Chinese hackers might not shrug off US indictments after all

Conventional wisdom holds that nation-state hackers are unaffected by indictments, but a prominent expert thinks it's working against China.

Conventional wisdom holds that indicting nation-state hackers, as Attorney General William Barr did earlier this month, isn't effective.

Photo: Sarah Silbiger/Getty Images

When Attorney General William Barr announced indictments of four members of the Chinese military for hacking Equifax, you could have dismissed it as toothless hand-waving — or worse, as counterproductive to U.S. cybersecurity.

But several Chinese hacking units have ceased operations following a series of U.S. indictments over the years, Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, said Wednesday at the RSA security conference in San Francisco.

That runs counter to conventional wisdom on the topic, which holds that indicting nation-state hackers is ineffective as a deterrent, invites retribution against U.S. intelligence officials, and can tip off attackers to what the government knows.

"Indicting nation-state hackers is like pissing your pants," said Christopher Ahlberg, chief executive of the threat intelligence company Recorded Future. "At first it feels great, but then you realize it's cold and yucky."

Ahlberg says he opposes the tactic because the indictments go after the wrong people — the individuals behind the keyboards instead of the Chinese government officials who give the orders — and paint a target on their U.S. counterparts. "Should we indict Chinese government employees? I don't think so. Eventually, the same thing will happen to us: Every NSA employee would need to worry about traveling around the world, I don't know how brilliant that is," he said.

But Alperovitch, who helped investigate some of the most high-profile nation-state cyberattacks, including the 2016 Democratic National Committee cyberattacks and the 2014 Sony Pictures attack, said the tactic seems to be working with China.

In 2014, for example, the U.S. indicted five Chinese military hackers for attacking and stealing information from six U.S. companies, including Westinghouse Electric, U.S. Steel and Alcoa. "Ever since that indictment, that [People's Liberation Army] unit has basically backed off. That's been really, really remarkable," said Alperovitch, who recently announced he was stepping down from his role as CrowdStrike's chief technology officer to launch a policy-focused nonprofit.

In 2017 and 2018, the U.S. issued two more indictments against individuals from two Chinese hacking groups that were accused of attacking Moody's Analytics, Siemens and dozens of other U.S. technology companies. The groups were not explicitly part of the Chinese military, but prosecutors and security researchers say they had indirect ties to the Chinese government, and in some cases passed sensitive information along to China's intelligence service.

"Both of these groups, from what I've seen, have pretty much disappeared shortly after those indictments," Alperovitch said.

His comments will likely surprise many in the security industry; Alperovitch acknowledged that he was dropping a controversial bomb on the audience and that he "encouraged folks to come find me afterwards and try to convince me this is not the case."

One shortcoming of the government's so-called "name and shame" strategy is that it doesn't actually stop the attackers, Ahlberg said. Nation-state hackers shrug their shoulders at the indictments, and the charges don't do anything to stop future attacks. An even more cynical take is that the indictments actually benefit nation-state hackers. The detailed charges can tip countries off to what exactly the U.S. knows about their operations, allowing them to change their playbook and avoid detection in the future.

Even if indictments might not stop nation-state hackers, security researchers say they're a good way for the industry to learn about attackers and the techniques they use. "Indictments can be helpful in publishing data about techniques that were employed. It's all details on how these adversaries operate, which is typically left under the covers and no one can learn from it," said Ryan Olson, vice president of threat intelligence at Palo Alto Networks.

The indictment of the Equifax hackers, for example, revealed how the operatives concealed their location by routing traffic through servers in 20 countries and wiped server logs on a daily basis to hide their activity, among other details.

U.S. prosecutors have also argued that the strategy helps highlight emerging cyberthreats for businesses, and could have a chilling effect on nation-state attacks. When the government charged nine Iranians in 2018 for conducting a cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps, FBI Director Christopher Wray said it would send a message, even if law enforcement was not able to arrest the attackers. "Today, not only are we publicly identifying the foreign hackers who committed these malicious cyber intrusions, but we are also sending a powerful message to their backers, the Government of the Islamic Republic of Iran: Your acts do not go unnoticed," he said in a statement at the time.

Alperovitch said it's possible that the Chinese hacking units formed other organizations or retooled after being disbanded, but said this could be seen as a victory because it disrupts operations and makes their lives harder.

While the indictments might have a chilling effect on the groups that are caught, China as a whole has not ceased its hacking operations — as evidenced by the indictment of the Equifax hackers.

"The Justice Department has pointed a finger at the [People's Liberation Army] and its operatives for being responsible for the Equifax breach, and it will be really interesting to see what happens" with the group and the named attackers, Alperovitch said.
