Despite an agreement by President Obama and President Xi Jinping of China that neither country would condone cyberattacks against companies in the other country, the computer systems of at least seven U.S. companies have been subject to “intrusions from actors … affiliated with the Chinese government” in the nearly four weeks since the agreement was announced, according to a cybersecurity technology company claiming to have successfully intercepted the attacks.
“The main interest in the story is not that the Chinese are stealing trade secrets – they’ve been doing that for a decade – it’s that they’ve continued to do it even after making a pledge in the Rose Garden with President Obama on September 25,” Dmitri Alperovitch, the co-founder and chief technology officer of Irvine, Calif.-based CrowdStrike, told CFO.
In an October 19 blog on the company’s website, Alperovitch reported that over the previous three weeks, its cloud-based Falcon software product “detected and prevented” seven attacks leveled at its commercial customers’ systems by hackers linked to the Chinese government.
Five of the seven companies were in the technology sector, while two were in pharmaceuticals, the CTO said in the interview on Wednesday. In the period since the U.S.-China agreement, “We have picked up intrusions into those companies from actors we had previously tracked and attributed to China,” he said, noting that the firm prevented them from stealing information.
Judging by the profile of the hackers the firm has assembled, Alperovitch says “it seems highly likely that the information that they’re going after would be intellectual property, would be trade secrets.”
CrowdStrike isn’t “able to say for certain whether [the hackers] are employees or contractors, but they do their bidding on behalf of the Chinese government,” he added.
The same group of attackers has targeted dissident groups in Hong Kong “and other regions that the Chinese are concerned are threats to their regime,” according to Alperovitch. “We’ve also seen them go after very sensitive national security interests or facilitate collection of intelligence that’s of very serious national security concern to the Chinese government.”
This week’s blog, however, focuses only on the attacks on commercial businesses specified in the U.S.-China agreement. “The primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the cyber agreement does not prohibit,” he wrote.
The first attack happened on September 26, the day after the two presidents announced the agreement, according to the post.
As part of the deal, which sought cooperation between the two countries on many other issues, China and the United States agreed “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
Yet the “intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures,” according to the blog.
Alperovitch adds that the firm has an intelligence team that uses various means to establish that the hackers come from groups affiliated with the Chinese government and that their target is corporate trade secrets. “We look at the tradecraft that is being used by those actors [and] the data they’re going after,” he says.
In the current cases, one of the major groups involved has been Deep Panda, a cyber espionage gang linked to the attacks on health insurers Anthem and Premera, according to the CTO, who noted that CrowdStrike has been tracking the hackers since the firm was founded in 2011.
Besides targeting government entities and think tanks considered security threats to China, Deep Panda has been zeroing in on a wide range of industries, including the technology, agriculture, chemical, and pharmaceutical sectors, according to Alperovitch.
Although how, or whether, Deep Panda actually hands off the trade secrets of U.S. companies to Chinese competitors is unknown, Alperovitch asserts that “there’s no question that the Chinese companies are benefiting from that theft.”
The Chinese government may not, in fact, be controlling the operation “from the top down,” he speculated. “Some of these individuals may be moonlighting and working directly with industry, without necessarily their [government] managers knowing about it.”
Nevertheless, even an arrangement like that would still be covered by the U.S.-China pact, “in that the Chinese have said that they will not only be not engaged in but not condone, encourage, or support this activity,” he said.
In his blog, Alperovitch asks if the proof his firm has unearthed concerning ongoing commercial attacks from China means that the cyber agreement has failed. “That depends on what is done about it and how long the current situation persists,” he writes.
“The fact that there is some time delay between agreement and execution is not entirely unexpected. But, we need to know the parameters for success, and whether the parties to the agreement discussed a timeframe for implementation or, instead, expected it to be immediate,” he adds.