{"id":1262,"date":"2017-10-08T12:31:21","date_gmt":"2017-10-08T12:31:21","guid":{"rendered":"http:\/\/54.201.249.27\/?p=1262"},"modified":"2017-10-08T12:31:21","modified_gmt":"2017-10-08T12:31:21","slug":"chinese-cyberthreat-evolved","status":"publish","type":"post","link":"https:\/\/blackopspartners.com\/chinese-cyberthreat-evolved\/","title":{"rendered":"How the Chinese Cyberthreat Has Evolved"},"content":{"rendered":"

How the Chinese Cyberthreat Has Evolved.

With more than half of its 1.4 billion people online, the world’s most populous country is home to a slew of cyberspies and hackers. Indeed, China has likely stolen more secrets from businesses and governments than any other country.

Covert espionage is the main Chinese cyberthreat to the U.S. While disruptive cyberattacks occasionally come from China, those that cause overt damage, like destroying data or causing power outages, are more common from the other top state threats, namely Russia, Iran and North Korea.

But Chinese cyberaggression toward the U.S. has been evolving. Before their espionage became a serious threat, Chinese hackers were conducting disruptive cyberattacks against the U.S. and other countries.

HACKERS UNITE

Chinese hackers were among the first to come together in defense of their country. Their first operation against the U.S. occurred in 1999 during the Kosovo conflict, when the U.S. inadvertently bombed the Chinese embassy in Belgrade, killing three Chinese reporters. The patriotic hackers planted messages denouncing “NATO’s brutal action” on several U.S. government websites.

Chinese hackers struck the U.S. again in 2001 after a Chinese fighter plane collided with a U.S. reconnaissance aircraft. The midair collision killed the Chinese pilot and led to the forced landing and detention of the American crew. Both Chinese and American hackers responded with disruptive cyberattacks, with the Chinese hackers defacing thousands of U.S.-based websites, including the White House site.

What is especially important about this incident, though, is what happened next. The People’s Daily, China’s Communist Party newspaper, issued an editorial decrying the attack against the White House. The paper called it, and the other attacks, “web terrorism” and “unforgivable acts violating the law.” On the anniversary of the incident in 2002, the government asked Chinese hackers to forgo further attacks against U.S.-based sites. They complied.

That was the last big cyberattack from Chinese patriotic hackers against the U.S. While Russia seems to condone, if not outright encourage or even sponsor, its patriotic hackers, China has taken a stance against that sort of activity, at least with respect to U.S.-based sites.


TARGETS AT HOME

In addition to reining in its patriotic hackers, China appears to have refrained from conducting cyberattacks that cause overt damage to critical infrastructure in other countries, like the Russians did to Ukraine’s power grid. However, it has used disruptive cyberattacks to help enforce censorship policies within its own borders.

The Chinese government’s “Great Firewall” keeps internet users in China from accessing censored foreign sites such as those that advocate Tibetan autonomy. Users’ traffic is filtered based on domain names, internet addresses and keywords in web addresses.

Chinese hackers have also used denial-of-service attacks to temporarily take out sites whose activity the government wants to block. These attacks overwhelm target servers with large amounts of activity, preventing others from using the sites and often knocking the servers offline.

Back in 1999, the government launched DoS attacks against foreign websites associated with Falun Gong, a spiritual movement banned in China. Then in 2011, a Chinese military TV program showed software tools being used in possible cyberattacks against Falun Gong sites in the U.S. The tools were developed by the Electrical Engineering University of China’s armed forces, the People’s Liberation Army.

More recently, in 2015, U.S. and other foreign users visiting sites running analytics software from the Chinese search engine provider Baidu unwittingly picked up malware. The malicious code was injected into traffic going back to the users by a device collocated with the Great Firewall. The malware then launched DDoS attacks against GreatFire.org, a site that helps Chinese users evade censorship, and the Chinese language edition of The New York Times.


ESPIONAGE AT THE FOREFRONT

By 2003, China’s interest in cyberespionage was apparent: A series of cyberintrusions that U.S. investigators code-named “Titan Rain” was traced back to computers in southern China. The hackers, believed by some to be from the Chinese army, had invaded and stolen sensitive data from computers belonging to the U.S. Department of Defense, defense contractors and other government agencies.

Titan Rain was followed by a rash of espionage incidents that originated in China and were given code names like “Byzantine Hades,” “GhostNet” and “Aurora.” The thieves were after a wide range of data.

They stole intellectual property, including Google’s source code and designs for weapons systems. They took government secrets, including user names and passwords. And they compromised data associated with Chinese human rights activists, including their email messages. Typically, the intrusions started with spear-phishing.

In 2013, the American cyberintelligence firm Mandiant, now part of FireEye, issued a landmark report on a Chinese espionage group it named “Advanced Persistent Threat 1.” According to the report, APT1 had stolen hundreds of terabytes of data from at least 141 organizations since 2006.

The Mandiant report gave details of the operations and provided evidence linking those thefts to Unit 61398 of the People’s Liberation Army – and named five officers of the unit. This was the first time any security firm had publicly disclosed data tying a cyberoperation against the U.S. to a foreign government. In 2014, the U.S. indicted the five Chinese officers for computer hacking and economic espionage.

Mandiant described APT1 as “one of more than 20 APT groups with origins in China.” Many of these are believed to be associated with the government. A report from the nonprofit Institute for Critical Infrastructure Technology describes 15 state-sponsored advanced persistent threat groups, including APT1 and two others associated with PLA units. The report does not identify sponsors for the remaining groups.

THE FIVE-YEAR PLAN

According to the institute, China’s espionage supports the country’s 13th Five-Year Plan (covering the years 2016 to 2020), which calls for technology innovations and socioeconomic reforms. The goal is “innovative, coordinated, green, open and inclusive growth.” The ICIT report said most of the technology needed to realize the plan will likely be acquired by stealing trade secrets from companies in other countries.

In its 2015 Global Threat Report, the American cyberintelligence firm CrowdStrike identified dozens of Chinese adversaries targeting business sectors that are key to the Five-Year Plan. It found 28 groups going after defense and law enforcement systems alone. Other sectors victimized worldwide included energy, transportation, government, technology, health care, finance, telecommunications, media, manufacturing and agriculture.

China’s theft of military and trade secrets has been so rampant that editorial cartoonists Jeff Parker and Dave Granlund depicted it as “Chinese takeout.”

US-CHINA AGREEMENT

In September 2015, President Obama met with China’s President Xi Jinping to address a range of issues affecting the two countries. With respect to economic espionage, they agreed that their governments would not conduct or knowingly support cyber-enabled theft of business secrets that would provide competitive advantage to their commercial sectors. They did not agree to restrict government espionage, a practice that countries generally consider to be fair game.

In June 2016, FireEye reported that since 2014 there had been a dramatic drop in cyberespionage from 72 suspected China-based groups. FireEye attributed the reduction to several “factors including President Xi’s military and political initiatives, the widespread exposure of Chinese cyberoperations, and mounting pressure from the U.S. Government.” The ICIT believes China may also be asserting greater control over its operatives and focusing on unspecified high-priority targets.

The U.S.-China agreement also calls for the two countries to cooperate in fighting cybercrime. Just weeks after the deal was signed, China announced it had arrested hackers connected with the 2015 intrusions into the Office of Personnel Management’s database. Those had exposed highly sensitive personal and financial data of about 22 million federal employees seeking security clearances. The Washington Post observed that the arrests could “mark the first measure of accountability for what has been characterized as one of the most devastating breaches of U.S. government data in history.”

The cyberthreat to the U.S. from China is mostly one of espionage, and even that threat seems to be declining. Nevertheless, companies need to be wary of losing their data, not just to China, but to any country or group seeking to profit from U.S. trade secrets and other sensitive data. That calls for staying ahead of the cybersecurity curve.


Read more at Scientific American.","protected":false},"excerpt":{"rendered":"

The world’s most populous country is home to a slew of cyberspies and hackers who have likely stolen more secrets from businesses and governments than any other country","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[8,10],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1262"}],"collection":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/comments?post=1262"}],"version-history":[{"count":0,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/posts\/1262\/revisions"}],"wp:attachment":[{"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/media?parent=1262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/categories?post=1262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackopspartners.com\/wp-json\/wp\/v2\/tags?post=1262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}