China’s military has reduced cyber espionage activity against the US since the latter’s indictment of five PLA operatives last year, although much of this work may now be carried out by a civilian government department, according to a new report.
Current and former US officials told the Washington Post that the hard line pursued by the Department of Justice for over a year now has forced a retreat by the People’s Liberation Army—the notorious Unit 61398, soldiers of which were indicted in May 2014.
“For a period of time following the indictments, there was a very significant decrease,” an unnamed official explained. “And today we are definitely not at the level that we were before the indictments.”
In October this year, China arrested several hackers on a shortlist drawn up by US intelligence agencies in a sign of greater co-operation between the two superpowers on the issue.
This aligned with internal PLA efforts to crack down on hacking experts who may have been working on the side for private companies, as well as to stop the collection of data that wasn’t central to its national security goals, the report claimed.
President Obama signed in April an executive order which will result in economic sanctions being imposed on any individuals or organizations found to be taking part in or benefiting from economic cyber espionage.
However, it is unclear whether China is willing to come good on a promise made by president Xi Jinping on a state visit in September that it will not engage in any economic cyber espionage designed to benefit its own companies.
The Ministry of State Security is said to be involved in traditional nation state hacking—pegged by some for the OPM attack—as well as economic cyber espionage, and crucially is apparently more skilled at hiding its tracks than the PLA.
These might be MSS employees or contractors, but the message is clear: the hardline stance taken by the US is only likely to drive Chinese cybercrime activity even deeper underground.
Jens Monrad is system engineer at FireEye. The firm owns Mendicant—the security company that first blew the lid on Unit 61398, also known as APT1.
He told Infosecurity that although the PLA group originally moved away from using the same infrastructure and tools following its landmark report, other Chinese APT groups have certainly been active since.
“It is difficult to answer with a simple ‘yes’ or ‘no’ that Chinese activity is ‘up’ or ‘down’ because no company or law enforcement organization has the full picture of activity around the internet to attribute cyber operations,” he explained.
“So while APT1 seemed to have moved away from using the infrastructure and tools we monitored, other APT groups that we suspect operate out of China have conducted other cyber operations.”
Monrad added that APT threats are not just a US issue, or indeed a problem confined to Chinese operatives.
“We have seen APT groups attacking companies and organizations in EMEA and also APT groups which are not coming out of China as well,” he said. “APT threat actors today come from many places and not only China, and we recently published reports on two groups we suspect are Russian based APT groups; APT28 and APT29."
It's perhaps noteworthy that the Washington Post story appeared just ahead of high-level talks in the capital on Tuesday thought to be focused on Xi's pledge to end cyber-spying for economic gain.
Photo © Kheng Guan Toh