In unsealing charges Tuesday against 10 Chinese nationals, the Department of Justice showed its focus is on China’s civilian intelligence agency, which analysts say has become Beijing’s preferred arm for conducting economic espionage.
The agency, the Ministry of State Security, is more professional and technical in its hacking operations than China’s People Liberation Army, according to CrowdStrike co-founder Dmitri Alperovitch.
“We have seen [the MSS], over the years, break into [corporate] organizations,” Alperovitch said Tuesday at an event hosted by The New York Times. “They were always better technically than the PLA.”
After a landmark 2015 agreement between the United States and China not to conduct “cyber-enabled” intellectual property theft, Chinese activity in that vein tapered off for about a year, according to Alperovitch. Now, he said, it is back in full force. “[W]e’re seeing, on a weekly basis, intrusions into U.S. and other Western companies from Chinese actors,” with the MSS responsible for much of that activity, he added.
The surge in cyber-espionage followed a reorganization of the Chinese government’s resources. In December 2015, the PLA established an integrated space, cyber and electronic warfare unit called the Strategic Support Force. After that, according to analysts, the MSS began taking a more robust role in targeting IP at foreign companies. (Beijing has denied allegations that it engages in state-sponsored IP theft.)
As the Strategic Support Force got off the ground, “industrial espionage appeared to shift out of the PLA over to the MSS,” said Adam Segal, director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program.
“This made sense, because the PLA was supposed to focus on use of cyber in actual warfighting,” Segal told CyberScoop, “and the MSS’s tradecraft was more skilled, and they picked a set of targets — IT services, cloud providers — that would provide visibility into a large number of targets.”
Hired guns leave digital trail
The indictment unsealed Tuesday alleges a persistent campaign by Chinese intelligence officers and their recruits to steal aerospace technology from companies in the United States and France. The indictment covers activity from January 2010 to May 2015.
Two of the 10 people charged were said to be senior officials in MSS’s directorate for the province of Jiangsu, north of Shanghai. The officers — Zha Rong and Chai Meng — were allegedly overseeing recruited hackers rather than doing the network intrusions themselves. That is in keeping with MSS’s approach to hacking operations, said Priscilla Moriuchi, director of strategic threat development at Recorded Future.
For MSS, outsourcing did not mean the operation went undetected, and the hackers themselves left fingerprints in online forums.
Dave Liebenberg, senior threat analyst at Cisco Talos, said that digital trail went mostly dark around 2014. The exception was a hacker with the online alias mer4en7y, who was the most prolific of the bunch, Liebenberg said.
In early 2015, mer4en7y published “a discovered vulnerability in the Chinese app Peiwo,” Liebenberg said.
It is hard to say why the digital trail went cold, but as Liebenberg pointed out, it could have been that they got word they were being investigated or that they moved on to another project, ditching their old aliases.
“What surprised me the most about the cyber-activity I was able to observe was how mundane it was,” Liebenberg told CyberScoop. “Questions and comments about Kali Linux, Gh0st, SQL injection: none of these are particularly advanced topics. And many of these posts were occurring at the same time that those indicted were allegedly working at the behest of the MSS to engage in commercial espionage.”
Nonetheless, MSS’s operatives have honed their tradecraft in the years since, according to Moriuchi, and have used malware and techniques common to other threat groups to evade detection.
“We believe that the MSS operational model and targeting requirements have persisted to this day, but that the techniques and tools have evolved,” she said.
‘This is just the beginning’
The unsealing of the indictment Tuesday was the latest move in a multiyear effort spanning the Trump and Obama administrations to curtail Chinese economic cyber-espionage. The opening salvo came in May 2014, when the Department of Justice brought the first U.S. charges of nation-state cyber-espionage with the indictment of five PLA officers.
“We needed to change the cost calculus for those who would commit these acts,” recalled John Carlin, who announced the charges when he was DOJ’s assistant attorney general for national security.
With the 2015 agreement between then-President Barack Obama and Chinese President Xi Jinping apparently moot, DOJ is once again on the prosecutorial offensive. “We are going to see more to come,” Carlin told CyberScoop. “That this is part of a concentrated, all-tools effort” to curb cyber economic espionage, he added.
Carlin’s successor at DOJ, John Demers, hinted as much in announcing the indictments on Tuesday.
“This is just the beginning,” he said.