Cyber Threat Report: China

As tensions between the US and China escalate, businesses should prepare themselves for increased cyber attacks originating from Beijing. China has extremely advanced cyber capabilities and a long history of corporate Intellectual Property (IP) theft. Much of this activity is state-sponsored, and it is estimated that the People's Liberation Army (PLA) employs between 50,000 and 100,000 professional hackers who carry out cyber attacks to further China's economic and political goals.

Motivations for Chinese Hacking Campaigns

Unlike North Korea and Russia, the focus of state-sponsored Chinese hacking is primarily information theft, not disruption or direct financial gain. Chinese hacking groups such as APT1, APT3, NCPH, and Elderwood target American businesses, defense companies, government agencies, and political candidates with the goal of stealing information to increase China's political and economic standing. It is estimated that over half of Chinese technology was stolen from American sources.

China’s Five-year Plan

Planning is a key component of socialist economies, and China relies heavily on its five-year plan to centralize its social and economic growth efforts. China's current five-year plan, which spans 2016-2020, focuses on technological and socioeconomic advances, including massive advances in wind power technology. Many experts argue that the advances being pushed by Xi's regime are not possible in that timeline without stealing intellectual property.

Political

One of the primary motivations for Chinese hacking campaigns is political retaliation. In the early 2000s, Chinese hackers were extremely politically motivated and frequently defaced American websites as tensions escalated. More recently, China has turned its cyber efforts to information theft, specifically the intellectual property of American businesses. The Bush administration's steel tariffs in 2002 coincided with an uptick in Chinese IP theft. Trade tensions between 2011 and 2015 correlated with an aggressive increase in cyber attacks attributed to Chinese threat actors, including Shady RAT and Operation Aurora, which targeted IP from Google and more than 20 other high-profile companies.

Historically, improvements in US/China relations have reduced the number of cyber attacks against the US. In 2015, President Obama signed an agreement with Chinese President Xi Jinping, leading to a 90% decrease in Chinese hacking campaigns targeting American businesses and government agencies. This direct correlation between trade relations and cyber attacks suggests that as trade uncertainty between China and the US intensifies, Chinese hacking activity will also escalate.

Recent tensions between the US and China may already have spurred new cyber attacks against the US, including a variation of the HyperBro RAT, which gained access to a government data center.

Cultural

In addition to the socioeconomic and political motivations for Chinese cyber activity, some of the issue is cultural. China does not view information ownership in the same way that most Western countries do. Instead, it relies on a first-to-file patent system, which can result in major companies losing out on patents for their own IP.

Additionally, Chinese PLA documents focus heavily on "informatization" (the peacetime manipulation of information), and many Chinese academics argue that technological advances blur the boundaries between peacetime and wartime. This attitude is therefore taught in schools and widely adopted by Chinese citizens.

"It is necessary in peacetime to undertake information warfare in the political, economic, technical, and military realms, as only then can one scientifically establish operational plans, appropriately calculate gains and losses in a conflict, appropriately control the level of attack, precisely strike predetermined targets, and seek the best strategic interest and long-term benefit."

- Li Naiguo on China's concept of military strategy

Because of this cultural clash between China and the US about the concept of information ownership, Chinese hackers do not necessarily view their actions as immoral, but rather see hacking as a legitimate way to earn a living and support their government.

Risk Factors for Chinese Cyber Espionage

Economic

Because much of China's hacking effort directly benefits Chinese companies, the economy is a significant risk factor for increased cyber activity targeting American businesses. China's economy is currently experiencing a decline in growth, slipping from 6.8% to 6.7%, and investment spending, including real estate, has also stagnated. If China's economy continues to decline, especially if it declines due to trade relations with the US, Chinese hackers will have greater incentive to target American IP. It is unlikely, but depending on the severity of the decline, state-sponsored hackers may also turn to more disruptive and financially motivated attacks, such as the deployment of ransomware or cryptojackers.

Political

The United States and China are the largest and second-largest economies in the world. Therefore, any tensions between the two will have a worldwide impact. If the trade war escalates, it is likely that China will increase its hacking efforts, not only against the US, but against other major economies as well. President Trump has already enacted a 25% tariff on over $50B worth of Chinese goods and has threatened additional sanctions. China has retaliated with a 25% tariff on over $16B of American goods, including vehicles, fuel, and fiber optic cables.

Though the frequency of cyber attacks by the PLA and Chinese hacking groups has declined since the early 2000s, the sophistication and success rate of these attacks has increased dramatically. If increased trade tensions do lead to a significant upsurge in cyber attacks against the US, most businesses will not have adequate defenses in place.

Bottom Line

The Chinese government has a long history of sponsoring cyber campaigns to make political statements and advance its economy. Bluestone Analytics has noticed an uptick in Chinese IP addresses targeting American businesses, and this will likely escalate if the tariff war continues. Both US businesses and state and local governments should double down on cyber defenses, focusing on proactive detection and layered solutions to protect themselves from even the most advanced Chinese cyber attacks.

Timeline of US-China trade tensions and cyber attacks