The Chinese military scaled back its cybertheft of U.S. commercial secrets in the wake of Justice Department indictments of five officers, and the surprising drawdown shows that the law enforcement action had a more significant impact than is commonly assumed, current and former U.S. officials said.
The People’s Liberation Army (PLA) has not substantially reengaged in commercial cyberespionage since then-Attorney General Eric H. Holder Jr. announced charges against the officers in May 2014, the officials said.
It is still unclear, however, whether President Xi Jinping will be able to deliver on a September pledge to President Obama that China would not conduct economic spying in cyberspace to benefit its own companies.
As the United States and China prepare for high-level cyber-talks in Washington beginning Tuesday, officials and private-sector analysts say there is evidence that China’s civilian spy agency, the Ministry of State Security, continues to conduct significant commercial espionage operations.
Officials at the two-day meeting are expected to discuss how China is following up on Xi’s pledge, as well as guidelines for mutual assistance in cyber-investigations.
“The big picture is that from 2014 on, the administration pursued a much more direct and coercive approach with China, and it has produced results over time,” said Evan S. Medeiros, a former senior director for Asian affairs on the National Security Council.
In September, during a state visit, Xi Jinping pledged to Obama that China would not conduct economic spying in cyberspace to benefit its own companies.
“China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks,” Xi said during the state visit.
The Obama administration said it would continue to monitor China’s cyber-activities closely and press China to abide by all of its commitments. “We have been clear with the Chinese government that we are watching to ensure their words are matched by actions,” said a senior administration official, who, like others, discussed the issue on the condition of anonymity because of its sensitivity.
Most officials say it is still too early to tell whether China is making a true long-term shift or whether the changes are tactical.
“A lot of these things just take time, more time than I think people realize,” one U.S. official said.
Both the National Security Agency and the FBI track Chinese cyber-activity, although neither organization has a comprehensive view. The NSA primarily collects data on the threat overseas, and the FBI gathers information through investigations in the United States.
“For a period of time following the indictments, there was a very significant decrease” by the PLA, said a second U.S. official. “And today we are definitely not at the level that we were before the indictments.”
The first shot across the bow came not from the U.S. government, but with the February 2013 release of a report by Mandiant, a cyberthreat intelligence firm. That report described in detail how hackers with the Shanghai-based Unit 61398, part of the PLA, conducted a wide-ranging industrial espionage campaign and described its targets, methods and personnel.
Coinciding with the report’s publication, the Department of Homeland Security released to U.S. companies a series of Internet protocol addresses associated with the PLA hacking unit and other Chinese groups. The idea was to help firms block malicious activity emanating from China, denying hackers access to company systems.
The Unit 61398 hackers stopped their activity for a while, but other parts of the military continued their operations, and the Shanghai group eventually resumed using other tools, said an intelligence analyst at FireEye, which now owns Mandiant.
Nonetheless, the report freed the administration to speak more openly about the Chinese cyber-campaign, as officials could point to the document to buttress their assertions. Obama repeatedly raised the issue with Xi — in Sunnylands, Calif., in June 2013; in St. Petersburg, Russia, in September of that year; and again in The Hague in March 2014.
Then in May 2014, the Justice Department, following a months-long FBI investigation, announced the indictments of five PLA officers on economic espionage charges. One of the accused was a hacker profiled in the Mandiant report — a moon-faced, bespectacled officer named Wang Dong, also known by the online moniker Ugly Gorilla.
“The indictments had an amazing effect in China, more than we could have hoped for,” said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. “The Chinese hated them. They complained about them every time there was a meeting. They said there couldn’t be any progress [in cyber-talks, which the Chinese pulled out of] until the indictments were withdrawn and we promised not to do them again.”
In the following months, the Chinese military quietly began dismantling its economic espionage apparatus, officials said. PLA leaders, with Xi’s approval, reviewed the military’s cyber-activities. They cracked down on moonlighters within the PLA who were hacking on the side to sell information to companies, and they attempted to halt collection of data that was not central to the national security mission.
What the change in PLA activity shows is that “China is not this implacable, immovable object,” said Rob Knake, a senior fellow at the Council on Foreign Relations and a former White House cyber-official. “We can in fact alter the behavior of at least portions of the Chinese government.”
In April, Obama signed an executive order establishing the power to impose economic sanctions on individuals and entities that take part in or benefit from illicit cyber-activities such as commercial espionage.
“If the indictments had the effect of getting the PLA to scale down, then sanctions likely will have a wider effect on other Chinese state-sponsored groups,” Knake said.
Prime among the other government hacking organizations is the Ministry of State Security. The MSS, which also employs elite contractors as hackers, is more skilled than the PLA and better able to hide telltale digital trails, analysts say. It is particularly suited to carry out economic espionage, some say, because it has direct channels to state-owned enterprises.
But it also conducts what might be considered more traditional spying. In fact, some officials and analysts say it is likely that the MSS or contractors working for it were behind intrusions into the Office of Personnel Management last year that compromised the data of 22 million current and former federal employees and their families and friends. Cyberthreat intelligence firms such as ThreatConnect also have documented links between the MSS and the breach into health-care giant Anthem, in which the techniques bore strong similarities to the OPM hacks.
“From what we see, the majority of the intrusions today are coming from sets that we believe are MSS or MSS contractors versus the PLA,” said Dmitri Alperovitch, co-founder of CrowdStrike, another cybersecurity firm. “That’s a shift that’s been happening roughly in the last year and a half.”