China's cyber espionage focus: intellectual property theft

The recently uncovered Operation CuckooBees campaign shows how serious China is about using IP theft as a competitive advantage. Protect IP now or chase it later.


China's focus on acquiring intellectual property is a recurring topic, and it has surfaced again with Operation CuckooBees, which has been detailed in a comprehensive Cybereason report. The report noted that the Chinese advanced persistent threat (APT) group behind it has carried many labels, including Winnti and APT41, and is credited with being operational from at least 2019. Over the course of the past few years, according to Cybereason, the group siphoned off hundreds of gigabytes of data from its targets.

Stepping back in time, in September 2020 the US Department of Justice announced two separate indictments that charged five Chinese nationals, members of APT41/Winnti, with cyber-related crimes. At that time, Michael R. Sherwin, acting U.S. attorney for the District of Columbia, commented, “As set forth in the charging documents, some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe.”

This was followed in October 2020 by the Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Security Agency (NSA) issuing an alert highlighting how China can be expected to target “networks holding sensitive intellectual property, economic, political, and military information.” In July 2021, a joint CISA, NSA and FBI alert highlighted a broader array of targets that have found themselves within China’s state-sponsored targeting matrix.

Contemporaneously with Cybereason's research effort, Mandiant was conducting its own research into APT41. In March 2022 it published its own piece on how APT41 was attacking U.S. state government networks. Mandiant's report highlighted the persistent nature of the group's efforts to infect, reinfect, and exploit target entities, and it provided a visual timeline of the exploitation. Mandiant also notes that in most instances, its efforts detected APT41's presence.

CISO warning: China plays the long game

The drumbeat of the state-sponsored threat posed by China has been going on for years, and Cybereason's report drives the point home. That China continues to enjoy success despite multiple technical warnings and the public dissection of a variety of its exploitation methodologies speaks to China's technical acumen, tenacity, and focus.

While Cybereason did not detail the specifics of China’s cyber espionage success (the information that the company gleaned was shared with the FBI), the company characterized it as consisting of “exfiltrating hundreds of gigabytes of information. The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”

In a nutshell, China went long, established its foothold, and sought a continuous flow of information from the compromised entities. These efforts were not of the once-and-done variety of cyberattacks.

China’s IP theft as a competitive advantage

In April 2022, the Office of the President of the United States issued its Annual Intellectual Property Report to Congress, which detailed the status of intellectual property protection efforts across ten separate government entities, including the Department of Justice and Department of Homeland Security.

Furthermore, Cybereason emphasized how the cyber espionage operation touched on “manufacturing companies mainly in East Asia, Western Europe, and North America.” It stands to reason that within each targeted entity these efforts were focused on what we affectionately refer to as the crown jewels.

The theft will allow the government of China to parcel out the stolen intellectual property to Chinese entities, both private companies and state-owned enterprises, for exploitation. That exploitation can be expected to bring to market the same goods or services the victim created and took to market, and because the theft obviated the sunk costs of research and development, the Chinese company is able to sell those goods or services at a fraction of the price competitors charge.

Detection and prevention of intellectual property loss

Oftentimes it is only when a company finds itself competing against its own product design that it realizes its intellectual property has been purloined. It is then faced with chasing its IP through the judicial system, which is arguably a multi-year endeavor. Furthermore, when the entity using the stolen IP is in China, companies often find their remedies limited to filing Section 301 complaints with the Departments of State and Commerce via the U.S. Trade Representative to protect their U.S. market, while for all intents and purposes ceding the China market.

Working with CIOs, information security teams may have to be creative in walling off functions within the China market from the rest of the enterprise, given the advent of tech transfer mandates. Thus the role of the CISO carries with it the incentive to protect the crown jewels from cyber espionage while at the same time keeping on top of a scenario that includes a forced technology transfer to China, by China.

The bottom line: protect your intellectual property today or chase your intellectual property later.

Copyright © 2022 IDG Communications, Inc.
