cyber economic espionage as a diplomatic breakthrough.

Since the deal, various private security firms offered differing assessments of whether China is curtailing large-scale cyber attacks, the report said.

The report notes that Chinese cyber attacks in 2015 were particularly damaging. "At a higher level, paramount attacks against various U.S. organizations continued in 2015 and Chinese hackers exceeded other nation-state actors for consistency, volume, and severity of cyber attacks during the past year," the report, dated June 27, says.

"This included intrusions into healthcare systems Anthem and Premera, and the Office of Personnel Management, collectively compromising the sensitive data of over 100 million U.S. citizens."

Until the OSAC report, senior U.S. intelligence officials have sought to hedge their conclusions about the September agreement, stating publicly that it is not clear whether China is curbing cyber intrusion activity.

According to the OSAC report, the large-scale attacks in 2015 "suggests some China-based hacking groups may have shifted their focus from data theft for economic gain to national security interests and personally identifiable information (PII)."

According to OSAC, Chinese cyber attacks also have been focused on "continuously leveraging U.S. network infrastructure for offensive operations."

"Actors have been observed using servers of small businesses in the U.S. to plan and execute attacks against manufacturing firms, financial organizations, and the technology sector," the report said.

Rick Fisher, a China specialist, said China’s Communist Party leaders see no current positive or negative inducement to halting the use of cyberspace for global intelligence gathering that can be used to prepare attacks on cyber-electronic infrastructures.

"American verbal argument or political pressure is not going convince the [Chinese Communist Party] leadership to stop waging its global cyber war," said Fisher, a senior fellow at the International Assessment and Strategy Center.

"Washington has been trying to engage the Chinese on its cyber war for nearly 20 years and has basically gotten nowhere," he noted.

The FireEye report was based on a study of network intrusions and compromises from China-based cyber actors since mid-2014. It tracked 262 cases to Beijing hackers carried out in 26 countries. The majority of the attacks took place against U.S. information networks.

The targets included aerospace companies, healthcare providers, manufacturers, including those building semiconductors and chemical compounds, along with media, software, and technology firms.

"Chinese targeting (and in some cases, successful stealing) of data from various public and private sector organizations is assessed to serve military, security, and economic interests equally," the report says. "This ambiguity makes it difficult for analysts to characterize the objective of recent Chinese cyber espionage operations."

OSAC analysts said the attention given to the FireEye study is based in part on a sharp decrease in the number of detected cyber attacks compared to the larger number of cyber intrusions logged by researchers three years ago.

The apparent decline in Chinese cyber activities was attributed to the Justice Department’s high-profile indictment of five PLA military hackers in 2014, and the September 2015 meeting between Obama and Chinese leader Xi Jinping when the informal accord was struck calling for both governments not to engage in or "knowingly support" cyber economic espionage.

"While interpreted by some as nothing more than a political maneuver, other analysts believe the 2015 agreement may have somewhat influenced the decrease in malicious intrusions conducted by China-based groups," the OSAC report said.

However, the cutback could be the result of FireEye’s lack of visibility of more recent Chinese cyber activities or the computer forensic investigators’ inability to detect new cyber attack methods used by the Chinese.

"Public exposures [of Chinese hacking] have prompted some observed China-based hacking groups to develop new tools and incorporate anti-detection techniques into their offensive cyber operations," the report said.

Contrasting FireEye’s assessment of a decline, the OSAC report said multiple studies confirm that "China-based network intrusions are still ongoing, only a fraction of which may be detected by researchers."

The council report also said the cyber security firm CrowdStrike reported three weeks after the Obama-Xi agreement that China was continuing cyber attacks on U.S. organizations.

Most of the targeted companies were engaged in technology or the pharmaceutical industries, an indication the goal is theft of American intellectual property.

The CrowdStrike report concluded that the U.S.-China agreement was ineffective, and that if the Chinese government were abiding by the agreement it would have controlled the central group of Chinese hackers behind the continued attacks.

The decline of attacks seen in metrics has not diminished the threat, the OSAC report said, noting, "China remains a serious cyber threat actor to U.S. firms."

China’s hacking community is made up of government and military hackers, those who engage in cyber attacks on a contract basis, so-called "hacktivists," and criminals.

The report said competing interests between the groups has made it difficult for analysts to determine if there is a "top-down direction" for Chinese cyber attacks. The various cyber actors also "may mask continued attempts of cyber espionage," the report noted.

The OSAC report warned American companies to remain up to date in understanding ongoing Chinese network compromises against both private and public entities.

"Employing multi-layered network defense and detection systems, maintaining regular updates, and mandating employee cyber threat awareness programs can help OSAC constituents defend against threats of cyber espionage, crime, and other malicious network activity," it said.

Fisher, the China specialist, said the United States will not dissuade China from aggressive cyber attacks until Beijing is made to pay a price for digital aggression.

An initial step would be for the United States and NATO members to join together in expelling all Chinese nationals studying abroad in the field of computer science. Another would be to embargo all Chinese computer hardware and software from those countries, Fisher suggested.

"Chinese electronic infrastructure leaders like Huawei and computer manufacturers like Lenovo have long been identified by U.S. government agencies as cyber espionage threats so the justification for such an embargo exists already," he said.

Published under: China , Cyber Security