Chinese government cyberespionage has decreased sharply since mid-2014, an apparent response to widespread exposure of the activity, U.S. indictments and the threat of economic sanctions last summer, according to a new report by FireEye, a cybersecurity firm.
“The landscape we confront today is far more complex and diverse, less dominated by Chinese activity and increasingly populated by a range of other criminal and state actors,” said the report by FireEye’s iSIGHT Intelligence unit.
U.S. officials said late last year that the Chinese military had scaled back its economic cyberespionage against American companies following the indictments.
The firm’s report, however, is based on an analysis over three years of 262 intrusions into the networks of companies and government agencies that hired the firm to investigate both in the United States and overseas.
It found that Chinese activity is markedly down overall — from more than 60 intrusions in February 2013 to a handful in April of this year. It also found that some activity has shifted away from the United States to targets in Asia, including Taiwan, India and Japan.
The shifts have coincided with ongoing political and military reforms in China, FireEye noted. Since taking power in late 2012, Chinese President Xi Jinping has worked to centralize China’s cyber operations, turning them toward support of a greater range of activity, the firm said. That redirection takes place as the U.S. military is building up its Cyber Command in support of defensive and offensive operations to benefit regional military commands as well as protect the nation.
In September, Xi pledged that his country would not engage in state-sponsored commercial cyberespionage — the theft of intellectual property and trade secrets from one country to benefit another country’s own industries.
FireEye found that the trend line was already sloping downward by the time Xi made his pledge, although the activity has not completely stopped. The firm has investigated a number of intrusions of corporate networks in the United States, Europe and Japan.
Laura Galante, FireEye director of threat intelligence, points to several reasons for the downturn. In early 2013, the cybersecurity firm Mandiant issued a report describing in detail the activities of one prolific hacking unit from the People’s Liberation Army, Unit 61398. Mandiant is now owned by FireEye. That unleashed a flood of other reports outlining Chinese cyber operations.
In May 2014, the Justice Department obtained indictments against five Chinese army officers in commercial cyberespionage, marking the first time the U.S. government had charged foreign government personnel with such crimes.
In August 2015, The Washington Post reported that the Obama administration was developing economic sanctions to apply against Chinese companies and individuals who benefited through the cybertheft of U.S. companies’ intellectual property.
Taken together, Galante said, these events probably influenced the change in China’s behavior.
The analysts did not distinguish in their research between commercial and political espionage. The latter includes, for example, the Chinese government hack of the Office of Personnel Management, which U.S. officials have said was done more for classic spying purposes of gaining information that can be used to blackmail government employees or recruit them as agents.
They also did not analyze whether intrusions were directed by military or intelligence agencies. The Post reported last year t hat the Ministry of State Security , an intelligence and security agency, probably was behind the OPM hack. Other researchers have detected more activity coming from the ministry rather than the Chinese army.
“The volume has gone down so much that at least it’s clear that there’s a higher cost to operating in cyberspace” for the Chinese, Galante said.