May 5, 2022
Notes from the Pentagon

Report details massive Chinese IP theft

By Bill Gertz
Cybersecurity sleuths recently uncovered a massive Chinese government-linked hacking operation that is part of a broader theft of billions of dollars’ worth of intellectual property and other data from U.S. and foreign companies, some of it collected to support further cyber espionage.

The cybersecurity firm Cybereason disclosed details of the sophisticated Chinese hacking group it labeled “Winnti” in a report made public Wednesday.

“This group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft,” the report said.

Among the stolen information from victim companies — not identified in the report — were sensitive documents, blueprints, diagrams, formulas and manufacturing-related proprietary data. Research and development documents and source code also were taken.

“With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” the report said. “In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”

The value of the stolen data was not estimated in the report. However, a White House report made public in 2018 stated that Chinese cyber espionage overall cost U.S. companies between $180 billion and $540 billion annually.

“Suffice it to say that losing gigabytes of sensitive and proprietary intellectual property is a massive hit to the bottom line and erases any competitive advantage in the marketplace,” the Cybereason report said, adding that the exact number of companies hit by the Chinese in the hacking operation is difficult to estimate because of the hackers’ ability to evade detection.

“Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests,” the report said.

The report identifies details on how the Chinese hackers gained initial access to the computer networks through security flaws in business management software. The hackers then installed malicious software that allowed them to operate secretly within the networks and ultimately to download large amounts of data.

The Winnti cyberattacks were apparently unique in using several phases to infect targeted computer networks and evade their cyberdefenses.

“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order,” the report said.

Lior Div, Cybereason’s chief executive, said the most alarming findings of the report deal with the sophisticated evasion techniques developed to operate undetected inside the hacked companies’ networks.

“The group operates like a guided missile and once it locks in on its target, it attacks and doesn’t stop until it steals a company’s crown jewels,” he told Inside the Ring.

In addition to the proprietary data, the hundreds of gigabytes of stolen data included information on business units, customer and partner data, employee emails and other personal information that could be used in later blackmail or extortion schemes.

Disclosure of the Chinese intellectual property theft follows a report by the Office of the U.S. Trade Representative last month that said Beijing is “doubling down” on theft of U.S. intellectual property. China’s government has denied engaging in illicit cyber activities.

Results of the Cybereason probe, code-named Operation Cuckoo Bees, were briefed to the Justice Department and FBI.

The Winnti group in the past has been identified by the FBI as APT (Advanced Persistent Threat) 41. Five members of the hacking group were indicted in 2019 by a federal grand jury in Washington for breaking into over 100 protected computers and other charges.

Prosecutors said one of the hackers boasted of having links to China’s Ministry of State Security, the civilian political police and intelligence service. In July, federal prosecutors in San Diego charged four Chinese nationals with conducting illegal computer intrusions for the MSS through a front company.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from health care and biomedical research to aviation and defense, remind us that no country or industry is safe,” Deputy Attorney General Lisa O. Monaco said in July.

China preps for sanctions or war
Intelligence agencies are closely watching the Chinese government and military for signs Beijing could be preparing for an attack on rival Taiwan.

Among the intelligence indications and warning signs are reports that an emergency government meeting was held April 22 to discuss ways to protect the country from Western sanctions. Officials from China’s central bank, the finance ministry and some international lenders attended the meeting.

The meeting is a key sign that China is considering an attack on Taiwan, the island democracy that Beijing considers its sovereign territory and has vowed to reunite with the mainland, using force if necessary.

But some see the emergency meeting as a sign that the government is preparing to openly support Russia in response to large-scale economic and financial sanctions imposed on Moscow by the U.S. and its allies following the invasion of Ukraine. The Biden administration has said publicly that China would face economic sanctions if it aids Moscow.

U.S. officials said so far there are no indications Beijing is short-circuiting the sanctions, Reuters reported.

The Financial Times, however, reported Wednesday that some Chinese companies are stepping up purchases of Russian oil, even as state-owned enterprises shy away from oil purchases, concerned that they could be hit with sanctions.

China has an estimated $3.2 trillion in foreign currency reserves that could be frozen through Western financial sanctions. Russia had an estimated $630 billion in assets frozen by sanctions since the Feb. 24 invasion of Ukraine. Britain’s Daily Mail newspaper reported that the foreign bank HSBC and other international lenders were invited to the April meeting.

The U.S. is said to be considering economic sanctions against China as part of its response to a possible move against Taipei. Analysts have said Chinese President Xi Jinping is committed to using all means to take over Taiwan, but Beijing officials are also said to be closely watching how Russian President Vladimir Putin fares in his clash with the West over Ukraine.

“This emergency meeting to find ways to protect itself from Western sanctions is the first ‘Learn from Putin in Ukraine’ item to surface above the water line, but we can be assured that others are in play below,” said Bill Triplett, a China expert who was former chief counsel to the Senate Foreign Relations Committee. “Certainly Beijing is reviewing its plans for an air and sea blockade and a cyber blockade to keep [Taiwanese] President Tsai Ing-wen off the world’s TV networks” as part of its response.

China’s People’s Liberation Army in recent months has engaged in repeated military demonstrations against Taiwan, sending large waves of warplanes into Taiwan’s air defense zone. On Wednesday, the PLA dispatched Su-30 and J-11 jets and a Y-8 anti-submarine aircraft into the southern air defense zone off the coast of Taiwan, the Taiwanese defense ministry said on Twitter.

British minister: NATO should protect Taiwan
Chinese military calculations regarding a future military invasion of Taiwan became more complex last month after Britain’s foreign minister said the transatlantic NATO alliance should be ready to aid Taiwan’s defense. “I mean that NATO must have a global outlook, ready to tackle global threats,” British Foreign Minister Liz Truss said in an April 27 speech in London. “We need to pre-empt threats in the Indo-Pacific, working with allies like Japan and Australia to ensure that the Pacific is protected. We must ensure that democracies like Taiwan are able to defend themselves.”

British support for Taiwan follows public commitments of support from the governments of Japan and Australia, which both said recently they would join a U.S. military defense of Taiwan.

Under the 1972 Taiwan Relations Act, the United States is committed to providing Taiwan with defense arms but the act stops short of requiring an ironclad commitment to defend Taiwan from a military attack.

The British minister’s call for helping defend Taiwan also followed comments by NATO Secretary-General Jens Stoltenberg that the alliance needs to do more to counter threats from China, even if there are no NATO members in the region.

“Taiwan is not a NATO member, they will never become a NATO member. NATO is an alliance for Europe and North America,” Mr. Stoltenberg said in October. “But of course, we see a China which is behaving in a more coarse way against the neighbors. … So all this matters for NATO.”

  • Contact Bill Gertz on Twitter via @BillGertz.