clock menu more-arrow no yes mobile

Filed under:

What to Expect From Charges Against Chinese Hackers: Nothing

Pot, meet kettle.

Hung Chung Chih /

The U.S. Department of Justice has secured criminal indictments against five active-duty members of the cyberwar unit of China’s People’s Liberation Army.

Here’s what you should expect to happen as a result: Nothing meaningful.

The charges announced by Attorney General Eric Holder amount to the diplomatic equivalent of the pot criticizing the kettle’s wardrobe. The chance that anyone sees the inside of a U.S. courtroom as a result of today’s charges is virtually nil.

Recall that last year, the security research firm Mandiant identified a section of the PLA, Unit 61398 based in Shanghai, as the source of several attacks against U.S., British and Canadian companies. Rather than hacking for the purpose of protecting China’s national security, its efforts appeared to be carried out for the benefit of Chinese companies and state-owned enterprises.

Mandiant, now a unit of FireEye, said at the time that the Army unit had compromised the networks of at least 141 companies or organizations, and probably more than that. On average it spent 356 days perusing the networks of each of them. In one case, the attackers had unfettered access to the computers of a victim of the attacks for nearly five years before being detected.

The names of the defendants — according to this DOJ press release — are Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui. The victim companies are Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies, the United Steelworkers Union and Alcoa. The attacks began in 2006 and continued into this year, the charges allege.

China has already reacted, calling the charges “made up.”

Richard Bejtlich, chief security strategist at FireEye, says the people being charged aren’t officers but are more likely to be foot-soldiers who carried out the operations. He says that at least one of the names, Wen Xinyu, was familiar to him from when Mandiant was preparing its report.

“These are the sorts of people who would have been doing the work and carrying out the operations, not the ones giving the orders,” he said. Thus, the DOJ would have been more likely to piece together information about them from their social media profiles and other digital breadcrumbs they might have left in the course of their normal use of the Internet. “We would see these guys logging into their email and Facebook accounts while they were hacking,” he said.

The Justice Department says the hackers stole sensitive commercial information from the companies’ computers at times when those companies were involved in negotiations with Chinese state-controlled enterprises not identified in the charges.

For example, in 2010, Westinghouse was building four power plants in China and negotiating other terms of the construction project. Sun, the government says, penetrated Westinghouse’s network and stole specifications for pipes and pipe supports as well as other proprietary information. Later, in 2011, he’s said to have taken emails concerning internal corporate deliberations about another matter Westinghouse was negotiating.

In 2012, Wen is said to have attacked the networks of SolarWorld, an Oregon-based manufacturer of solar panels. At the time, Chinese companies were being accused of “dumping” their products on the market, essentially selling them at a loss in order to hurt competitors. Wen, the government says, stole SolarWorld’s internal cash flow statements, information about its costs and production lines and even privileged communications with its attorneys about a court case.

While the particulars are interesting — and hopefully we’ll get to read more nitty-gritty details when the official indictment documents are unsealed (Update: See it below.) — the fundamental problem is one of credibility. Essentially, when it comes to cyber attacks, the U.S. has none.

The revelations concerning the aggressive collection efforts of the U.S. National Security Agency by its former contractor Edward Snowden have demonstrated there is very little in the global communications infrastructure that agency won’t touch in an attempt to compromise. And while Holder and other U.S. officials are quick to say that the U.S.government doesn’t hack non-U.S. companies in order to help U.S. companies, there have been hints from Snowden that there are disclosures yet to be made that tell a different story.

In an interview with a German television network in January, Snowden said there is “no doubt” that the NSA engages in industrial espionage, and cited the German industrial giant Siemens as a potential target. “If there’s information at Siemens that’s beneficial to U.S. national interests — even if it doesn’t have anything to do with national security — then they’ll take that information nevertheless,” Snowden told the network ARD at the time.

No specifics have been released from the trove of Snowden’s pilfered documents since then. But today’s charges will likely prompt a new disclosure in the coming weeks.

Snowden’s choice of Siemens as an example in the above quote is notable because it brings to mind that company’s role as the unwitting middleman in another U.S. cyberwar effort, the Stuxnet worm. The worm exploited vulnerabilities in Siemens-made industrial control computers installed in Iran and was ultimately used to seize control of nuclear centrifuges and make them spin out of control, causing some to explode.

Another example of industrial espionage that we know about: Huawei, the Chinese network equipment manufacturer. In March, the New York Times reported that the NSA has systematically built back doors into equipment from Huawei. The first step was hacking into servers at the company’s headquarters in Shenzhen.

Of course no one can yet cite examples where the NSA or another agency attacked the systems of a foreign company in order to benefit a favored U.S. company commercially. But the scale of its operation and reach is immense. Its national policy goal is to preserve and protect American power and influence.

The scale and reach of China’s hacking operations are just as large, but they’re aimed at different policy goals: China wants to catapult its economy into the 21st century by any means necessary, even if it involves stealing corporate secrets to help its internal players along the way.

The nuance is in the difference in each country’s aims, and it will likely be lost as the accusations and counter-accusations play out on the international stage in the coming months.

Update: Here’s the full indictment, which should make for interesting reading. And after that is a video segment from CNBC which includes Kevin Mandia, head of FireEye’s Mandiant, the firm that first found and publicly identified China’s Unit 61398.

US PLA Indictment

This article originally appeared on

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.