A U.S. cybersecurity company says it has evidence hackers linked to the Chinese government may have tried to violate a recent agreement between Washington and Beijing not to hack private firms in each other’s country for economic gain.
The firm, CrowdStrike Inc., plans to announce Monday that unnamed customers in the technology and pharmaceutical industries have faced attempted—though unsuccessful—intrusions from China-linked hackers.
Two incidents took place the day before and the day after President Barack Obama and Chinese President Xi Jinping said on Sept. 25 they reached an “understanding” not to use cyberspies to commit economic espionage against each other, according to CrowdStrike. The Chinese embassy in Washington didn’t immediately respond to a request for comment. “We are aware of this report. We’ll decline comment on its specific conclusions,” said a senior Obama administration official. “We have and will continue to directly raise our concerns regarding cybersecurity with the Chinese.”
American companies have complained for years that Beijing-linked hackers have sought to pilfer their trade secrets from corporate computers. U.S. spies have hacked into Chinese companies, such as Huawei Technologies Co., though American officials have argued such hacks are for national security purposes and not to steal trade secrets. Earlier, Chinese hackers were arrested after a U.S. request.
Security firms like CrowdStrike, which has ties to official Washington, often note that their customers are under attack from a variety of computer hackers. Monday’s declaration is striking because of its implications for foreign policy: In effect, a private company is saying that years of back-channel talks between the U.S. and China over hacking norms have been for naught.
Former U.S. officials and investigators at other security companies cautioned it may be too soon to know whether China is violating the new agreement. FireEye Inc. is a computer security firm that, like CrowdStrike, works with the government and employs numerous former government investigators. FireEye executives say they have seen apparent Chinese-linked hacking operations since the agreement was announced. But Laura Galante, a director at FireEye and former analyst for the State Department, said it is “premature to conclude that activity during this short time frame constitutes economic espionage.”
By contrast, CrowdStrike says that on Sept. 24, the day after Mr. Xi met with American technology executives in Seattle, cyberspies it has linked to China attempted to hack into an American technology company. CrowdStrike says this happened again on Sept. 26, the day after the two leaders announced the hacking agreement. Attempted intrusions at tech firms continued into early October. On Oct. 8, CrowdStrike says, Chinese hackers attempted to hack into a pharmaceutical company.
“This is a pretty clear violation of the agreement as opposed to other types of espionage,” said CrowdStrike Chief Technology Officer Dmitri Alperovitch, adding, “What else would you steal from a pharma company” aside from intellectual property? Determining the sponsors of a hack is a subjective mix of computer science and instinct. In this case, CrowdStrike says the attempted attacks against its clients appear to be linked to one of the alleged Chinese hacking groups it tracks: Deep Panda. Mr. Alperovitch says these hackers can be traced back to Beijing based on the tools and servers they use, the hours they appear to keep and the data they target.
Investigators at other security companies and within the U.S. government say they agree that Deep Panda appears to be working on behalf of the Chinese government, even though they don’t necessarily agree with CrowdStrike’s assessment of the recent activity. In the past, the Chinese government publicly has denied any link to Deep Panda. The antihacking agreement between the U.S. and China is narrow, applying only to stealing trade secrets for the benefit of other companies—not hacking for national security purposes or traditional espionage.
Another security company said it is aware of a Chinese-linked intrusion at a defense contractor since Mr. Xi agreed to not endorse economic espionage through hacking. But a researcher at that company said that incident wouldn’t violate the agreement because it might be aimed at gaining a security advantage. “As far as I’m concerned that’s fair game,” the researcher said.