The China Rules: Chinese Cyber Espionage Against the United States

This chapter from The Perfect Weapon provides an in-depth look at Chinese cyber espionage activities targeting the United States government and corporations in the early-to-mid 2010s. It reveals details about specific hacking groups, major breaches, and the U.S. government’s attempts to curtail this activity.

At the center of much of this activity was People’s Liberation Army Unit 61398, based in a nondescript building in Shanghai. Kevin Mandia’s cybersecurity firm Mandiant tracked the unit and observed it breaking into the networks of over 100 companies across dozens of industries. Remarkably, Mandiant was able to watch the hackers through their own webcams, seeing that most were young men who engaged in typical online activities between bouts of hacking during work hours. Mandiant identified some hackers’ real names, including that of one who went by the moniker “UglyGorilla”, by watching them log into personal accounts.

One major company that found itself in Unit 61398’s crosshairs was Google. The tech giant had run into issues with the Chinese government restricting and censoring its services in the late 2000s. Tensions escalated in 2009 when Chinese hackers broke into Google’s systems in the U.S. in an operation dubbed “Aurora”. The intruders stole source code and tried to access the Gmail accounts of Chinese activists. Google publicly disclosed the intrusions in 2010 and announced it would stop censoring results on its Chinese search engine, Google.cn, leading to its effective withdrawal from mainland China. Unbeknownst to Google, the hackers had also accessed a highly sensitive database of surveillance orders from the U.S. Foreign Intelligence Surveillance Court, potentially allowing China to identify which of its own agents had been compromised.

Perhaps the most audacious Chinese hacking operation came to light in 2014-2015 when it was revealed that intruders had breached the U.S. Office of Personnel Management (OPM) and stolen sensitive data on over 22 million current and former federal employees and job applicants. The stolen files included extensive personal and financial information from SF-86 security clearance forms and background investigation reports. This data breach, one of the largest in U.S. history, went undetected for about a year, in part due to OPM’s outdated systems and poor security practices. Intelligence officials assessed that the stolen data could help China identify American spies, even those under diplomatic cover.

The CIA was forced to cancel assignments to China as a result. Shockingly, Director of National Intelligence James Clapper remarked that the U.S. would likely have done the same if it had the chance. The White House sought to downplay the severity of the breach.

Against this backdrop of escalating cyber aggression, U.S. Attorney David Hickton worked to build a criminal case against Chinese hackers. In an unprecedented move, Hickton led the Justice Department to indict five PLA officers in absentia in 2014, including some of the individuals Mandiant had identified. The hackers were charged with infiltrating U.S. companies such as Westinghouse and U.S. Steel and stealing trade secrets and proprietary information. While there was little practical chance of prosecution, the indictments represented a “name and shame” effort to deter Chinese economic espionage. Beijing vociferously denied the allegations but refrained from retaliating strongly.

Diplomatic efforts to curb Chinese hacking reached a critical juncture in 2015, ahead of President Xi Jinping’s state visit to Washington. With the Obama administration threatening sanctions, last-minute negotiations produced a landmark bilateral agreement pledging that neither country would conduct cyber espionage for commercial gain. Notably, the accord treated traditional national-security spying, such as the OPM breach, as fair game. While the deal did lead to a significant drop in Chinese hacking of U.S. corporations, it failed to become the model for international norms that the White House had hoped for.

This chapter paints a dramatic picture of China’s strategic campaign to vacuum up American corporate secrets and government personnel data on a massive scale in the early 21st century. Although high-level diplomacy helped curtail the most flagrant commercial hacking, core tensions endured between the two powers in the cyber domain as they maneuvered to protect their national security interests and intelligence capabilities. The events recounted here marked an early and defining chapter in the emerging high-stakes competition between the U.S. and China for technological and geopolitical advantage in the information age.

"A gilded No is more satisfactory than a dry yes" - Gracian