A 2011 report from the US Office of the National Counterintelligence Executive titled "Foreign Spies Stealing US Economic Secrets in Cyberspace" used the findings of 14 US intelligence agencies to conclude that "Chinese actors are the world's most active and persistent perpetrators of economic espionage" against US government agencies and private companies.
The Dept. of Defense, which had previously identified attacks as coming from within China but didn't say from whom, narrowed down the suspects enough to conclude in a 2013 report to Congress that "China is using its computer network exploitation capability to support intelligence collection against U.S. diplomatic, economic and defense industrial base sectors."
The theft of intellectual property costs US businesses more than $300 billion per year, close to the total value of all US exports to Asia, according to a 2013 report from the White House-appointed Commission on the Theft of American Intellectual Property.
Russia, India, and other countries contribute to the problem, but China is responsible for between 50% and 80% of all IP theft from US companies, according to the commission, which based its conclusions on reports from the US Trade Representative and research from private companies.
In 2013, Verizon's annual Data Breach Investigations Report, which examined data on more than 47,000 attacks and 621 confirmed breaches that compromised 44 million records, estimated that 20% of successful data breaches were attempts by state-sponsored intelligence agencies to steal trade secrets.
Of the approximately 124 cyberespionage incidents it examined, Verizon concluded, China was behind 95%.
China is so persistent and aggressive about "technology transfer" by fair means or foul that there's no doubt it is heavily involved in online industrial espionage against US companies, according to Jeffrey Carr, author of Inside Cyber Warfare: Mapping the Cyber Underworld and founder of Taia Global, a security firm specializing in cyberwar research.
It is not clear, however, how much of that spying is being done on the orders of the Chinese government, how much is being done by PLA hackers working on private side projects, or by the legions of civilian "hobbyist" hackers, or even by hackers whose only presence in China is a malware-infected machine enlisted as a proxy to hide the attacker's actual whereabouts, Carr said. He continued:
Both the PLA and hackers are causing problems, and not just for the U.S. China has a huge problem with hacking against its own networks, so there could be any number of rogue actors involved in the attacks listed in the indictment. But, in China, more than half the computers are running pirated software or are infected with malware – so it's pretty easy to own a computer inside China's IP space, which means you don't know what the actual origin [of the attack] is.
It's possible that some of the attacks are spoofed, according to Laura Galante, manager of threat intelligence at Mandiant, who worked on both the February 2013 APT1 report and an update published in April of this year.
Galante said in an interview with EE Times:
It took years to put together the APT1 report because we wanted it to be definitive. It's a matter of following breadcrumbs to find the larger story. The persona called Ugly Gorilla, say, would sign his malware tools and we'd see that a lot in 2010 and 2009. Then those signatures would fade out in 2011 and 2012, but we continued to see the same tools, so we'd look to see where he had posted under that name in an email or a message board or a domain registry or anyplace he might have used that name.
Mandiant was able to identify between 20 and 25 separate groups launching attacks on its customers outside China. The group nicknamed Comment Crew, for the notations made in their malware tools, however, "blew everyone else out of the water," Galante said.
"They specifically were so pervasive in networks of clients in the Fortune 50 or Fortune 500 that we felt it was clear there was something different about them," Galante said.
It's impossible to know for certain that the Comment Crew was working on the orders of Chinese government officials, but the evidence tying it to specific attacks, the companies chosen as targets, and the type of information stolen match up so closely with priorities or goals announced by the central government that it's hard to imagine anyone not working for the government would go to the trouble.
"Making a specific attribution takes a lot of work because you want to be right," Galante said. "But we did the research and were able to make a solid judgment of who might be supporting that activity."
The Mandiant report made enough of a splash, however, that China's dismissal of it as "groundless accusations" came not from a Foreign Ministry spokesman, but from Chinese Premier Li Keqiang, just two days after taking office.
Hacking is a "worldwide problem and in fact China itself is a main victim of such attacks," Li said at a press briefing March 15 shortly after being sworn in as Premier. "China does not support -- in fact it is opposed to -- hacking attacks."
— Kevin Fogarty is a freelance writer for EE Times.
Tomorrow, part two: The decision to indict five members of the Chinese military for stealing trade secrets from US companies may be many things, but a serious effort to jail Chinese hackers isn't one of them. Are the indictments a serious effort, and are they worth our time and taxpayer money?