The report shows that China takes a multifaceted approach to stealing secrets, which include computer software source code, chemical formulas, and technology that can be used in weapons systems. Although it relies on computer hacking, China also acquires technology and know-how through joint ventures and purchases of companies, academic and research partnerships, and front companies meant to “obscure the hand of the Chinese government,” the report found.
The findings were published by the National Counterintelligence and Security Center, part of the Office of the Director of National Intelligence, which oversees all U.S. spy agencies.
In 2015, after the Obama administration threatened to impose sanctions on China, both countries agreed to refrain from conducting cyber operations for economic advancement. The deal was mostly one-sided, as the United States doesn’t steal proprietary information and technology from other countries for economic advancement, intelligence and security officials have said. (It does steal for political and strategic purposes.)
William Evanina, who heads the counterintelligence center, said China was by far the most aggressive country trying to steal economic information from the United States and was responsible for most of the theft. He told reporters Thursday that although other nations, including Russia and Iran, were trying to steal valuable technology to enhance their economies, “none of them equals China.”
The report shows that although some progress has been made in curbing Chinese economic espionage, its cyber operations continue and are focused on defense contractors or information technology and communications companies that provide products and services to support government and private-sector information networks.
“We believe that China will continue to be a threat to U.S. proprietary technology and intellectual property through cyber-enabled means or other methods,” the report says. “If this threat is not addressed, it could erode America’s long-term competitive economic advantage.”
Intelligence officials are increasingly concerned about an emerging threat in which attackers target software manufacturers and distributors, rather than individual users. In these “supply chain” attacks, software is manipulated — perhaps to add a back door for hackers to enter later — before it is installed or updated on a computer. The attacks can affect millions of people who download the software, often from sources they trust.
Recent evidence suggests that the problem is pervasive and that companies are unprepared to manage it. Two-thirds of respondents in a survey commissioned this month by computer security company CrowdStrike said their organizations had experienced a supply-chain attack, with 90 percent of those incurring some financial cost.
The intelligence report called 2017 “a watershed in the reporting of software supply chain operations.” Last year, seven “significant events” were publicly reported, compared with four between 2014 and 2016, the report found.
“Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact,” the report said.
Among the most notable incidents intelligence officials cited is one that affected a popular tool used to delete unwanted and potentially dangerous files from personal computers. More than 1 million computers downloaded an infected version of the program, CCleaner, which hackers then used to target technology companies, including Intel, Samsung and Sony, researchers said.
Security analysts have found evidence that they think links the attack to Chinese hackers, who they believe broke into a British software maker to corrupt the popular CCleaner program.
Hackers also infiltrated software supply chains to conduct a devastating attack last year in Ukraine. The CIA has attributed that attack to Russian military hackers, who used a virus called NotPetya to delete information from computers used by banks, energy firms, senior government officials and an airport. The attack crippled Ukraine’s financial system during a war with separatists loyal to Moscow.
The attack had significant financial costs to companies, including FedEx and Maersk, which each suffered $300 million in damages, the intelligence report said.
The report warns that new laws and inspection regimes in foreign countries pose a risk to American firms.
Last year, China began requiring foreign companies to submit communications technology to a government-administered national security review. Companies that operate in China also must store their data there, which exposes it to government influence, the report noted.
Russia also “has dramatically increased its demand for source code reviews for foreign technology being sold inside the country,” the report said.
The report singles out Russia and Iran as malign actors intent on penetrating U.S. computer systems and critical infrastructure.
Russia aims to use cyber espionage “to bolster an economy struggling with endemic corruption, state control, and a loss of talent departing for jobs abroad,” the report said. Russian hackers have stolen intellectual property from U.S. health-care and technology companies, and last year compromised operational networks at energy companies, the report found.
Iran targets American firms as part of what the report calls “a subset” of offensive cyber operations mostly focused on Israel and Saudi Arabia.
For instance, an Iranian hacker group called Rocket Kitten “consistently targets U.S. defense firms, likely enabling Tehran to improve its already robust missile and space programs with proprietary and sensitive U.S. military technology,” the report said. Iranians are also targeting aerospace and civil aviation firms, financial institutions, and energy sector companies.
To combat old and evolving threats, the U.S. government is taking a range of actions, including trying to collaborate more with business and computer security experts to stay abreast of threats and either prevent them or manage the fallout.
In recent years, the Justice Department has indicted foreign citizens in connection with computer hacking. And although many of those accused aren’t likely to see the inside of an American courtroom, some experts think the legal actions have been a deterrent, particularly in China, where the government has come to realize that to be taken seriously as a world economic power, it has to curtail its aggressive economic espionage.