While cybersecurity teams would be unwise to take their eyes off Russia, the evolving threat posed by China's massive hacking operation deserves more attention than it's getting among some targeted businesses — especially those involved in emerging technologies, experts told Protocol.
As the tech war between China and the U.S. heats up, cyber threat experts said the recent FBI warnings about the Chinese government's efforts to steal intellectual property line up with the realities they see.
"Our government is correct: Companies actually need to pay more attention," said Lou Steinberg, formerly the CTO at TD Ameritrade.
In recent years, threats from Russia have driven much of the cybersecurity attention and investment among businesses in the U.S. and Western Europe, especially after Russia’s invasion of Ukraine in February. Understandably, the threat of ransomware and disruption of critical infrastructure tends to provoke a response.
But when it comes to state-sponsored intrusions, China was behind a stunning 67% of the attacks between mid-2020 and mid-2021, compared to just 1% for the Russian government, according to data from CrowdStrike.
Without a doubt, China "stands out as the leading nation in terms of threat relevance, at least for America," said Tom Hegel, a senior threat researcher at SentinelOne.
In July, the FBI and MI5 issued an unprecedented joint warning about the threat of IP theft by China. During an address to business leaders in London, FBI Director Christopher Wray said that China's hacking program is "bigger than that of every other major country combined" and that the Chinese government is "set on stealing your technology — whatever it is that makes your industry tick."
"The Chinese government poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize," Wray said.
During his three years as a researcher at Secureworks, Marc Burnard has seen Chinese government hackers go after customers in chemicals manufacturing, aviation, telecommunications and pharmaceuticals — to name just a few.
"It's quite difficult to point out what the key sectors are for China, because they target so many," Burnard said. "It's a scale that just completely dwarfs anything from the likes of Iran, North Korea and Russia."
One of the most brazen examples was China's release of bomber jets with strikingly similar designs to the F-35 starting in 2011, according to Nicolas Chaillan, former chief software officer for the U.S. Air Force. Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the F-35 Lightning II, which is believed to have been used in the design of Chinese jets including the J-31 and J-20.
Chaillan — who resigned in protest over the military's progress on IT modernization amid the China threat — said the recent FBI warning on China is telling. "It takes a lot for the government to start saying stuff like that," he told Protocol. "That usually gives you a hint that it's really, really bad."
China "stands out as the leading nation in terms of threat relevance, at least for America."
Wray has made a number of public remarks on the China cyber threat this year. In a January speech, he said the FBI had 2,000 open investigations related to attempted theft of technology and information by the Chinese government. The FBI is opening a new case related to Chinese intelligence roughly every 12 hours, he said at the time.
In July 2021, the White House denounced the Chinese government over its "pattern of malicious cyber activity," in tandem with the European Union, the U.K. and NATO. The action made it clear that the Biden administration believes China has been ignoring its 2015 agreement to cease hacking activities meant to steal the IP of U.S. businesses.
Major incidents have included the Chinese government's widespread exploitation of vulnerabilities in Microsoft Exchange in 2021, which led to the compromise of 10,000 U.S. companies' networks, Wray said in January.
In analyzing the Chinese cyber threat, the key is to understand the larger context for why China is targeting Western IP, said Michael Daniel, formerly cybersecurity coordinator and special assistant to the president during the Obama administration.
"China is an expanding power that fundamentally sees itself as challenging the West, and challenging the world order that the Western European system has set up," Daniel said.
A central part of that aspiration is challenging the West economically, but China is prone to taking shortcuts, experts say.
China's shifting priorities
The Chinese government laid out its "Made in China 2025" strategy, which identifies the industries that it considers to be most important going forward, in 2015. The document is extremely helpful when it comes to defending against IP theft by China's government, said Daniel, who is now president and CEO of the Cyber Threat Alliance, an industry group.
"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence," he said. "It's that simple, actually."
Some of the industries that now face the biggest threat of IP theft from China — such as energy, aerospace defense technology and quantum computing — are already well aware of it, according to Steinberg, now the founder of cybersecurity research lab CTM Insights.
But other industries should be paying closer attention than they are, he said. Those include the AI/robotics, agricultural technology and electric vehicle sectors — which are among the industries mentioned in the "Made in China 2025" plan.
"If you're on their list, they've got an army of skilled people who are trying to figure out how to get your intellectual property," Steinberg said.
"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence."
Christian Sorensen, formerly a U.S. Cyber Command official and U.S. Air Force officer, said there's been a clear shift in China's IP theft priorities from its traditional focus on defense-related technologies — such as the designs for the F-35 — and into the high-tech and biotech sectors. For instance, in mid-2020, the U.S. accused Chinese government hackers of attempting to steal data from COVID-19 vaccine developer Moderna.
Threats of this sort can be more difficult for perennially overwhelmed security teams to prioritize, however, said Sorensen, who is now founder and CEO of cybersecurity vendor SightGain.
"Everybody pays attention to what's right in their face," he said. "Our intellectual property is just flying out of our borders, which is a serious strategic threat. But it's not always the front-burner threat."
That has been particularly the case in 2022 — the year of "Shields Up."
Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the U.S.'s F-35 Lightning II. Photo: Robert Atanasovski/AFP via Getty Images
Following the invasion of Ukraine, there was a widespread expectation that the U.S. and other allies of Ukraine would face disruptive cyberattacks by Russia. So far, major retaliatory attacks from Russia have not materialized — though experts believe a Russian escalation of this sort could still come as soon as later this year, depending on how events play out with Ukraine and sanctions.
America's focus on its cyber adversaries tends to go in cycles, experts say. And even prior to the Ukraine war, Russian threat actors have been constantly in the spotlight, from the SolarWinds breach by Russia's intelligence forces in 2020 to the Colonial Pipeline and Kaseya ransomware attacks by cybercriminals operating out of the country in 2021.
It's not out of the question that China might pursue similar disruptive cyberattacks against the U.S. and Western Europe in the future, however, if China wants to prevent aid to Taiwan, Daniel said. It's believed that China has been seeking the ability to strike critical infrastructure for a situation such as that, he said.
To date, however, China's cyber activity has been "almost entirely covert cyber espionage campaigns," said Josephine Wolff, associate professor of cybersecurity policy at Tufts University.
Whereas Russian cyberattacks are often meant to create noise and chaos, Wolff said, China's attacks are "meant to happen undercover. They don't want anyone to know it's them."
U.S.-China tensions rose Tuesday as House Speaker Nancy Pelosi visited Taiwan. Mandiant's John Hultquist said in a statement that China is expected to carry out “significant cyber espionage against targets in Taiwan and the U.S.” related to the situation.
Notably, the Chinese government is very effective at organizing the hacking activities, said SentinelOne's Hegel. "It's a well-oiled machine for mass espionage."
While China's hacking program often does not perform the most technically advanced attacks, its sheer size and persistence allows it to be successful over the longer-term, he said.
But because China's motives are different compared to Russia, "you've got to defend yourself [in] a completely different way," said CTM Insights' Steinberg.
The go-to technologies in these situations are data-loss prevention, data exfiltration detection and deception technologies such as tripwires, he said. Rather than expecting to prevent an intrusion every time, the key to stopping IP theft is "Can you catch it happening and shut it down?"
Businesses should also concentrate on applying special protections to systems that are hosting IP, said Burnard, who is senior consultant for information security research at Secureworks. That might include network segmentation and enhanced monitoring for those parts of the system, he said.
One way that China’s hackers have been evolving can be seen in their methods for gaining initial access to corporate systems, experts say. Recent years have seen Chinese attackers increasingly exploiting vulnerabilities, instead of just relying on phishing, said Kevin Gonzalez, director of security at cybersecurity vendor Anvilogic.
China-based attackers exploited a dozen published vulnerabilities in 2021, up from just two the prior year, CrowdStrike reported — making the Chinese government's hacking operation the "leader in vulnerability exploitation."
The threat actors have shown capabilities for exploiting both previously unknown, zero-day vulnerabilities as well as unpatched known vulnerabilities, Hegel said.
Additionally, China’s government hackers are now scanning for vulnerabilities “the second they pop up online," he said — for instance, in the case of Log4Shell, a severe vulnerability in the widely used Apache Log4j software that was uncovered in December 2021. The Chinese government reportedly punished China-based tech giant Alibaba for informing the developers behind Log4j about the flaw prior to telling the government.
China has used more innovative techniques as well, such as software supply chain attacks. The compromises of CCleaner and Asus Live Update in 2017 are among the past instances.
Still, while China's focus on IP theft makes some defenses unique from those needed to stop ransomware, there are plenty of countermeasures that can help against both Russia- and China-style threats, experts said.
Placing an emphasis on strong security hygiene, vulnerability and patch management, identity authentication and zero-trust architecture will go a long way toward defending against attacks regardless of what country they're coming from, said Adam Meyers, senior vice president of intelligence at CrowdStrike.
Threat hunting is also a valuable investment, whether you're concerned about threats from Russia, China or anywhere else, Meyers said. "You have to be out there looking for these threats, because the adversary is constantly moving," he said.
But hacking is not the only cyber threat that China poses to the U.S. and the West, experts say. And it may not even be the most challenging, said Samuel Visner, a longtime cybersecurity executive and former NSA official, who currently serves as technical fellow at MITRE.
The harder question, according to Visner, is how to respond to China's initiative to build a "Digital Silk Road" across much of the globe using exported Chinese IT infrastructure. The technology is believed to be capable of facilitating surveillance on citizens. Ultimately, the fear is that the Digital Silk Road could be used to feed information about Americans or Europeans traveling abroad back to the Chinese government, he said.
While meeting a different definition of cybersecurity, Visner said, "that is also a security challenge."