Security Experts:

Chinese Spying Drops in Volume, Becomes More Focused

Chinese cyberspies continue to target organizations in the United States and other countries, but their activities have dropped in volume and have become more focused and calculated, according to a new report from FireEye.

The security firm has observed the activities of 72 China-linked groups since early 2013. These threat actors are believed to be responsible for a total of 262 successful attacks, including 182 incidents affecting U.S. entities. Their attacks were also aimed at 25 other countries in Europe, Asia, South America, Africa and the Middle East.

FireEye started seeing a drop in successful attacks in mid-2014, a trend attributed by researchers to several factors. The United States government started taking action against cyber espionage – the Department of Justice indicted PLA officers, President Barack Obama signed an executive order authorizing sanctions against individuals and entities, and some reported that the government had been preparing economic sanctions against China. In September 2015, President Obama and his Chinese counterpart, President Xi Jinping, agreed not to conduct cyber espionage for economic gain.

In the period leading up to the meeting between Xi and Obama, FireEye observed an even more significant drop in activity and the volume of attacks continued to remain at low levels until now.

While China’s cyberspying might have decreased in volume, attacks are still being launched – although they have apparently become more focused and calculated. Between September 2015 and June 2016, the security firm spotted 13 active China-based groups conducting attacks against corporations in the United States, Europe and Japan.

The list of U.S. targets included aerospace, software, high-tech, healthcare, and government services companies. In Europe, attackers targeted logistics and consulting companies. The most recent attacks conducted by three of the 13 groups were aimed at four companies involved in the manufacturing of semiconductors in the U.S., Europe and Asia.

Other groups operating from China have been seen targeting organizations in Russia, Mongolia, South Korea, Taiwan, Hong Kong and Vietnam.

In addition to the actions taken by the United States, FireEye believes the drop in activity can also be attributed to President Xi’s political and military initiatives, and the widespread exposure of Chinese cyber operations by the infosec community.

“We have not seen evidence of a coordinated shift in the behavior of recently active China-based groups—tactical changes appear to be specific to each group’s mission and resources, and in response to public exposure of its cyber operations,” FireEye said in its report.

Russian security firm Kaspersky Lab has confirmed that Chinese-speaking threat actors continue to launch attacks.

“From our more global perspective, activity that has been associated with Chinese speaking groups continues. In many cases, we have seen Chinese speaking groups increase their activity in other parts of the world, including Russia,” Kurt Baumgartner, principal security researcher at Kaspersky, told SecurityWeek. “Over the past year, APTs subjected to significant public exposure only slightly changed their toolset and continued on with their activity.”

Symantec said it had observed an immediate decrease in tactics, techniques and procedures (TTPs) against the United States after the Xi-Obama agreement.

“However, we still continue to see a small amount of activity continuing after September 2015. This small trickle of continuing activity could be explained by the time needed for attackers to cease operations in relation to the US-China cyber agreement in September 2015,” the company told SecurityWeek.

“Some operations just can’t be wound down overnight. Alternatively, what we are seeing could just be part of the normal ebb and flow of attacks. However, since the start of 2016, we have been in a distinct trough of activity,” Symantec added. “It should be noted as well that we continue to see TTP data associated with China involved in general cybercrime activity.”

Related: Chinese Attackers Conduct Cyberespionage for Economic Gain

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.