It may seem to some that China and America are experiencing a rapprochement of sorts in the cyber realm. Compared to previous years, today there are markedly fewer headlines about breaches of American public and private institutions at the hands of Chinese hackers. Overall, fewer indictments are being brought against members of the People’s Liberation Army (PLA), and the level of political and economic sanctions being prepared against Chinese organisations and individuals has fallen since 2014/2015.
Some may attribute this to an agreement signed by former US president Barack Obama and Chinese leader Xi Jinping on 25 September 2015. The two leaders agreed that they would not “conduct or knowingly support cyber-enabled theft of intellectual property” against each other. Importantly, the agreement made no reference to personal data, which, given China’s implication in the 2014/2015 OPM breach, seems to represent an unspoken understanding. Indeed, not only was the agreement limited in scope, there are other factors that are likely to have contributed more to the apparent warming of cyber relations between the two countries.
The Xi factor
The primary factor, many analysts have suggested, is Xi Jinping’s stance on China’s military and the administrative structure of China’s cyber operations. Security firms tracking Chinese cyber operations commented on a sharp drop in activity around mid-2014, months before this agreement was signed. This coincided with Xi’s major reform of the PLA, which began the process of centralising the country’s cyber capabilities. This process has culminated in the establishment of the Strategic Support Force (SSF). This ambiguously named cyber command centre is now believed to house the most advanced elements of China’s hacking groups, including operators from PLA unit 61398, otherwise known as APT1.
The SSF was formed to streamline China’s strategy in cyberspace. It was also a move by Xi to crack down on government and military institutions using state resources for their own agenda, and to integrate cyber operations with military activity. It was likely difficult for Beijing to control and direct the multitude of hacking teams operating out of China including in military, intelligence and civilian circles.
Another contributing factor to China’s consolidation of its cyber activities is the investigation and reportage on its espionage activities by several high-profile vendors. The activities of PLA unit 61398 (APT1), and numerous other groups have been thrust into the public spotlight – something that will have concerned the state. Furthermore, in unmasking Chinese cyber espionage activities, the United States has indicted several members of the PLA believed to be core participants in cyber operations against American businesses, as well as imposing sanctions on those who are linked to other operations. All this created unwanted attention for the Chinese, and is highly likely to have prompted Xi to place this centralised control on hacking groups.
Given these factors, any apparent rapprochement between the US and China seems more like an uneasy (and temporary) truce than a warming of relations. In fact, it could easily be argued that it never really happened at all.
There are numerous examples of American critical national infrastructure and private intellectual property being targeted in the years since the 2015 agreement. Almost immediately following the 2015 agreement, American officials reported detection of malware with Chinese attributes in power grids, mobile networks and other civilian targets. More recently, a major operation conducted by a Chinese hacking group known as Stone Panda (APT10) was reported in April 2017. This operation was dubbed Operation Cloud Hopper, a title alluding to the fact that the hackers were using IT service providers to ‘hop’ into the networks of the clients those providers had contracts with. It is known that at least one major US IT service provider (the report does not mention any specific victim organisations) was compromised in 2017, which likely meant that the hackers gained access to several large US corporations that were outsourcing their IT.
It was also reported that there were other sophisticated Chinese hacking groups acting under the guise of private organisations. In May 2017, it was reported that a Chinese ‘intelligence contractor’ working for the government was supporting the activities of the group known as Gothic Panda (APT3). For example, shareholders in the company were purchasing and registering domains that became part of the malicious infrastructure used by Gothic Panda to conduct their attacks. The attackers were targeting intellectual property and political targets primarily in the US and Hong Kong.
The Trump factor
The presidency of Donald Trump may damage the already flawed cyber cooperation between the US and China. One of the bedrocks of Sino-American relations has, for several years, been the adherence by the United States to the ‘One-China’ policy. Although Trump has backtracked on his opposition to this policy, his brazen approach to foreign and domestic policy will instil a large degree of scepticism amongst the Chinese, and will make them less likely to honour the agreements made under Barack Obama. There has already been evidence of Chinese espionage during a summit involving Trump and Xi in April 2017.
Those who thought that the agreement signed in 2015 was a watershed moment were perhaps a little optimistic. The consolidation of Chinese cyber strategy will likely mean fewer breaches on the scale witnessed in previous years, but attacks on commercial, military and government targets in the US and elsewhere will not cease. Cyber operations are now a core part of Chinese military strategy and intelligence gathering.
Attacks will continue but perhaps with a more targeted approach, utilising numerous tactics and techniques to remain hidden, and with greater direction and control from the top.