Russian hackers get the headlines. But China is the bigger threat to many US enterprises.

Experts told Protocol that the Chinese government’s efforts to steal intellectual property require more attention from targeted businesses — and in some cases, a different approach to cyber defense.

A model of a Chinese J-31 stealth fighter of AVIC at the Airshow China 2014 in Zhuhai

China's priorities in IP theft have shifted from defense-related technologies — such as the designs for the F-35 jet, believed to have been used in those for China's J-31 — and into the high-tech and biotech sectors.

Photo: Johannes Eisele/AFP via Getty Images

While cybersecurity teams would be unwise to take their eyes off Russia, the evolving threat posed by China's massive hacking operation deserves more attention than it's getting among some targeted businesses — especially those involved in emerging technologies, experts told Protocol.

As the tech war between China and the U.S. heats up, cyber threat experts said the recent FBI warnings about the Chinese government's efforts to steal intellectual property line up with the realities they see.

"Our government is correct: Companies actually need to pay more attention," said Lou Steinberg, formerly the CTO at TD Ameritrade.

In recent years, threats from Russia have driven much of the cybersecurity attention and investment among businesses in the U.S. and Western Europe, especially after Russia’s invasion of Ukraine in February. Understandably, the threat of ransomware and disruption of critical infrastructure tends to provoke a response.

But when it comes to state-sponsored intrusions, China was behind a stunning 67% of the attacks between mid-2020 and mid-2021, compared to just 1% for the Russian government, according to data from CrowdStrike.

Without a doubt, China "stands out as the leading nation in terms of threat relevance, at least for America," said Tom Hegel, a senior threat researcher at SentinelOne.

In July, the FBI and MI5 issued an unprecedented joint warning about the threat of IP theft by China. During an address to business leaders in London, FBI Director Christopher Wray said that China's hacking program is "bigger than that of every other major country combined" and that the Chinese government is "set on stealing your technology — whatever it is that makes your industry tick."

"The Chinese government poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize," Wray said.

Lightning strikes

During his three years as a researcher at Secureworks, Marc Burnard has seen Chinese government hackers go after customers in chemicals manufacturing, aviation, telecommunications and pharmaceuticals — to name just a few.

"It's quite difficult to point out what the key sectors are for China, because they target so many," Burnard said. "It's a scale that just completely dwarfs anything from the likes of Iran, North Korea and Russia."

One of the most brazen examples was China's release of bomber jets with strikingly similar designs to the F-35 starting in 2011, according to Nicolas Chaillan, former chief software officer for the U.S. Air Force. Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the F-35 Lightning II, which is believed to have been used in the design of Chinese jets including the J-31 and J-20.

Chaillan — who resigned in protest over the military's progress on IT modernization amid the China threat — said the recent FBI warning on China is telling. "It takes a lot for the government to start saying stuff like that," he told Protocol. "That usually gives you a hint that it's really, really bad."

China "stands out as the leading nation in terms of threat relevance, at least for America."

Wray has made a number of public remarks on the China cyber threat this year. In a January speech, he said the FBI had 2,000 open investigations related to attempted theft of technology and information by the Chinese government. The FBI is opening a new case related to Chinese intelligence roughly every 12 hours, he said at the time.

In July 2021, the White House denounced the Chinese government over its "pattern of malicious cyber activity," in tandem with the European Union, the U.K. and NATO. The action made it clear that the Biden administration believes China has been ignoring its 2015 agreement to cease hacking activities meant to steal the IP of U.S. businesses.

Major incidents have included the Chinese government's widespread exploitation of vulnerabilities in Microsoft Exchange in 2021, which led to the compromise of 10,000 U.S. companies' networks, Wray said in January.

In analyzing the Chinese cyber threat, the key is to understand the larger context for why China is targeting Western IP, said Michael Daniel, formerly cybersecurity coordinator and special assistant to the president during the Obama administration.

"China is an expanding power that fundamentally sees itself as challenging the West, and challenging the world order that the Western European system has set up," Daniel said.

A central part of that aspiration is challenging the West economically, but China is prone to taking shortcuts, experts say.

China's shifting priorities

The Chinese government laid out its "Made in China 2025" strategy, which identifies the industries that it considers to be most important going forward, in 2015. The document is extremely helpful when it comes to defending against IP theft by China's government, said Daniel, who is now president and CEO of the Cyber Threat Alliance, an industry group.

"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence," he said. "It's that simple, actually."

Some of the industries that now face the biggest threat of IP theft from China — such as energy, aerospace defense technology and quantum computing — are already well aware of it, according to Steinberg, now the founder of cybersecurity research lab CTM Insights.

But other industries should be paying closer attention than they are, he said. Those include the AI/robotics, agricultural technology and electric vehicle sectors — which are among the industries mentioned in the "Made in China 2025" plan.

"If you're on their list, they've got an army of skilled people who are trying to figure out how to get your intellectual property," Steinberg said.

"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence."

Christian Sorensen, formerly a U.S. Cyber Command official and U.S. Air Force officer, said there's been a clear shift in China's IP theft priorities from its traditional focus on defense-related technologies — such as the designs for the F-35 — and into the high-tech and biotech sectors. For instance, in mid-2020, the U.S. accused Chinese government hackers of attempting to steal data from COVID-19 vaccine developer Moderna.

Threats of this sort can be more difficult for perennially overwhelmed security teams to prioritize, however, said Sorensen, who is now founder and CEO of cybersecurity vendor SightGain.

"Everybody pays attention to what's right in their face," he said. "Our intellectual property is just flying out of our borders, which is a serious strategic threat. But it's not always the front-burner threat."

That has been particularly the case in 2022 — the year of "Shields Up."

A. U.S. Air Force F-35 Lightning II aircraft from the Vermont Air National Guards 134th Fighter Squadron Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the U.S.'s F-35 Lightning II. Photo: Robert Atanasovski/AFP via Getty Images

Following the invasion of Ukraine, there was a widespread expectation that the U.S. and other allies of Ukraine would face disruptive cyberattacks by Russia. So far, major retaliatory attacks from Russia have not materialized — though experts believe a Russian escalation of this sort could still come as soon as later this year, depending on how events play out with Ukraine and sanctions.

America's focus on its cyber adversaries tends to go in cycles, experts say. And even prior to the Ukraine war, Russian threat actors have been constantly in the spotlight, from the SolarWinds breach by Russia's intelligence forces in 2020 to the Colonial Pipeline and Kaseya ransomware attacks by cybercriminals operating out of the country in 2021.

It's not out of the question that China might pursue similar disruptive cyberattacks against the U.S. and Western Europe in the future, however, if China wants to prevent aid to Taiwan, Daniel said. It's believed that China has been seeking the ability to strike critical infrastructure for a situation such as that, he said.

To date, however, China's cyber activity has been "almost entirely covert cyber espionage campaigns," said Josephine Wolff, associate professor of cybersecurity policy at Tufts University.

Whereas Russian cyberattacks are often meant to create noise and chaos, Wolff said, China's attacks are "meant to happen undercover. They don't want anyone to know it's them."

Countering China

U.S.-China tensions rose Tuesday as House Speaker Nancy Pelosi visited Taiwan. Mandiant's John Hultquist said in a statement that China is expected to carry out “significant cyber espionage against targets in Taiwan and the U.S.” related to the situation.

Notably, the Chinese government is very effective at organizing the hacking activities, said SentinelOne's Hegel. "It's a well-oiled machine for mass espionage."

While China's hacking program often does not perform the most technically advanced attacks, its sheer size and persistence allows it to be successful over the longer-term, he said.

But because China's motives are different compared to Russia, "you've got to defend yourself [in] a completely different way," said CTM Insights' Steinberg.

The go-to technologies in these situations are data-loss prevention, data exfiltration detection and deception technologies such as tripwires, he said. Rather than expecting to prevent an intrusion every time, the key to stopping IP theft is "Can you catch it happening and shut it down?"

Businesses should also concentrate on applying special protections to systems that are hosting IP, said Burnard, who is senior consultant for information security research at Secureworks. That might include network segmentation and enhanced monitoring for those parts of the system, he said.

One way that China’s hackers have been evolving can be seen in their methods for gaining initial access to corporate systems, experts say. Recent years have seen Chinese attackers increasingly exploiting vulnerabilities, instead of just relying on phishing, said Kevin Gonzalez, director of security at cybersecurity vendor Anvilogic.

China-based attackers exploited a dozen published vulnerabilities in 2021, up from just two the prior year, CrowdStrike reported — making the Chinese government's hacking operation the "leader in vulnerability exploitation."

The threat actors have shown capabilities for exploiting both previously unknown, zero-day vulnerabilities as well as unpatched known vulnerabilities, Hegel said.

Additionally, China’s government hackers are now scanning for vulnerabilities “the second they pop up online," he said — for instance, in the case of Log4Shell, a severe vulnerability in the widely used Apache Log4j software that was uncovered in December 2021. The Chinese government reportedly punished China-based tech giant Alibaba for informing the developers behind Log4j about the flaw prior to telling the government.

China has used more innovative techniques as well, such as software supply chain attacks. The compromises of CCleaner and Asus Live Update in 2017 are among the past instances.

Still, while China's focus on IP theft makes some defenses unique from those needed to stop ransomware, there are plenty of countermeasures that can help against both Russia- and China-style threats, experts said.

Placing an emphasis on strong security hygiene, vulnerability and patch management, identity authentication and zero-trust architecture will go a long way toward defending against attacks regardless of what country they're coming from, said Adam Meyers, senior vice president of intelligence at CrowdStrike.

Threat hunting is also a valuable investment, whether you're concerned about threats from Russia, China or anywhere else, Meyers said. "You have to be out there looking for these threats, because the adversary is constantly moving," he said.

But hacking is not the only cyber threat that China poses to the U.S. and the West, experts say. And it may not even be the most challenging, said Samuel Visner, a longtime cybersecurity executive and former NSA official, who currently serves as technical fellow at MITRE.

The harder question, according to Visner, is how to respond to China's initiative to build a "Digital Silk Road" across much of the globe using exported Chinese IT infrastructure. The technology is believed to be capable of facilitating surveillance on citizens. Ultimately, the fear is that the Digital Silk Road could be used to feed information about Americans or Europeans traveling abroad back to the Chinese government, he said.

While meeting a different definition of cybersecurity, Visner said, "that is also a security challenge."

Sponsored Content

How cybercrime is going small time

Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime

Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.

That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.


SEC cyber reporting regs may be stuck. CISA is poised to do better.

CISA’s initiative to regulate critical infrastructure on incident reporting is just beginning. The focus on industry engagement by CISA and its director, Jen Easterly, could be about to pay off.

CISA director Jen Easterly is focusing on cyber industry engagement.

Photo: Kevin Dietsch/Getty Images

As the chief information security officer of a large, publicly traded tech company, Drew Simonis has been keeping a close eye on the SEC's proposed rules to require reporting of major cyberattacks.

Simonis, who works at Juniper Networks, has some serious concerns shared by many executives in U.S. private industry. Some of the proposed cyber incident reporting rules seem like they'd be counterproductive to the goal of creating transparency, and would likely just increase confusion for corporate shareholders, he said. Overall, by requiring public disclosure of major cyber incidents within four business days, the approach seems to lack a basic understanding of the "fluid nature of security events," Simonis said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.


EA mobile chief Jeff Karp on EA’s live service future

Electronic Arts is faring better than its rivals. The company’s mobile chief knows why.

FIFA Mobile, a new version of which launched in January, just had its best-ever quarter.

Photo: Electronic Arts

Electronic Arts, the sports game publisher that spent years neglecting the mobile gaming market, couldn’t have picked a better time to jump in the deep end.

Last year, EA spent close to $4 billion acquiring its way to a stronger position in mobile. This year, it launched a new iteration of its popular FIFA franchise for smartphones and released a mobile spinoff of its hugely successful Apex Legends battle royale. The company's competitors have also followed suit with even more eye-popping acquisitions, including Take-Two Interactive’s purchase of Zynga for nearly $13 billion back in January and Microsoft’s record $69 billion acquisition of Activision Blizzard, which includes Candy Crush studio King, soon after.

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.


NYC's bungled monkeypox vaccine rollout has a familiar ring

The failures raise questions about the due diligence undertaken by officials in awarding contracts.

The tech failures are part of a broader mishandling of the monkeypox outbreak at all levels of government, which is causing public health experts to fear that the virus could already be out of hand.

Photo: Kobi Wolf/Bloomberg via Getty Images

In 2016, New York's state Attorney General Eric Schneiderman reached a settlement with a company known as MedRite Urgent Care, after Yelp caught the company paying for fake positive reviews. At the time, the attorney general's office accused MedRite of "misrepresentation and deceptive acts," for which the urgent care provider agreed to pay a $100,000 fine.

And yet, just six years later, in the midst of its fast-growing monkeypox outbreak, New York City chose MedRite to operate its monkeypox vaccine scheduler. The first day of the rollout, MedRite's system crashed, leaving New Yorkers scrambling to get access to a vaccine that is already in limited supply.

Keep Reading Show less
Kwasi Gyamfi Asiedu

Kwasi (kway-see) is a fellow at Protocol with an interest in tech policy and climate. Previously, he covered global religion news at the Associated Press in New York. Before that, he was a freelance journalist based out of Accra, Ghana, covering social justice, health, and environment stories. His reporting has been published in The New York Times, Quartz, CNN, The Guardian, and Public Radio International. He can be reached at kasiedu@protocol.com.

Latest Stories