WASHINGTON — Three months after hackers working for a cyber unit of China’s People’s Liberation Army went silent amid evidence they had stolen data from scores of U.S. companies and government agencies, they appear to have resumed their attacks using different techniques, according to computer industry security experts and U.S. officials.
The Obama Administration had bet that “naming and shaming” the groups, first in industry reports and then in a Pentagon survey of Chinese military capabilities, might prompt China’s new leadership to crack down on the military’s highly organized team of hackers. Or at least urge them to be more subtle.
But the cyber unit is back in business, according to U.S. officials and security companies.
It is not clear precisely who has been affected by the latest attacks.
Mandiant, a private security company that helps companies and government agencies defend themselves from hackers, said the attacks had resumed but would not identify the targets, citing agreements with its clients. But it did say the victims were many of the same ones the unit had attacked before.
The hackers were behind scores of thefts of intellectual property and government documents over the past five years, according to a report by Mandiant in February that was confirmed by U.S. officials.
They have stolen product blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies, and other proprietary information from more than 100 of Mandiant’s clients, predominantly in the United States.
According to security experts, the cyber unit was responsible for a 2009 attack on the Coca-Cola Co. that coincided with its failed attempt to acquire the China Huiyuan Juice Group.
In 2011, it attacked RSA, a maker of data security products used by U.S. government agencies and defense firms, and used the information it collected from that attack to break into the computer systems of Lockheed Martin, the aerospace contractor. More recently, security experts said, the group took aim at firms with access to the nation’s power grid.
In September, it broke into the Canadian arm of Telvent, now Schneider Electric, which keeps detailed blueprints on more than half the oil and gas pipelines in North America.
Obama Administration officials said they were not surprised by the resumption of the hacking activity. “This is something we are going to have to come back at time and again with the Chinese leadership,” one senior official said, noting they “have to be convinced there is a real cost to this kind of activity.”
Mandiant said the Chinese hackers stopped their attacks after they were exposed and removed their spying tools from the organizations they had infiltrated.
But in the last two months they have gradually begun attacking the same victims from new servers and have reinserted many tools that enable them to seek out data without detection.
They now operate at 60 to 70 percent of the level they worked at before, according to a study by Mandiant requested by the New York Times. Mandiant’s findings match those of Crowdstrike, another security company that has been tracking the group.
Adam Meyers, director of intelligence at Crowdstrike, said apart from a few minor changes in tactics, it was “business as usual” for the Chinese hackers.
The subject is expected to be a central issue in an upcoming visit to China by President Obama’s national security adviser, Thomas Donilon. Mr. Donilon has said dealing with China’s actions in cyberspace is moving to the center of the complex security and economic relationship between the two countries.
But hopes for progress are limited. When the Pentagon released its report this month officially identifying the Chinese military as the source of years of attacks, the Chinese Foreign Ministry denied the accusation. People’s Daily, which reflects the Communist Party’s views, called the United States “the real ‘hacking empire,’ ” saying it “has continued to strengthen its network tools for political subversion against other countries.”
Others in China cited U.S. and Israeli cyberattacks on Iran’s nuclear facilities as evidence of U.S. hypocrisy.
Guidelines: Please keep your comments smart and civil. Don't attack other readers personally, and keep your language decent. Comments that violate these standards, or our privacy statement or visitor's agreement, are subject to being removed and commenters are subject to being banned. To post comments, you must be a registered user on toledoblade.com. To find out more, please visit the FAQ.