Chinese hackers might not shrug off US indictments after all

When Attorney General William Barr announced indictments of four members of the Chinese military for hacking Equifax, you could have dismissed it as toothless hand-waving — or worse, as counterproductive to U.S. cybersecurity.

But several Chinese hacking units have ceased operations following a series of U.S. indictments over the years, Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, said Wednesday at the RSA security conference in San Francisco.

Sign up for Protocol newsletters

That runs counter to conventional wisdom on the topic, which says doing so is ineffective as a deterrent, invites retribution against U.S. intelligence officials, and can tip off attackers to what the government knows.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

"Indicting nation-state hackers is like pissing your pants," said Christopher Ahlberg, chief executive of the threat intelligence company Recorded Future. "At first it feels great, but then you realize it's cold and yucky."

Ahlberg says he opposes the tactic because the indictments go after the wrong people — the individuals behind the keyboards instead of Chinese government officials who are making the orders — and paints a target on U.S. counterparts. "Should we indict Chinese government employees? I don't think so. Eventually, the same thing will happen to us: Every NSA employee would need to worry about traveling around the world, I don't know how brilliant that is," he said.

But Alperovitch, who helped investigate some of the most high-profile nation-state cyberattacks, including the 2016 Democratic National Committee cyberattacks and the 2014 Sony Pictures attack, said the tactic seems to be working with China.

In 2014, for example, the U.S. indicted five Chinese military hackers for attacking and stealing information from six U.S. companies, including Westinghouse Electric, U.S. Steel and Alcoa. "Ever since that indictment, that [People's Liberation Army] unit has basically backed off. That's been really, really remarkable," said Alperovitch, who recently announced he was stepping down from his role as CrowdStrike's chief technology officer to launch a policy-focused nonprofit.

In 2017 and 2018, the U.S. issued two more indictments against individuals from two Chinese hacking groups that were accused of attacking Moody's Analytics, Siemens and dozens of other U.S. technology companies. The groups were not explicitly part of the Chinese military, but prosecutors and security researchers say they had indirect ties to the Chinese government, and in some cases passed sensitive information along to China's intelligence service.

"Both of these groups, from what I've seen, have pretty much disappeared shortly after those indictments," Alperovitch said.

His comments will likely surprise many in the security industry; Alperovitch acknowledged that he was dropping a controversial bomb on the audience and that he "encouraged folks to come find me afterwards and try to convince me this is not the case."

One shortcoming of the government's so-called "name and shame" strategy is that it doesn't actually stop the attackers, Ahlberg said. Nation-state hackers shrug their shoulders at the indictments, and the charges don't do anything to stop future attacks. An even more cynical take is that the indictments actually benefit nation-state hackers. The detailed charges can tip countries off to what exactly the U.S. knows about their operations, allowing them to change their playbook and avoid detection in the future.

Even if indictments might not stop nation-state hackers, security researchers say they're a good way for the industry to learn about attackers and the techniques they use. "Indictments can be helpful in publishing data about techniques that were employed. It's all details on how these adversaries operate, which is typically left under the covers and no one can learn from it," said Ryan Olson, vice president of threat intelligence at Palo Alto Networks.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

The indictment of the Equifax hackers, for example, revealed how the operatives concealed their location by routing traffic through servers in 20 countries and wiped server logs on a daily basis to hide their activity, among other details.

U.S. prosecutors have also argued that the strategy helps highlight emerging cyberthreats for businesses, and could have a chilling effect on nation-state attacks. When the government charged nine Iranians in 2018 for conducting a cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps, FBI Director Christopher Wray said it would send a message, even if law enforcement was not able to arrest the attackers. "Today, not only are we publicly identifying the foreign hackers who committed these malicious cyber intrusions, but we are also sending a powerful message to their backers, the Government of the Islamic Republic of Iran: Your acts do not go unnoticed," he said in a statement at the time.

Alperovitch said it's possible that the Chinese hacking units formed other organizations or retooled after being disbanded, but said this could be seen as a victory because it disrupts operations and makes their lives harder.

While the indictments might have a chilling effect on the groups that are caught, China as a whole has not ceased its hacking operations — as evidenced by the indictment of the Equifax hackers.

"The Justice Department has pointed a finger at the [People's Liberation Army] and its operatives for being responsible for the Equifax breach, and it will be really interesting to see what happens" with the group and the named attackers, Alperovitch said.