The cybersecurity peace deal struck last year between U.S. President Barack Obama and Chinese President Xi Jinping appears to be working to some extent, according to new research.
Over the last two years, most Chinese hackers have lessened the frequency of their cyberattacks aimed at U.S. targets — a decline that accelerated after the deal was announced last September — according to a report published late Thursday by Silicon Valley-based cybersecurity firm FireEye.
Researchers Will Glass and Mike Oppenheim, members of the company’s research intelligence team, told Cyberscoop that a select cohort of roughly 13 China-backed hacker groups is now responsible for the vast majority of the remaining malicious activity against U.S. companies and government agencies.
The decline in the volume of attacks began in mid-2014 and has continued since. It accelerated notably in the period shortly before and after the September deal was announced.
While the number of detected attacks and breaches has decreased, those attacks that continue seem aimed at economic espionage — which runs contrary to the Obama-Xi deal’s main plank.
Glass and Oppenheim said they recently ran tests on the networks of several semiconductor manufacturers and found evidence suggesting at least one of the 13 hacker groups had breached their systems. The goal of the hacking in this case, Oppenheim explained, was to steal valuable intellectual property, or IP. These attacks follow months of repeated promises by Chinese government officials that they are “cracking down” on commercial cyber espionage.
Attribution of cyberattacks is notoriously difficult. Hackers can hide their location, use unwitting victims as cutouts, and even employ malware that manipulates recorded data about the victim’s system, among other techniques. However, the two researchers are confident in the new report because of their long familiarity with the 13 government-backed hacker groups — some of which FireEye has monitored since 2005.
“We know these guys well, they’ve been on our radar before,” said Glass.
A spokeswoman for China’s Foreign Ministry said in a news briefing Monday, “We’ve expressed our principled position on many occasions … we oppose and crack down on commercial cyber-espionage activities in all forms.”
Glass, for his part, said he wasn’t surprised by the ongoing economic espionage because it follows a Chinese trend in which offensive cyber operations generally correlate with policy priorities, and China has made catching up with and overtaking its Western rivals one such priority. Nations that have been targeted by the Chinese hackers working for one of the 13 still-active groups include Japan, England and Germany, among others.
The newly released study gathers data from FireEye’s arsenal of deployed cybersecurity sensors and relies on intelligence from the company’s consulting practice, intelligence research division and Mandiant forensics team. Importantly, the report only covers non-automated hacking initiated by an “actual person behind the keyboard,” as Glass put it. And the majority of the studied network data comes from commercial entities, not government ones.
Representatives for the network security giant say that the tactics used by members of the hacker groups have not changed since the September agreement; the hacking tools, malware, infrastructure, behavioral patterns and other indicators are all the same. Instead, the general strategy appears to have shifted somewhat away from the U.S. and towards spying on political and military targets in other countries.
Over the last several years, FireEye, a publicly traded network security firm and one of the most prominent brands in the industry, has become known for its APT, or advanced persistent threat, intelligence reports. In 2013, an illuminating report from Mandiant revealed that a specific unit in China’s People’s Liberation Army was responsible for a massive economic espionage campaign against several U.S.-based companies, including U.S. Steel, Alcoa Inc and Westinghouse Electric. Mandiant was subsequently purchased by FireEye.