Can’t Stop Won’t Stop

China Cyberspying on U.S.—After No-Hacking Deal

Three days after Obama and Xi Jinping signed a historic agreement to curb online economic espionage, the FBI issued a fresh warning about Chinese spies in U.S. corporate networks.

The U.S. and China may have agreed not to hack each other’s companies for commercial advantage. But China’s computer spies are still targeting hundreds of American companies working for the U.S. military, prompting an urgent warning from law enforcement officials, The Daily Beast has learned.

On Sept. 28, the FBI sent an alert to at-risk firms, reporting with “high confidence” that hackers based in China “have compromised and stolen sensitive military information” from companies that provide engineering and technical services to the Navy and the Marine Corps.

The FBI described the spying campaign as broad and comprehensive.

“The actors did not target information pertaining to a specific contract but instead stole all information that they accessed via their malicious cyber activities,” said the alert, a copy of which was obtained by The Daily Beast.

The FBI sent the warning three days after Chinese President Xi Jingping and President Obama announced an historic agreement to stop computer hacking aimed at stealing corporate trade secrets and intellectual property. That agreement, however, doesn’t cover the kinds of spying that the alert describes.

China can still target U.S. military contractors on the grounds that the classified information in their computers—including weapons designs and documents describing military operations and programs—is central to China’s own national security interests. The U.S. also hacks foreign companies for military and political intelligence, but officials say the information is never shared with American companies to give them a leg up in their business dealings.

The hackers have been observed collecting credentials and moving “laterally through the network” of their victims, the alert said, meaning that once inside a company’s systems, they obtained usernames and passwords that allowed them to pose as legitimate users and move around freely. Such intrusions can typically go undetected for months.

Evidence obtained from the victims indicates they were part of the Navy’s SeaPort contracting program, the FBI alert said. That program includes more than 2,4000 companies, from well-known giants to smaller firms that sell engineering, financial management, and other services. More than 85 percent of them are classified as small businesses, according to Navy statistics.

Defense contractors have long been a prime target for hackers, who find it easier to penetrate their often poorly secured networks than to attack the military’s head on.

The alert doesn’t say how many companies have been hit. But it notes the hackers used “infrastructure emanating from China,” the FBI’s preferred method of pointing the finger at the country without offering evidence of the government’s direct involvement.

Security experts disagreed over what other targets the hacker group may have hit, but said they are using tools commonly favored by the Chinese.

One former senior U.S. intelligence official who independently obtained the alert told The Daily Beast it describes the same hackers behind the massive breach at the Office of Personnel Management, in which Chinese spies stole the records of more than 21 million current and former U.S. government employees. The group has also been linked to a major breach at the health insurance company Anthem, he said.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

But a second expert who saw the alert said it doesn’t describe the hackers who breached the OPM. However, he said the particular hacking tool that the group used, known as the “China Chopper Web shell,” is a favorite of many hackers outfits in China who use it to build backdoors into companies’ networks. So even if the hackers who hit the Navy contractors didn’t target the OPM, they’re still part of the same broader complex of hackers who are infiltrating networks important to the U.S. government.

Both experts spoke on condition of anonymity because the FBI labeled the information in the alert as too sensitive to be shared with those who don’t have a “need to know.”

The timing of the alert suggests that the FBI may have wanted to refrain from drawing attention to Chinese hacking operations while Xi was visiting the U.S., the first expert said. In general, though, the FBI has been eager to implicate Beijing and has been much more aggressive in assigning individual hacking campaigns to Chinese actors than has the White House.

In July, the bureau warned companies to be on the lookout for Chinese hackers, including those whom the bureau thinks were responsible for stealing records from the OPM. The same month, in a rare on-the-record briefing, the FBI’s top counterintelligence officials said they were tracking “hundreds” of cases of Chinese economic espionage against American firms.

China’s intelligence services are “as aggressive now as they’ve ever been,” said FBI Assistant Director Randall Coleman, who runs the bureau’s counterintelligence division.

In the most recent alert, the FBI said the targeted companies were part of a subset of Navy contractors who’ve been vetted for the “SeaPort Enhanced” program.

A spokesperson for the Naval Sea Systems Command, which runs the contractor program, told The Daily Beast that officials are reviewing the FBI’s alert but could provide no additional information about it.

An FBI spokesman likewise declined to comment about the specific information in the alert, but said that the bureau “routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

The Navy command also has a connection to the OPM hack: It selected the company that’s providing identity monitoring services to the millions of victims.

The firm was not selected from the list of contractors who may have been hit by the Chinese hackers, the Navy spokesman said. It’s not clear from the FBI alert whether the Navy command itself was targeted or compromised.

Identity monitoring may do little to counteract the OPM hack, which some U.S. officials have described as the most significant intelligence loss the government has suffered in years. The monitoring company will keep tabs on whether any information that was stolen is being used for financial fraud, such as opening credit card accounts in the victims’ names.

“Credit monitoring is not remediation for espionage,” said Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command. The more significant threat is that the Chinese will use the information they stole from OPM to identify U.S. intelligence officers working overseas or to try to recruit or coerce potential agents. The Washington Post reported that the CIA pulled some intelligence officers from the U.S. embassy in Beijing as a precautionary measure following the OPM hack.

Adams said that giving the monitoring company access to millions of victims’ personal records and financial information only increases the risk of exposure for those who’ve already seen the most intimate details of their personal lives plundered by Chinese hackers. The OPM files contain information from background investigations that can reveal past struggles with alcohol or drugs, marital strife, and financial troubles—all material that could be used for blackmail or coercion.

Another computer security expert who monitors the sale of personal information on the so-called “dark Web” told The Daily Beast that no information from the OPM hack has been found there. That indicates that the information isn’t being used for financial crimes or identity fraud, but more likely for Chinese intelligence and security operations.