Accused Chinese hackers abandon techniques after U.S. indictments

Written by

U.S. indictments against individual Chinese soldiers accused of hacking various American targets have deterred those military personnel from conducting the same kinds of hacks again, according to the co-founder of a firm known for investigating nation-state activity.

Digital infrastructure associated with alleged hackers charged in 2014, 2017 and 2018 essentially evaporated when charges in each case were made public, said Dmitri Alperovitch, who co-founded CrowdStrike, during a keynote speech Wednesday during the RSA security conference in San Francisco. Each of the groups — known as APT 1, APT 3, or Buyosec, and APT 10, respectively — has been associated with Chinese intelligence services or the People’s Liberation Army.

“Everything associated with them disappeared,” Alperovitch said during a conversation with reporters after the presentation. He cautioned that, while other Chinese groups largely have remained active, the specific groups named in the indictments “vanished” in a way that was “remarkable.” Some of the alleged hackers may have been re-assigned to other units that had not been publicly identified, and thus continued launching attacks on Beijing’s behalf, Alperovitch suggested.

At the very minimum, he said, attackers had to “reset and re-tool.” Even that would differentiate Chinese hackers from their counterparts in Russia and Iran, who tend to “ignore the indictments and move on,” he said. Exactly why China changes its tactics, while other state-sponsored hackers continue without interruption, remains unclear.

Alperovitch co-founded CrowdStrike, an incident response firm and threat intelligence provider perhaps best known for investigating the 2016 breach at the Democratic National Committee. He also worked as CrowdStrike’s chief technology officer before announcing on Feb. 19 he’d left the company to start a nonprofit.

The presentation Wednesday came just weeks after the Justice Department announced charges against four members of the PLA for allegedly hacking Equifax in 2017. The so-called name-and-shame strategy dates back at least to the 2014 indictment against APT 1, the Chinese hacking crew that U.S. prosecutors say infiltrated U.S. Steel and Westinghouse Electric. By 2015, when the U.S. made public the names of the accused hackers behind the Sony breach, security experts questioned whether such a plan would have any effect.

Five years later, the Justice Department still makes its determinations on a case-by-case basis.

“The question of whether to unseal the indictment is basically a function of whether we believe there’s a chance that the defendant will travel to a place where we will be able to arrest and extradite him,” said John Demers, assistant attorney general for national security.

“If we think that may happen within a reasonable timeframe, then we’ll keep it under seal,” he said during an interview Monday. “In other cases, like Equifax, where we think it’s unlikely that the Chinese military officers are engaged in travel outside China the value of unsealing the indictment and telling people who stole the data outweighs the slim chance we might be able to catch them.”

In recent years, the PLA has not carried out attacks with the same high tempo as China’s Ministry of State Security, Alperovitch said of the intelligence service. The PLA established itself as an offensive force before former President Barack Obama and China’s Xi Jingping agreed in 2015 that neither nation would hack each other for commercial gain. While that agreement resulted in a period of quiet, China’s MSS ultimately emerged from the time of relative peace as a more active entity.

“I’ve always been wondering what happened to the PLA,” Alperovtich said, adding that the change also coincided with a re-organization inside the army in which members of the department of the general staff were moved into a new strategic support force.

“A lot of the old guard was kicked out of the PLA with the anti-corruption campaign that President Xi has initiated, so there was a lot of turmoil happening internally,” he added.

The four men named in the Equifax indictment are members of the 54th Research Institute, a new unit within the PLA, Alperovitch said, and likely not affiliated with the military’s old guard.

“It will be really interesting to watch what happens is this a standalone operation, or part of something bigger? Or will we see more and more military officers coming to the fore?” he asked. “It may be that their mission has been restructured towards more military-on-military confrontations and MSS has been the primary beneficiary of collecting intellectual property.”

The Chinese government consistently has denied carrying out any cyerattacks.