By Eric Geller
“China stands accused of engaging in criminal activity that victimizes individuals and companies in the United States, violates our laws, and departs from international norms of responsible state behavior,” Deputy Attorney General Rod Rosenstein said at a press conference.
To emphasize the point, the Justice Department on Thursday indicted two Chinese hackers for a long-running economic espionage campaign that resulted in the theft of hundreds of gigabytes of data from companies and government agencies.
Hours later, DHS and the State Department warned Beijing to “abide by its commitment to act responsibly in cyberspace” and said the U.S. would “take appropriate measures to defend our interests.”
Thursday’s actions confirm what private-sector cybersecurity researchers and U.S. intelligence officials have been saying for months: The 2015 agreement in which Beijing pledged to stop hacking U.S. companies for their valuable intellectual property is dead.
“The activity alleged in this indictment violates the commitment that China made to members of the international community,” Rosenstein said. “The evidence suggests that China may not intend to abide by its promises.”
The two Chinese hackers, Zhu Hua and Zhang Shilong, worked for a technology company in Tianjin, China, and “acted in association with” China’s Ministry of State Security, according to the indictment unsealed today in federal court in the Southern District of New York. They were part of a group that security researchers and the government have dubbed APT10, for “advanced persistent threat.”
The men participated in two parallel campaigns of digital intrusions, DOJ said. In the first operation, beginning in 2006, they hacked at least 45 companies and government agencies in at least 12 states and stole vast troves of data from firms in industries such as aviation, oil and natural gas, manufacturing, pharmaceuticals, and telecommunications.
In the second campaign, which began in 2014, they hacked “managed service providers,” which offer technology services to other companies, and stole data from manufacturing, consulting, healthcare, biotechnology, consumer electronics and other companies around the world.
The companies were located in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the U.S., according to the indictment.
Prosecutors said that APT10’s “hacking operations evolved over time, demonstrating advances in overcoming network defenses, victim selection, and tradecraft.”
Also on Thursday, the United Kingdom issued statements blaming China’s government for sponsoring economic cyberattacks across the U.S., Europe and Asia.
Adam Segal, who leads the cyber program at the Council on Foreign Relations, praised the U.S. for building a global coalition against Beijing’s activities.
“Getting other countries to call China out is an important step,” he told POLITICO. The Trump administration, he added, is “likely to get more traction with Beijing when it is multilateral, not just the United States criticizing.”
Rep. Jim Langevin (D-R.I.), one of Congress’s most active lawmakers on cyber policy, agreed. “Collective international action, rather than going it alone, is the best way to make it clear to China that their actions are unacceptable,” he said in a statement.
At the press conference in Washington, Rosenstein said that the Chinese government “will find it difficult to pretend that it is not responsible for these actions.”
“In some cases, we know exactly who is sitting at the keyboard perpetrating these crimes in association with the Chinese government,” he said. “There is no free pass to violate American laws merely because they do so under the protection of a foreign state.”
But experts also expressed disappointment at the limited nature of Thursday’s actions. The indictments “fell short of the full punitive response that many in the administration were advocating,” said Paul Triolo, an expert on China and global technology issues at the Eurasia Group.
Treasury Secretary Steven Mnuchin and other “administration moderates … were able to prevail in their efforts to hold back the most punitive actions,” Triolo told POLITICO.
Chris Painter, who was the State Department’s top cyber diplomat from 2011 to 2017 and helped negotiate the 2015 agreement, said the Trump administration should make economic espionage central to the bilateral relationship.
“This cyber activity is only part of a larger set of issues with China,” he said, “and there needs to be consistent messaging that continuing this malicious activity is a roadblock to solving other issues between our countries.”
Segal, Painter and Langevin urged the U.S. and other Western countries to sanction the Chinese firms that benefited from Beijing’s cyber thefts.
“Chinese business leaders need to understand that if they make a Faustian pact with their government, they will not be welcome in the international community,” said Langevin.
Thursday’s actions mark the most aggressive turn in a months-long effort by the Trump administration to shine a spotlight on Beijing’s malicious cyber activity, especially its use of cyberattacks to steal U.S. intellectual property and hand it off to Chinese businesses.
In March, the Office of the U.S. Trade Representative issued a report on Chinese intellectual property theft that detailed Beijing’s decade-long campaign of “cyber intrusions into U.S. commercial networks targeting confidential business information held by U.S. firms.”
“Through these cyber intrusions, China’s government has gained unauthorized access to a wide range of commercially valuable business information, including trade secrets, technical data, negotiating positions and sensitive and proprietary internal communications,” the report said. “These acts, policies, or practices by the Chinese government are unreasonable or discriminatory and burden or restrict U.S. commerce.”
China is linked to more than 90 percent of DOJ’s economic espionage cases over the past seven years, as well as more than two-thirds of its trade secrets theft cases, Rosenstein said today.
Speaking after Rosenstein, FBI Director Christopher Wray told reporters that “no country poses a broader, more severe, long-term threat to our nation’s economy and cyber infrastructure than China.”
Intellectual property theft has long been a source of tension between the U.S. and China, the world’s two largest economies, and in 2015 the issue came to a head before a summit between Presidents Barack Obama and Xi Jinping.
Facing the threat of sanctions just as Xi and his high-level delegation were set to arrive in Washington, Beijing agreed to a deal that would ban the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Xi and Obama announced the agreement from the Rose Garden following their summit.
Cybersecurity researchers saw a significant drop-off in Chinese intellectual property theft following the deal. But in recent years, as trade tensions escalated following Trump’s election, the hacking resumed its previous pace and expanded to new areas, including “dual-use” technology that has commercial and military applications, experts said.
“On the one hand the diplomatic agreement definitely worked, but on the other hand it established a narrow norm that Beijing has continued working around using all elements of national power to improve their economy at the expense of U.S. competitors,” Christopher Porter, chief intelligence strategist at the security firm FireEye, told POLITICO.
For a while, the U.S. government avoided directly accusing China of breaching the 2015 agreement. But that changed in recent months. In November, Rob Joyce, a senior NSA cybersecurity official, said it was “clear that they are well beyond the bounds” of the deal.
“We’ve certainly seen the behavior erode in the last year,” said Joyce, who previously served as Trump’s cyber coordinator in the White House. “And we’re very concerned with those troubling trends.”
On Oct. 30, the Justice Department announced charges against Chinese intelligence officers and their contract hackers for a five-year cyber campaign that targeted, among other things, the proprietary design for a jet engine.
“At the time of the intrusions,” the government said, “a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.”
The indictment followed news that Belgian authorities had extradited to the U.S. a senior officer of China’s Ministry of State Security to face economic espionage charges, also related to aviation firms. Officials said it was the first U.S. extradition of a Chinese spy.
Another aspect of the counter-China offensive is a focus on the so-called supply chain, the complex and often opaque web of companies that design, produce and sell technology products and services.
U.S. intelligence officials worry the Chinese government will pressure its telecom giants, Huawei and ZTE, to manipulate the equipment they sell to Western countries for espionage and disruptive cyberattacks. The U.S. is trying to persuade its closest allies to stop using those companies’ products, but the effort has met with mixed results.
Washington is also concerned about Chinese cyberattacks on corporations and government agencies that host vast troves of Americans’ personal data, especially information — like security clearance applications and health records — that could help Beijing turn Americans into double agents.
The 2014 hack of the U.S. Office of Personnel Management, which compromised the records of 21.5 million current, former and prospective federal employees, was part of this campaign, officials have said. So too was the hack of the giant health insurer Anthem, disclosed in January 2015, which exposed more than 37.5 million patient records.
U.S. officials believe the massive Marriott data breach, which compromised as many as 500 million people’s information, was also part of this counterintelligence project. That hack, which the company disclosed on Nov. 30, included not only basic information like names, phone numbers and street addresses, but also passport numbers. Secretary of State Mike Pompeo publicly blamed China for the hack last week.
None of the OPM, Marriott or Anthem data have surfaced online, which would be unusual if it lay in the hands of garden-variety cyber criminals. The U.S. believes Beijing’s analysts are pouring over the data, trying to determine who is most susceptible to recruitment by China’s spy services.
Complicating efforts to reduce this type of hacking is the fact that the U.S. — along with every other country with an advanced cyber program — also conducts cyber espionage. Efforts to prosecute foreign government hackers for digital spycraft risk creating a norm that intelligence and national security officials see as unwise. In addition, other countries might try to charge NSA or CIA hackers using the U.S.’ rationale.
While China’s intelligence operations may perennially bedevil U.S. investigators, senior DOJ officials appeared confident Thursday that exposing Beijing’s economic espionage would yield results.
“Today’s charges mark an important step in revealing to the world China’s continued practice of stealing commercial data,” said Rosenstein.