An elite Chinese hacking group with ties to operatives indicted by a US grand jury in 2020 has surged its activity this year, targeting sensitive data held by companies and government agencies in the US and dozens of other countries, according to an expert at consulting giant PricewaterhouseCoopers.
The findings highlight the biggest cyber-espionage challenge facing the Biden administration: combating a Chinese hacking program that the FBI has called more prolific than that of all other governments in the world combined.
The Justice Department has aggressively sought to expose the alleged data-stealing campaigns through indictments, and made the case that Chinese hackers have robbed American companies of intellectual property, causing huge losses. But China-based hackers have often developed new tools or otherwise altered their operations, according to analysts.
One of the Chinese groups tracked by PwC has targeted dozens of US organizations in the last year, including government agencies and software or tech firms, said Kris McConkey, who leads PwC’s global cyber threat intelligence practice. The intruders often comb networks for data that could offer insights into foreign or trade policy, he said, but also dabble in cryptocurrency schemes for personal profit. He declined to detail what types of US government agencies, whether at the federal, state or local level, were targeted.
“They are, by far, the most active and globally impactful [hacking group] that we track at the minute,” McConkey, who closely follows China-based hackers, told CNN. He believes the attackers have been successful in breaching at least some organizations because they operate on a vast scale, targeting organizations in at least 35 countries this year alone.
McConkey traced part of the activity to an ostensibly legitimate cybersecurity company based in the Chinese city of Chengdu, but he stopped short of publicly connecting the hacking to the Chinese government. US officials have for years accused China of using front companies to conduct hacking that feeds the government’s sprawling intelligence collection efforts.
China has repeatedly denied allegations of hacking and Beijing has in recent months stepped up its own accusations that Washington has conducted cyber operations against Chinese assets.
Cybersecurity issues have been a repeated source of friction between the world’s two biggest economies; President Joe Biden raised the subject on a call with Chinese President Xi Jinping last year.
McConkey was one of multiple private cyber specialists who exposed the operations, and sometimes the alleged locations, of hackers from China, Iran and elsewhere at a recent conference called LABScon, hosted by US security firm SentinelOne, in Scottsdale, Arizona.
Adam Kozy, who tracked Chinese hackers at the FBI from 2011 to 2013, showed the audience a photo of a People’s Liberation Army building in the city of Fuzhou that allegedly houses officers who conduct information operations against Chinese adversaries. That unit has targeted Taiwan, Kozy said, and “is the main area for China’s disinformation operations.”
In their investigations of foreign hackers, the FBI and Justice Department prosecutors have drawn on those types of revelations from private researchers.
At least one FBI agent and officials from the National Security Agency and the US Cybersecurity and Infrastructure Security Agency attended the conference, a reminder of how reliant government officials are on data held by tech firms to pursue spies and cybercriminals. Sometimes that work happens not in a classified facility but in the halls of a luxury hotel.
Morgan Adamski, a senior NSA official, told conference attendees that the coronavirus pandemic changed how her agency worked with private firms to guard sensitive data targeted by hackers.
“The pandemic actually helped because it no longer revolved around big government meetings in a room, in a SCIF [Sensitive Compartmentalized Information Facility], where you couldn’t use any of the information,” said Adamski, who heads the NSA’s Cybersecurity Collaboration Center, which works with defense contractors to blunt the impact of foreign hacking.
After US defense contractors began working from home during the pandemic, she said, Chinese government hackers exploited the virtual private networking (VPN) software the contractors were using. One hacked contractor, which she didn’t name, shared data with federal agencies so they could build a clearer picture of what was going on.
Asked by CNN whether the NSA and other federal agencies responding to the hacks were able to evict the Chinese hackers, Adamski said it’s an iterative process.
“When you talk about nation-state actors, you kick them out, but they’re going to come back,” Adamski said, “especially if you’re a defense industrial base company that is producing critical military intelligence for the Department of Defense.”