Russian hackers get the headlines. But China is the bigger threat to many US enterprises.

Experts told Protocol that the Chinese government’s efforts to steal intellectual property require more attention from targeted businesses — and in some cases, a different approach to cyber defense.

A model of a Chinese J-31 stealth fighter of AVIC at the Airshow China 2014 in Zhuhai

China's priorities in IP theft have shifted from defense-related technologies — such as the designs for the F-35 jet, believed to have been used in those for China's J-31 — and into the high-tech and biotech sectors.

Photo: Johannes Eisele/AFP via Getty Images

While cybersecurity teams would be unwise to take their eyes off Russia, the evolving threat posed by China's massive hacking operation deserves more attention than it's getting among some targeted businesses — especially those involved in emerging technologies, experts told Protocol.

As the tech war between China and the U.S. heats up, cyber threat experts said the recent FBI warnings about the Chinese government's efforts to steal intellectual property line up with the realities they see.

"Our government is correct: Companies actually need to pay more attention," said Lou Steinberg, formerly the CTO at TD Ameritrade.

In recent years, threats from Russia have driven much of the cybersecurity attention and investment among businesses in the U.S. and Western Europe, especially after Russia’s invasion of Ukraine in February. Understandably, the threat of ransomware and disruption of critical infrastructure tends to provoke a response.

But when it comes to state-sponsored intrusions, China was behind a stunning 67% of the attacks between mid-2020 and mid-2021, compared to just 1% for the Russian government, according to data from CrowdStrike.

Without a doubt, China "stands out as the leading nation in terms of threat relevance, at least for America," said Tom Hegel, a senior threat researcher at SentinelOne.

In July, the FBI and MI5 issued an unprecedented joint warning about the threat of IP theft by China. During an address to business leaders in London, FBI Director Christopher Wray said that China's hacking program is "bigger than that of every other major country combined" and that the Chinese government is "set on stealing your technology — whatever it is that makes your industry tick."

"The Chinese government poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize," Wray said.

Lightning strikes

During his three years as a researcher at Secureworks, Marc Burnard has seen Chinese government hackers go after customers in chemicals manufacturing, aviation, telecommunications and pharmaceuticals — to name just a few.

"It's quite difficult to point out what the key sectors are for China, because they target so many," Burnard said. "It's a scale that just completely dwarfs anything from the likes of Iran, North Korea and Russia."

One of the most brazen examples was China's release of bomber jets with strikingly similar designs to the F-35 starting in 2011, according to Nicolas Chaillan, former chief software officer for the U.S. Air Force. Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the F-35 Lightning II, which is believed to have been used in the design of Chinese jets including the J-31 and J-20.

Chaillan — who resigned in protest over the military's progress on IT modernization amid the China threat — said the recent FBI warning on China is telling. "It takes a lot for the government to start saying stuff like that," he told Protocol. "That usually gives you a hint that it's really, really bad."

China "stands out as the leading nation in terms of threat relevance, at least for America."

Wray has made a number of public remarks on the China cyber threat this year. In a January speech, he said the FBI had 2,000 open investigations related to attempted theft of technology and information by the Chinese government. The FBI is opening a new case related to Chinese intelligence roughly every 12 hours, he said at the time.

In July 2021, the White House denounced the Chinese government over its "pattern of malicious cyber activity," in tandem with the European Union, the U.K. and NATO. The action made it clear that the Biden administration believes China has been ignoring its 2015 agreement to cease hacking activities meant to steal the IP of U.S. businesses.

Major incidents have included the Chinese government's widespread exploitation of vulnerabilities in Microsoft Exchange in 2021, which led to the compromise of 10,000 U.S. companies' networks, Wray said in January.

In analyzing the Chinese cyber threat, the key is to understand the larger context for why China is targeting Western IP, said Michael Daniel, formerly cybersecurity coordinator and special assistant to the president during the Obama administration.

"China is an expanding power that fundamentally sees itself as challenging the West, and challenging the world order that the Western European system has set up," Daniel said.

A central part of that aspiration is challenging the West economically, but China is prone to taking shortcuts, experts say.

China's shifting priorities

The Chinese government laid out its "Made in China 2025" strategy, which identifies the industries that it considers to be most important going forward, in 2015. The document is extremely helpful when it comes to defending against IP theft by China's government, said Daniel, who is now president and CEO of the Cyber Threat Alliance, an industry group.

"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence," he said. "It's that simple, actually."

Some of the industries that now face the biggest threat of IP theft from China — such as energy, aerospace defense technology and quantum computing — are already well aware of it, according to Steinberg, now the founder of cybersecurity research lab CTM Insights.

But other industries should be paying closer attention than they are, he said. Those include the AI/robotics, agricultural technology and electric vehicle sectors — which are among the industries mentioned in the "Made in China 2025" plan.

"If you're on their list, they've got an army of skilled people who are trying to figure out how to get your intellectual property," Steinberg said.

"If your company is in one of those industries identified in that strategy, you are a target for Chinese intelligence."

Christian Sorensen, formerly a U.S. Cyber Command official and U.S. Air Force officer, said there's been a clear shift in China's IP theft priorities from its traditional focus on defense-related technologies — such as the designs for the F-35 — and into the high-tech and biotech sectors. For instance, in mid-2020, the U.S. accused Chinese government hackers of attempting to steal data from COVID-19 vaccine developer Moderna.

Threats of this sort can be more difficult for perennially overwhelmed security teams to prioritize, however, said Sorensen, who is now founder and CEO of cybersecurity vendor SightGain.

"Everybody pays attention to what's right in their face," he said. "Our intellectual property is just flying out of our borders, which is a serious strategic threat. But it's not always the front-burner threat."

That has been particularly the case in 2022 — the year of "Shields Up."

A. U.S. Air Force F-35 Lightning II aircraft from the Vermont Air National Guards 134th Fighter Squadron Documents leaked by former NSA contractor Edward Snowden appeared to confirm that Chinese government hackers stole data on the U.S.'s F-35 Lightning II. Photo: Robert Atanasovski/AFP via Getty Images

Following the invasion of Ukraine, there was a widespread expectation that the U.S. and other allies of Ukraine would face disruptive cyberattacks by Russia. So far, major retaliatory attacks from Russia have not materialized — though experts believe a Russian escalation of this sort could still come as soon as later this year, depending on how events play out with Ukraine and sanctions.

America's focus on its cyber adversaries tends to go in cycles, experts say. And even prior to the Ukraine war, Russian threat actors have been constantly in the spotlight, from the SolarWinds breach by Russia's intelligence forces in 2020 to the Colonial Pipeline and Kaseya ransomware attacks by cybercriminals operating out of the country in 2021.

It's not out of the question that China might pursue similar disruptive cyberattacks against the U.S. and Western Europe in the future, however, if China wants to prevent aid to Taiwan, Daniel said. It's believed that China has been seeking the ability to strike critical infrastructure for a situation such as that, he said.

To date, however, China's cyber activity has been "almost entirely covert cyber espionage campaigns," said Josephine Wolff, associate professor of cybersecurity policy at Tufts University.

Whereas Russian cyberattacks are often meant to create noise and chaos, Wolff said, China's attacks are "meant to happen undercover. They don't want anyone to know it's them."

Countering China

U.S.-China tensions rose Tuesday as House Speaker Nancy Pelosi visited Taiwan. Mandiant's John Hultquist said in a statement that China is expected to carry out “significant cyber espionage against targets in Taiwan and the U.S.” related to the situation.

Notably, the Chinese government is very effective at organizing the hacking activities, said SentinelOne's Hegel. "It's a well-oiled machine for mass espionage."

While China's hacking program often does not perform the most technically advanced attacks, its sheer size and persistence allows it to be successful over the longer-term, he said.

But because China's motives are different compared to Russia, "you've got to defend yourself [in] a completely different way," said CTM Insights' Steinberg.

The go-to technologies in these situations are data-loss prevention, data exfiltration detection and deception technologies such as tripwires, he said. Rather than expecting to prevent an intrusion every time, the key to stopping IP theft is "Can you catch it happening and shut it down?"

Businesses should also concentrate on applying special protections to systems that are hosting IP, said Burnard, who is senior consultant for information security research at Secureworks. That might include network segmentation and enhanced monitoring for those parts of the system, he said.

One way that China’s hackers have been evolving can be seen in their methods for gaining initial access to corporate systems, experts say. Recent years have seen Chinese attackers increasingly exploiting vulnerabilities, instead of just relying on phishing, said Kevin Gonzalez, director of security at cybersecurity vendor Anvilogic.

China-based attackers exploited a dozen published vulnerabilities in 2021, up from just two the prior year, CrowdStrike reported — making the Chinese government's hacking operation the "leader in vulnerability exploitation."

The threat actors have shown capabilities for exploiting both previously unknown, zero-day vulnerabilities as well as unpatched known vulnerabilities, Hegel said.

Additionally, China’s government hackers are now scanning for vulnerabilities “the second they pop up online," he said — for instance, in the case of Log4Shell, a severe vulnerability in the widely used Apache Log4j software that was uncovered in December 2021. The Chinese government reportedly punished China-based tech giant Alibaba for informing the developers behind Log4j about the flaw prior to telling the government.

China has used more innovative techniques as well, such as software supply chain attacks. The compromises of CCleaner and Asus Live Update in 2017 are among the past instances.

Still, while China's focus on IP theft makes some defenses unique from those needed to stop ransomware, there are plenty of countermeasures that can help against both Russia- and China-style threats, experts said.

Placing an emphasis on strong security hygiene, vulnerability and patch management, identity authentication and zero-trust architecture will go a long way toward defending against attacks regardless of what country they're coming from, said Adam Meyers, senior vice president of intelligence at CrowdStrike.

Threat hunting is also a valuable investment, whether you're concerned about threats from Russia, China or anywhere else, Meyers said. "You have to be out there looking for these threats, because the adversary is constantly moving," he said.

But hacking is not the only cyber threat that China poses to the U.S. and the West, experts say. And it may not even be the most challenging, said Samuel Visner, a longtime cybersecurity executive and former NSA official, who currently serves as technical fellow at MITRE.

The harder question, according to Visner, is how to respond to China's initiative to build a "Digital Silk Road" across much of the globe using exported Chinese IT infrastructure. The technology is believed to be capable of facilitating surveillance on citizens. Ultimately, the fear is that the Digital Silk Road could be used to feed information about Americans or Europeans traveling abroad back to the Chinese government, he said.

While meeting a different definition of cybersecurity, Visner said, "that is also a security challenge."


What the fate of 9 small tokens means for the crypto industry

The SEC says nine tokens in the Coinbase insider trading case are securities, but they are similar to many other tokens that are already trading on exchanges.

While a number of pieces of crypto legislation have been introduced in Congress, the SEC’s moves in court could become precedent until any legislation is passed or broader executive actions are made.

Illustration: Christopher T. Fong/Protocol

When the SEC accused a former Coinbase employee of insider trading last month, it specifically named nine cryptocurrencies as securities, potentially opening the door to regulation for the rest of the industry.

If a judge agrees with the SEC’s argument, many other similar tokens could be deemed securities — and the companies that trade them could be forced to be regulated as securities exchanges. When Ripple was sued by the SEC last year, for example, Coinbase chose to suspend trading the token rather than risk drawing scrutiny from federal regulators. In this case, however, Coinbase says the nine tokens – seven of which trade on Coinbase — aren’t securities.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Sponsored Content

They created Digital People. Now, they’ve made celebrities available as Digital Twins

Protocol talks to Soul Machines’ CEO about the power of AI in the metaverse

Keep Reading Show less
David Silverberg
David Silverberg is a Toronto-based freelance journalist, editor and writing coach. He writes for The Washington Post, BBC News, Business Insider, The Toronto Star, New Scientist, Fodor's, and several alumni magazines. He also writes for brands such as 23andme, Shopify and Bold Commerce. He has served as editor of B2B News Network, Canada's only B2B news magazine, and Digital Journal, a leading pioneer in citizen journalism. Find more about him at www.davidsilverberg.ca

Werner Vogels: Enterprises are more daring than you might think

The longtime chief technology officer talked with Protocol about the AWS customers that first flocked to serverless, how AI and ML are making life easier for developers and his “primitives, not frameworks” stance.

"We knew that if cloud would really be effective, development would change radically."

Photo: Amazon

When AWS unveiled Lambda in 2014, Werner Vogels thought the serverless compute service would be the domain of young, more tech-savvy businesses.

But it was enterprises that flocked to serverless first, Amazon’s longtime chief technology officer told Protocol in an interview last week.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.


Dark money is trying to kill the Inflation Reduction Act from the left

A new campaign is using social media to target voters in progressive districts to ask their representatives to vote against the Inflation Reduction Act. But it appears to be linked to GOP operatives.

United for Clean Power's campaign is a symptom of how quickly and easily social media allows interest groups to reach a targeted audience.

Photo: Anna Moneymaker/Getty Images

The social media feeds of progressive voters have been bombarded by a series of ads this past week telling them to urge their Democratic representatives to vote against the Inflation Reduction Act.

The ads aren’t from the Sunrise Movement or other progressive climate stalwarts, though. Instead, they’re being pushed by United for Clean Power, a murky dark money operation that appears to have connections with Republican operatives.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (ljenkins@protocol.com).


A game that lets you battle Arya Stark and LeBron James? OK!

Don’t know what to do this weekend? We’ve got you covered.

Image: Toho; Warner Bros. Games; Bloomberg

This week we’re jumping into an overnight, free-to-play brawler; one of the best Japanese dubs we’ve heard in a while; and a look inside a fringe subculture of anarchists.

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

Latest Stories