Since 1953, the Chinese government has issued official five-year plans. Each plan outlines the economic development goals and the main drivers that will help the country achieve those ambitions. They also act as advance warning of industries hacker groups will likely target.

This was the case with the 12th plan and is the case with the current 13th. With work for the 14th plan likely underway, a new group of industries could find themselves under attack from a number of sophisticated hacker groups.

“Organizations need to understand how they are viewed by their adversaries and in the case of nation-states such as China how attractive are their personnel, locations, data and core intellectual property to those states,” warns Adam Meyers, VP of intelligence at CrowdStrike.

A shopping list for hackers

The current five-year plan runs until 2020. In it, the People’s National Assembly of China set out goals around making China a “moderately prosperous society,” including 6.5 percent annual gross domestic product (GDP) growth, increasing domestic R&D, achieving climate goals and bringing more people out of poverty.

The 13th plan also included the “Made in China 2025” policy, which laid out the key industries in which the Chinese government is focused on becoming a world leader.
These industries include:

- Information technology
- Robotics (including AI and machine learning)
- Green energy and green vehicles
- Aerospace equipment
- Ocean engineering and high-tech ships
- Power equipment
- New materials
- Medicine and medical devices
- Agriculture machinery
- Railway infrastructure

At the time of that plan’s announcement, CrowdStrike warned that companies working in these industries would likely suffer more cyberattacks from China-affiliated hackers — much the same as with the 12th plan — in an effort to steal intellectual property (IP), accelerate goals and reduce the country’s dependency on foreign firms for technology, equipment and infrastructure.

While there have been cyberattacks against major corporations since then, there have not been as many as some expected. This is due in part to an agreement in 2015 between U.S. President Obama and Chinese President Xi Jinping that neither country would “support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

The agreement coincided with a reorganization and modernization of the Chinese People's Liberation Army and the creation of the People's Liberation Army Strategic Support Force, which houses operations around space, cyberspace and electronic warfare.

“Most of the cyber-capable units notably the 3rd and 4th General Staff Department (GSD) where the publicly attributed units (1st Bureau was the APT1 unit designated 61398, 12th Bureau was identified by CrowdStrike as Putter Panda in 2014), were reorganized into the PLASSF and Network Systems Department (NSD),” explains Meyers.

Trade war brings new attacks

The ongoing tit-for-tat tariffs, plus repeated warnings from U.S.
officials over Huawei’s relationship with the Chinese government and its role in 5G, have strained relations between the two countries and attacks have increased.

“Now that there's geopolitical pressure and the trade wars, we've seen a resurgence [in attacks]. All these groups are active again. They were less active and now they're at full speed again,” says Otavio Freire, CTO of threat monitoring service SafeGuard Cyber. “You can only attribute it to the trade wars. The timing is suspiciously too coincidental that when relations were good, there is less attacks by the advanced persistent threats from China.”

A survey by CNBC found that one in five U.S. companies have had their IP stolen by China in the last 12 months.

“In 2015, China promised to stop stealing trade secrets and other confidential business information through computer hacking with the intent of providing competitive advantages to companies or sectors,” Deputy Attorney General Rod Rosenstein said in a press conference announcing the indictment of two Chinese men connected with the APT10 hacking group. “The activity alleged in this indictment violates the commitment that China made to members of the international community.”

As the cyber-détente has come to an end and the reorganization of the PLA has settled down, hacker activity is turning its focus back to the goals of the five-year plan.

“The downturn in Chinese targeted intrusion activity observed in the wake of the 2015 agreement between China and the U.S. with regards to commercially motivated cyber-espionage appears to have been reversed,” says CrowdStrike’s Meyers. “Over the last year, CrowdStrike Intelligence has observed an increasing operational tempo from China-based adversaries.
The threat of 25 percent tariffs on more than $50 billion worth of Chinese goods may be driving some of the recent activity.”

Multiple industries at risk

The 10 industries mentioned in the plans face attacks from threat actors with differing skillsets. The first group Meyers mentions is Wicked Panda (also known as APT17, Winnti Group, Tailgator Team, Deputy Dog and others), which has been active since 2009.

“Wicked Panda has been linked to numerous incidents involving a broad set of targets including organizations in the mining, technology, manufacturing and hospitality sectors,” he explains. “The scope for this adversary group suggests they are contractors supporting high-priority operations as needed.”

“[In its most recent attacks] the actor compromised a running SQL Server process and attempted to upload and execute an open-source PowerShell Empire implant, which was intended to open a reverse TCP shell to the adversary-controlled domain,” Meyers says.

Other groups of note include APT10 (aka Menupass Team, Stone Panda), a Chinese Ministry of State Security (MSS)-affiliated group active since at least 2009 and targeting construction, engineering, aerospace, telecom and government. Known to use the Haymaker, Snugride, Bugjuice and Quasarrat malware families, the group leverages both traditional spear phishing and managed service providers — including IBM and HPE, according to Reuters — to gain access to victims’ networks.

APT40 (aka Periscope), according to FireEye, has been active since 2013 and is thought to be dedicated to China’s naval modernization effort and the country’s Belt and Road Initiative. It is known to target engineering, transportation and defense companies with maritime links across the U.S., Europe, South East Asia and the Middle East.
It has been observed impersonating an unmanned underwater vehicle (UUV) manufacturer and targeting universities engaged in naval research.

A report from the U.S.-China Economic and Security Review Commission into Biotechnology says there have been at least six attempts by Chinese actors to remove IP from medical companies, including robotic surgical equipment, cancer treatments, treatments for organ recipients, cornea regeneration, hepatitis C diagnostics and an anemia drug. Multiple attacks in the agriculture industry involved attempts to steal genetically engineered rice or corn seeds, while other thefts have targeted organic pesticides, engineered food products and livestock feed supplements.

SafeGuard Cyber tells CSO it has also seen a large amount of activity in the aerospace sector. “They want their own Boeing,” says Freire. “They want to stop buying from the United States.”

As well as APT groups, numerous insider attacks have targeted high-tech companies. In October 2018, the U.S. charged two alleged Chinese intelligence officers with attempting to steal IP and confidential business data — including information related to a turbofan engine used in commercial airliners — from aerospace companies.

Smaller hacker groups with no obvious or official ties to the Chinese government are also a threat. “It works more like a loosely coupled criminal enterprise than 'everything is state sponsored',” says Freire. “It is very network driven the attacks and it's not centralized. Entrepreneur hackers approach a politician in a relevant department and say, 'I have some information here, will you pay for it?' China’s been able to create this environment and say, 'We're open for business. If you accomplish these objectives, we will pay for it.'”

Targeted industries face real consequences

Losing valuable IP to a competitor can be devastating; the full extent of the damage is often only seen years later.
APT1 (aka the Comment Group), identified as Unit 61398 within the PLA, was attacking companies as far back as 2006 and is affiliated with the GhostNet, Aurora and Shady RAT campaigns. Companies named in a 2014 US indictment as being victims of APT1 include SolarWorld, Westinghouse Nuclear and ATI Metals. The Financial Times reports that these attacks, in turn, helped boost Chinese aluminum company Chinalco, steelmaker Baosteel and nuclear power firm SNPTC.

“Intellectual property is really the lifeblood of these organizations,” says Freire. “The long-term consequences are for those countries and companies that were at the forefront of science and technology had that competitive advantage, that is lost forevermore. But it's slow moving, so the consequences [of losing IP] are not as obvious.”

Those companies haven’t done well since they were hacked. German solar energy company SolarWorld was hacked in 2012 and filed for insolvency in 2017 (though the U.S. subsidiary is still in business and was recently acquired by SunPower).

“While the five Chinese military hackers have never been brought to justice in this country,” SolarWorld CEO Juergen Stein said in a recent testimony. “We firmly believe that were it not for their economic espionage and theft from SolarWorld Americas, Chinese solar producers like JA Solar and Trina would have taken far longer to make the leap into PERC [Passivated Emitter and Rear Cell, a newer type of solar architecture] technology.”

Westinghouse, which designs and constructs nuclear power stations, lost sensitive emails and confidential proprietary technical and design specifications for piping within nuclear plant designs. Like SolarWorld, the group filed for bankruptcy in 2017 before being sold to Brookfield Business Partners in January 2018.

“Can you imagine how frustrating it would be,” says Freire.
“You are Westinghouse, pursuing a nuclear deal, you've spent years with a government, you bid a price, explain what your differentiators are, and here comes another proposal that is a better financial model that addresses your differentiators.”

“To come up with a reactor design, it is hundreds of millions of dollars, 15 years in the making. If you steal that, it’s not just that you’ve gathered a full nuclear plant design that costs hundreds of millions, but also the time to market. The 15 years that it took to get to that pinnacle of nuclear design is the long-term geopolitical consequence.”

Though they never went into bankruptcy, ATI, along with aluminum company Alcoa and US Steel — two other companies named as victims in the 2014 indictment — have seen their share prices drop substantially as their competitive advantage has eroded. US Steel recently lost a trade secrets case with the U.S. International Trade Commission (ITC) against Chinese steel manufacturers, in which US Steel said it had seen valuable trade secrets stolen by the Chinese government and ‘used to produce advanced high-strength steel that no Chinese manufacturer had been able to commercialize before the theft.’

“They've been very successful. These industries came from nowhere and are now cutting-edge competitive industries from China,” says Freire. “China's appropriated themselves of something that is so incredibly valuable that changes the trajectory of markets and is able to fast forward to the future when they get this information.”

The 14th plan is coming soon

The South China Morning Post has reported that work is underway for the next 5-year plan, which will run from 2021 to 2025.
As well as likely continuing to target companies in sectors mentioned in the Made in China policy, any new industries the next plan highlights will likely face increased interest from threat actors trying to steal their IP.

“The 12th five-year plan was a veritable shopping list for Chinese intrusion groups during the 2011-2015 time frame, which they largely fulfilled,” says CrowdStrike’s Meyers. “The 13th five-year plan, which is currently in progress, has a focus on some fairly broad targets.”

“It is likely that China continues to see cyber espionage as a means to further enhance and develop the economy. Given the current Chinese efforts to be a leader in 5G and advanced communications technologies, I imagine there will be quite a focus on software and hardware in that arena [in the 14th plan],” says Meyers.

Quantum computing, machine learning, AI and communications will likely continue to be of focus, Meyers warns, as will medical technology (particularly in digital healthcare and preventative medicine) and previously targeted industries such as biotech, defense, mining, pharmaceutical, professional services, transportation and aerospace.

He adds that China’s Belt and Road Initiative, which sees the country making large infrastructure investments around the world to create a 21st century version of the Silk Road trading route, will also likely serve as a driver for intelligence collection.