The recently uncovered Operation CuckooBees campaign shows how serious China is about using IP theft as a competitive advantage. Protect IP now or chase it later.

China's focus on acquiring intellectual property is a recurring topic that keeps percolating to the forefront, most recently with Operation CuckooBees, which Cybereason has detailed in a comprehensive report. The report noted that the Chinese advanced persistent threat (APT) group has had many labels, including Winnti and APT41, and is credited with being operational from at least 2019. Over the course of the past few years, the group siphoned off, according to Cybereason, hundreds of gigabytes of data from their targets.

Stepping back in time, in September 2020 the US Department of Justice announced two separate indictments that charged five Chinese nationals, members of APT41/Winnti, with cyber-related crimes. At that time, Michael R. Sherwin, acting U.S. attorney for the District of Columbia, commented, “As set forth in the charging documents, some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe.” This was followed in October 2020 by the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the National Security Agency (NSA), issuing an alert highlighting how China can be expected to target “networks holding sensitive intellectual property, economic, political, and military information.” In July 2021, a joint CISA, NSA and FBI alert highlighted a broader array of targets that have found themselves within China’s state-sponsored targeting matrix.

Contemporaneously with Cybereason’s yeoman research effort, Mandiant was conducting its own research into APT41. In March 2022 it published its own piece on how APT41 was attacking U.S. state government networks.
Mandiant’s report highlighted the persistent nature of the group’s efforts to infect, reinfect, and exploit target entities. It provided a visual timeline of exploitation. Mandiant also notes that in most instances, their efforts detected APT41’s presence.

CISO warning: China plays the long game

The drumbeat of the state-sponsored threat posed by China has been going on for years. Cybereason’s report drives this point home with alacrity. The fact that China continues to enjoy success in the face of multiple technical warnings and a variety of exploitation methodologies dissected speaks to China’s technical acumen, tenacity, and focus.

While Cybereason did not detail the specifics of China’s cyber espionage success (the information that the company gleaned was shared with the FBI), the company characterized it as consisting of “exfiltrating hundreds of gigabytes of information. The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”

In a nutshell, China went long, established its foothold, and desired to have the ability to have a continuous flow of information from the compromised entities.
These efforts were not of the once-and-done variety of cyberattacks.

China’s IP thefts a competitive advantage

In April 2022, the Office of the President of the United States issued its Annual Intellectual Property Report to Congress, which detailed the status of intellectual property protection efforts across ten separate government entities, including the Department of Justice and Department of Homeland Security.

Furthermore, Cybereason emphasized how the cyber espionage operation touched on “manufacturing companies mainly in East Asia, Western Europe, and North America.” It stands to reason that these efforts were focused within each targeted entity on what we affectionately refer to as the crown jewels.

The theft will allow the government of China to parcel out the stolen intellectual property to Chinese entities, both private and state-owned enterprises, for exploitation. This exploitation can be expected to bring to market the goods or services which the victim created and took to market, and because the theft obviated the need for research and development sunk costs, the Chinese company is able to sell the goods or services at a fraction of the price competitors charge.

Detection and prevention of intellectual property loss

Oftentimes it is only when a company finds itself competing against its own product design that it realizes its intellectual property has been purloined. It is then faced with chasing its IP through the judicial system, which arguably is a multi-year endeavor. Furthermore, when the entity using the stolen IP is in China, companies often find their remedies limited to filing Section 301 complaints with the Departments of State and Commerce via the U.S. Trade Representative to protect their U.S.
market, while for all intents and purposes ceding the China market.

Working with CIOs, information security teams may have to be creative in the means by which functions within the China market are walled off from the rest of the enterprise given the advent of tech transfer mandates. Thus the role of the CISO carries with it the incentive to protect the crown jewels from cyber espionage, while at the same time keeping on top of the potential for a scenario that includes a forced technology transfer to China, by China. The bottom line: protect your intellectual property today or chase your intellectual property later.