NEW YORK – Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing e-mails against American companies for intellectual property theft.
On Monday, the US again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed US officials a decade ago.
The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former US officials, shows that China has reorganised its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralised digital assaults on American companies and interests around the world.
Hacks that were conducted via sloppily worded spearphishing e-mails by units of the People’s Liberation Army (PLA) are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security (MSS), according to US officials and the indictment.
While phishing attacks remain, the espionage campaigns have gone underground and employ sophisticated techniques. Those include exploiting “zero-days,” or unknown security holes in widely used software like Microsoft’s Exchange e-mail service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.
“What we’ve seen over the past two or three years is an upleveling” by China, said Mr George Kurtz, CEO of the cybersecurity firm CrowdStrike.
“They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”
China has long been one of the biggest digital threats to the US. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 US intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.
But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks – including ransomware attacks – into a major diplomatic front with superpowers like Russia, and US relations with China have steadily deteriorated over issues including trade and tech supremacy.
China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.
Those breaches and thousands of others prompted the Obama administration to finger China’s PLA hackers in a series of indictments for industrial trade theft in 2014. A single Shanghai-based unit of the People’s Liberation Army, known as Unit 61398, was responsible for hundreds – some estimated thousands – of breaches of American companies, the Times reported.
In 2015, Obama officials threatened to greet President Xi Jinping of China with an announcement of sanctions on his first visit to the White House, after a particularly aggressive breach of the US Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.
White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.
After President Donald Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, US intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the MSS, which handles China’s intelligence, security and secret police.
Hacks of intellectual property that benefited China’s economic plans originated not from the PLA but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.