The Chinese government appears to be abiding by its September pledge to stop supporting the hacking of American trade secrets to help companies there compete, private U.S. security executives and government advisors said on Monday.
FireEye Inc., the U.S. network security company best known for fighting sophisticated Chinese hacking, said in a report released late Monday that breaches attributed to China-based groups had plunged by 90 percent in the past two years. The most dramatic drop came during last summer’s run-up to the bilateral agreement, it added.
FireEye’s Mandiant unit in 2013 famously blamed a specific unit of China’s People’s Liberation Army for a major campaign of economic espionage.
Kevin Mandia, the Mandiant founder who took over last week as FireEye chief executive, said in an interview that several factors seemed to be behind the shift. He cited embarrassment from Mandiant’s 2013 report and the following year’s indictment of five PLA officers from the same unit Mandiant uncovered.
Prosecutors said the victims included U.S. Steel, Alcoa Inc. and Westinghouse Electric. Mandia also cited the threat just before the agreement that the United States could impose sanctions on Chinese officials and companies.
“They all contributed to a positive result,” Mandia said.
A senior Obama administration official said the government was not yet ready to proclaim that China was fully complying with the agreement but said the new report would factor into its monitoring. “We are still doing an assessment,” said the official, speaking on condition he not be named.
The official added that a just-concluded second round of talks with China on the finer points of the agreement had gone well. He noted that China had sent senior leaders even after the U.S. Secretary of Homeland Security pulled out because of the Orlando shootings.
China’s Foreign Ministry, the only government department to regularly answer questions from foreign reporters on the hacking issue, said China aimed to maintain dialog on preventing and combating cyber-spying.
“We’ve expressed our principled position on many occasions,” ministry spokeswoman Hua Chunying told a daily news briefing on Tuesday. “We oppose and crack down on commercial cyber-espionage activities in all forms.”
FireEye said that Chinese intrusions into some U.S. firms have continued, with at least two hacked in 2016. But while the hackers installed “back doors” to enable future spying, FireEye said it had seen no evidence that data was stolen.
Both hacked companies had government contracts, said FireEye analyst Laura Galante, noting that it was plausible that the intrusions were stepping stones toward gathering information on government or military people or projects, which remain fair game under the September accord.
FireEye and other security companies said that as the Chinese government-backed hackers dropped wholesale theft of U.S. intellectual property, they increased spying on political and military targets in other countries and regions, including Russia, the Middle East, Japan and South Korea.
Another security firm, CrowdStrike, has observed more Chinese state-supported hackers spying outside of the United States over the past year, company Vice President Adam Meyers said in an interview.
Targets include Russian and Ukrainian military targets, Indian political groups and the Mongolian mining industry, Meyers said.
FireEye and CrowdStrike said they were confident that the attacks are being carried out either directly by the Chinese government or on its behalf by hired contractors.
Since late last year there has been a flurry of new espionage activity against Russian government agencies and technology firms, as well as other targets in India, Japan and South Korea, said Kurt Baumgartner, a researcher with Russian security software maker Kaspersky Lab.
He said those groups use tools and infrastructure that depend on Chinese-language characters.
One of those groups, known as Mirage or APT 15, appears to have ended a spree of attacks on the U.S. energy sector and is now focusing on government and diplomatic targets in Russia and former Soviet republics, Baumgartner said.
(Reporting by Joseph Menn in San Francisco and Jim Finkle in Boston; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Richard Chang)