China’s Cyber Spying on the U.S. Has Drastically Changed
Last year United States President Barack Obama and Chinese President Xi Jinping entered into a dubious agreement during Xi’s first state visit: No more hacking one another’s businesses. Military and political espionage? Fair game. Industry? Hands off.
Hackers allegedly sponsored by China had been ransacking U.S. companies for economic advantage for years, as any computer forensics pro who has helped clean up one of these data breaches will tell you. The hackers’ goal: Intellectual property theft. With the recent truce, the heads of state agreed that their countries could break into one another’s computer networks for traditional state-on-state espionage, but no more hacking for profit.
For skeptics, here’s the shocker: The parties appear to be keeping their word—for the most part. Cybersecurity firm FireEye (FEYE) released a report earlier this week that found that the number of breaches by China-based groups on U.S. businesses has dropped off a cliff. The number of network compromises has not fallen to zero, but it has plummeted 90% in the past two years.
Fortune spoke to Laura Galante, director of threat intelligence at FireEye (FEYE), as well as Kevin Mandia, the company’s recently appointed CEO, about the report’s findings. (Mandia makes his appearance at question 12.) Among the topics discussed: How the threat of economic espionage has changed, what this means for U.S. businesses, and whether everyone may now breathe a sigh of relief. (Spoiler: The answer is no.)
Here’s what the two said, edited and condensed for clarity.
Fortune: This report seems to be a follow-up to Mandiant’s original report on Chinese economic cyberespionage from a few years ago. [Editor’s note: FireEye purchased Mandiant, Mandia’s computer forensics firm, for about $1 billion in 2014.] What does the new report find?
Laura Galante: We’ve tracked all of these groups for years before the APT1 report that you probably remember from back in 2013. Here we found the percentage of incidents and number of incidents we’ve seen over time from groups that are based in China, and how that’s changed. We came up with a pretty deep understanding of how we’ve seen President Xi undertake reforms in the military and also in the party since he came to power. We have some analysis around how he is probably centralizing and refocusing some of the cyber operations that China sponsored. We also think that widespread exposure from private sector disclosures was another impetus that really changed how Beijing was thinking about cyber operations. Finally the punitive measures—the indictments of several military officers back in 2014, and then the threat of sanctions right on the eve of President Xi coming over to the U.S.—these were all factors that, in the aggregate, have really changed the way we’ve seen intellectual property theft conducted from China-based groups.
Fortune: It seemed like the key line in the report was that the attacks are less voluminous, but more focused.
Galante: That’s what we’re seeing. When we do see compromises—and we have seen compromises since last year—we’re seeing the groups conduct a variety of different activity at different targets, not just in the U.S., but also in Japan and abroad in Europe. We’re seeing compromises of networks still. What we aren’t seeing is data theft at such a volume as before—back in 2013, even 2014. We’re seeing that they’ll go in and they’ll package up data, which is something that we typically see right before they would steal it, but we haven’t observed instances of data theft, per se, in 2015 and 2016.
Fortune: You’re still seeing intrusions and breaches, but not the actual exfiltration of data. Is that accurate?
Galante: That’s right. What that doesn’t necessarily mean is that it’s not happening. We’re not seeing the actual data theft in the recent examples that we’ve had here, but we’re still seeing the compromise. If you’re able to compromise the network, get in, move laterally to different parts of the network, and see the files that you want, that’s still a very effective way to get at the information you want without the level of risk and evidence left behind of actually transferring the data out of a network.
Fortune: So it’s a shift from smashing-and-grabbing to quietly and passively surveilling?
Galante: That’s a way to characterize what we’ve seen. And I think that fits too with what’s definitely a higher cost of doing business that has risen in the last three and a half years. The risk of exposure from security firms, from security researchers, which is happening left and right, and the measures that the U.S. government has taken, paint a very different picture of risk when groups are operating—whether they be sponsored by the government, by a military entity, by an intelligence agency, or simply by opportunistic entrepreneurial groups who are looking for a way into a network to find something valuable to sell. We think that the scene in China really runs the gamut in terms of different types of sponsorship.
Fortune: In the report you discuss how it’s hard to make out the difference between these groups. Do you have any speculation as to whom—which groups—might be the ones remaining? Is it a mix? Does it weight toward government, or toward the enterprising hacker? What is the breakdown here—is there any way to know?
Galante: It’s hard to give a percentage. We have examples where we’ve seen what we call patriotic hackers, people who are aligned with state interests, but not necessarily on the payroll. We’ve seen everything from the patriotic hacker to the cybercriminal to groups that act in a very regimented 9-to-5 way. We see their tools built on a schedule that parallels Chinese federal holidays. We’ve seen really disciplined groups that operate in a way that’s hard to not see that there has to be a ton of resourcing behind it, and probably a government entity. Another aspect that we’ve traced for years is how long we’ve seen groups operate. With some groups out of China, especially the ones that have been conducting the more traditional political espionage, we’ve seen those groups operate for over a decade with almost the same tools and infrastructure, too.
Fortune: Part of this deal between Obama and Xi was that China would stop its attacks on U.S. enterprises. Obviously there are still attacks going on, as your report says, but is there any way to know whether, in fact, the state sponsored attacks are down?
Galante: It’s hard to say. The network visibility that we have just shows us what’s compromised. What we don’t know is when data is taken. In our cases, we haven’t seen data theft. But when data has been taken in the past—to know that the data has been used and given to an entity, to an industry, or to a company in an industry that can then use it to put a product on the market—that would start to fulfill the definition of what they’re getting at with this economic espionage agreement. From our side we’re reluctant to say that this equates to economic espionage, because we simply see one part of a much longer chain of what would equate to economic espionage. What we can say is that we’re still seeing compromises into corporate networks.
Fortune: You mentioned that you’re not seeing the same levels of data theft now. Is that because it’s not happening, or because they’re eluding detection in some way? Or perhaps FireEye doesn’t have the visibility to see that?
Galante: I think it’s a couple factors. To set the premise though, it’s very rare that you see data theft happening. When we’re called in to do investigations, we’re frequently looking into network logs and into network activity that, on average, happened almost 200 days before. [Editor’s note: the average breach takes 201 days to detect, according to a recent IBM study.] When you’re investigating what happened previously, you have to consider, How well does the company keep logs? How do we go back and look at that activity and see what happened outside the network? There are a variety of factors that hamper understanding when the actual data was stolen, or if it was stolen. There are other cases where we’ve thwarted the detected compromise before the group could go any deeper into the network. So there are a couple of different wonky factors that keep the data theft from eluding our ability to have seen it when it happened.
Now one thing we’re seeing is these groups go in and hack data and look for specific items. With the semiconductor firms, we were seeing attackers get into the files that had the manufacturing data about semiconductors and the chemical components used in the production. They’re not just getting into a network, they’re able to get in and navigate to data that would be useful. So that says a little bit more about their intent. If you’re able to go in and locate a project that you need, that says a little bit more about what you’re interested in.
Fortune: Are there any cases that seem more grey in terms of what the hackers were going after?
Galante: The navigational projects were interesting. This is a grey area. GPS navigation is right in that area of not knowing if it’s for military or for civilian use. Traditionally, something for military use would fall into political espionage or military espionage, something that states have done since the beginning of time, versus something like the blueprints of a green energy or a coal cleaning plant, which we’ve seen before. When those are taken, that’s a situation where it’s pretty hard to see the military application of it. In the cases that we have here, in the cases that we’ve seen recently, we see semiconductors, we see high-tech corporations, we’ve seen an aerospace company, and a logistics company. These are all arguably targets and data that could fit either a military or a civilian use. So, tough to say whether that would trend more toward economic espionage versus political.
Fortune: Have you been sending this report around government quarters?
Galante: We frequently give a variety of government partners a heads up when we’re able to do that before a report goes live.
Fortune: What has been their reaction to this?
Galante: This tracks fairly well with the visibility that they’ve had as well.
Fortune: Last year a cybersecurity firm CrowdStrike issued a report saying there had been continued intrusions on U.S. companies after the China-U.S. deal. How does the FireEye report differ?
Galante: That report came out in early October. It was really a first sense that activity still continued. But there’s a ton of ways to look at activity. What we’re very careful to parse here is that we wanted to know when a corporate network has been entered remotely, not just when the malware or the commands to the malware in a network has been live, which was one of the main indications used in that report from October to say that activity continued. We wanted to see that a group actively went into a network, and that was the bar that we used when we made the chart that you see, and also the graph. [Editor’s note: See, for example, page 11 of the report.]
Fortune: So whereas CrowdStrike was asking—is there malware active on the network?—your report was asking, is there remote access happening?
Galante: Is there an actual compromise of a network, yes. There is always remote access happening—so, is there a remote compromise happening of a corporate network. I think we’re being more specific about how we want to define a piece of this, whereas CrowdStrike was looking just generally for any sort of beaconing or indication that infrastructure or malware were still living. We wanted to see something that reasonably made us conclude that an operator is still sitting there with fingers on keyboard, sending a command and entering networks.
Kevin Mandia: Robert, this is Kevin Mandia. I’ve actually been on the line for the past 10 minutes and just staying quiet because Laura is crushing it. I don’t know what CrowdStrike’s criteria is for saying compromise or not compromise. I do know that we at FireEye have over 350 incident responders, we have nearly 350 iSight intel analysts [Editor’s note: FireEye acquired the threat intelligence firm iSight Partners for $200 million earlier this year], and we have well over 3,000 customers where we have appliances deployed. Those are the sources for where we find these compromises. We’ve had our threat database in existence since 2006, so that’s the scale and scope at which we operate. When I look at all the investigations we’ve done and all the intel we get from iSight, that’s the data we’re reporting on. From the observables we have here at FireEye, the activity and counterespionage intrusions from China have gone down.
Fortune: Because the attacks have dropped off precipitously, it seems, does this mean U.S. companies should breathe a sigh of relief?
Mandia: Well, you’ve still got a bunch of other threats to worry about. So the answer is you still have to safeguard yourself from rogue states, which may be less responsible than China. I’ve always said this: the Chinese were the most polite hackers in cyberspace. They would break in, but I don’t think they had exceptionally great counter forensics, they weren’t destructive, they didn’t go public with the data they stole. In many ways, if you were hacked, and you knew it, and it was the Chinese that did it, you breathed a sigh of relief. If it was some other group, you had to worry about public disclosure, about extortion, about a ton of other things. So the polite hackers have narrowed their targeting. That’s how I look into this.
I wouldn’t breathe a sigh of relief. What I do see is that public exposure of Chinese cyber espionage by the private sector as well as by government officials—potentially the indictments and all the things Laura has put in the report—all of these factors did have an impact on the scale and scope of Chinese cyber espionage against the U.S.A. I see that as a positive thing. The unfortunate reality is that you still have to build your moat of defense against the other threats that are still out there.
Fortune: During one recent quarter, Dave DeWalt, who was then FireEye’s CEO, said that attacks by China on U.S. companies had been decreasing. A bunch of people took issue with the statement. They said that attacks are still going on. Where does FireEye stand on that? Because it seems the report is saying that, yes, the number of attacks has decreased a lot.
Mandia: Yup, we just stand by exactly what we’re publishing. Based on our observables, that’s what we see. This isn’t like the TTPs [Editor’s note: TTPs is cyberspeak for “tools, tactics, and procedures”—the idiosyncrasies of hacking methods] of Chinese cyber espionage changed overnight. When we do see them, the TTPs are largely the same. There are going to be those naysayers out there who say, well, maybe FireEye is just missing it. I’ve been locked onto these guys virtually my whole career. I’m not convinced anyone has been responding to Chinese cyber espionage breaches longer than I have—and if there is somebody I’d like to find them. We dealt with this back when I was in the military in the ’90s, and we’re locked on still. The TTPs will change, but they’re not surreptitious. We’re not missing it. That’s my opinion.
Fortune: How do you persuade companies to continue to invest in cybersecurity when it seems that maybe the threats are not as drastic or immediately pressing as they might have been?
Galante: I would say at this point you’re taking a roll of the dice if you’re a corporate entity or a government entity with strong intellectual property. Especially something that could be dual-use. Particularly, if you’re in one of the many industries that’s producing cutting edge R&D, you’re now rolling the dice and have been for a long time, on whether you’re going to be compromised. We’re seeing a maturation of China’s military and political means to use cyber operations. To think that the decline in activity that we’re seeing now is endemic of the future would be a misread. I think what we’re seeing is a period of recalculating how to go with a precision force and a focus to get exactly the access that is needed, whether for political or military gains.
Fortune: What prompted this report?
Mandia: We went public in 2013 with the APT1 report. The government indicts soldiers in 2014. The president and the heads of state meet and they have discussions, and what does it lead to? What we hoped it would lead to—a reduction in the targeting of the private sector. I think that’s a positive result. And that’s why we’re really doing this—to report on a positive result.
Fortune: How have things changed for you since becoming CEO? Congrats on the promotion, by the way.
Mandia: Thanks, it doesn’t change much at the end of the day.
PR person: Let’s keep off that for now.
Fortune: Okay, what else is interesting—is North Korea behind the SWIFT bank hacks?
Mandia: First thing I would say as a general citizen—and I don’t have the data to opine one way or another—but boy, wouldn’t you want to know who stole $81 million from the Bank of Bangladesh?
Fortune: Oh yeah.
Mandia: I mean if we can’t pierce anonymity behind that as an international community, both behind the hack and behind the laundering of the money, don’t we have a challenge here? $81 million is gone and we don’t know who did it? That’s not a good indicator for whether we’re going to catch who hacks a utility in Mississippi and shuts it down. We’ve got to get attribution right. If we can’t get it right for Ashley Madison, fine, I get that. But if we can’t get it right for stealing $81 million—that’s not a good indicator. I think that’s the interesting story right now. Can the international community pierce the anonymity behind folks who steal $81 million, and if they can’t, what else can they not do?
Fortune: Indeed. Thanks for your time.
Mandia: Take care, Robert.
Fortune: You too.