The Washington PostDemocracy Dies in Darkness

China still trying to hack U.S. firms despite Xi’s vow to refrain, analysts say

Chinese President Xi Jinping and President Obama toast during a State Dinner on Sept. 25, 2015, in the East Room of the White House. (Andrew Harnik/AP)

Chinese government hackers have attempted in the past few weeks to penetrate the networks of U.S. companies to steal their secrets despite a pledge by China’s president that they would not do so, according to private researchers.

Chinese hackers have targeted at least seven U.S. companies since President Xi Jinping vowed last month in Washington that his country would not conduct economic cyberespionage — the theft of trade secrets and intellectual property for the benefit of the nation's industries, according to CrowdStrike, a firm that helps companies track and prevent intrusions.

In the three weeks since Xi left Washington — including the day after he left, on Sept. 26 — hackers linked to the Chinese government have attempted to gain access to tech and pharmaceutical companies’ networks, said Dmitri Alperovitch, CrowdStrike co-founder and chief technology officer, who released a report on the issue Monday.

The efforts continue to the present, sometimes several times a day, and appear to be distinct from traditional intelligence gathering, which is not covered by Xi’s pledge, Alperovitch noted.

U.S., China vow not to engage in economic cyberespionage

Both President Obama and President Xi Jinping referenced the evolving relationship between their two counties during a toast at the Chinese state dinner. (Video: AP)

The U.S. intelligence community is also seeing continued signs of economic cyberespionage by Chinese hackers, according to a U.S. official, who spoke on the condition of anonymity because of the matter’s sensitivity. But what it means at this point is not clear.

One senior military cyber­defense official said recently that any cessation of Chinese economic espionage activity will play out over time. “I think it’s too early for any of us to see any of those changes,” said the U.S. Cyber Command’s deputy commander, Lt. Gen. James K. McLaughlin, speaking at the Center for Strategic and International Studies on Oct. 9.

Nonetheless, the fresh efforts by Chinese hackers, if they prove to be part of a renewed campaign of commercial espionage in cyberspace, will put pressure on the Obama administration to hold China accountable.

While in Washington for a state visit, Xi met with President Obama and promised that China would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”

Obama said Beijing must now follow through. “The question now is,” Obama said, “are words followed by actions?”

Timeline: Intrusions detected by CrowdStrike

A senior administration official said the White House is aware of CrowdStrike’s report. “We’ll decline comment on its specific conclusions,” said the official, who spoke on the condition of anonymity because of the issue’s sensitivity. “As we move forward, we will monitor China’s cyber-activities closely and press China to abide by all of its commitments.”

The Washington Post reported in late August that the administration was preparing to impose — possibly even before Xi's visit — economic sanctions on Chinese companies that benefited from government-sponsored hacking. But a promise by the Chinese government to refrain from such activity and its arrests of several hackers, among other gestures, helped persuade the administration to hold off on imposing sanctions.

But if the Chinese continue their behavior, the administration will act, officials said.

Standing next to Xi in the Rose Garden last month, Obama stressed that he had created a sanctions program earlier this year to be used when the administration has proof that the hackers have “gone after U.S. companies or U.S. persons.” He said he had told Xi “that we will apply [sanctions] and whatever other tools we have in our tool kit to go after cybercriminals, either retrospectively or prospectively.”

Many officials have been skeptical — some openly — that China would uphold its end of the agreement. One question: How much time should the administration give China to make changes in its behavior?

Some analysts noted that it could take time for China’s vast apparatus of cyberspies to be dismantled or refocused.

Another threat-detection company, FireEye, also has observed activity from likely Chinese government hacker groups since Sept. 25. “But it is premature to conclude that activity during this short timeframe constitutes economic espionage,” the firm’s intelligence director, Laura Galante, said in an e-mail. “Assessing the complexity of changes in state-sanctioned economic espionage requires far more sufficient time, data and viewpoints,” she said.

Alperovitch said he thinks enough time has passed. “The Chinese need to be held accountable for their continued attempts to steal IP and trade secrets through cyber-intrusions into commercial companies” he said. “The U.S government needs to make it clear that we will still use those sanctions unless these actions cease.”

CrowdStrike is not identifying the companies that were targeted, Alperovitch said. He said that CrowdStrike’s intrusion-detection platform prevented the hackers from gaining actual entry into their targets’ networks and no data was taken.

But, he said, the detection platform revealed tools and techniques, including servers in other countries, that are used by a variety of Chinese government hacking groups, including one that CrowdStrike has dubbed Deep Panda. For years, these groups have been targeting industries of strategic importance to China, including agriculture, chemical, financial, health care and insurance sectors.