Foreign Economic Espionage in Cyberspace


National Counterintelligence and Security Center (2018)



Executive Summary

In the 2011 report to Congress on Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, the Office of the National Counterintelligence Executive provided a baseline assessment of the many dangers facing the U.S. research, development, and manufacturing sectors when operating in cyberspace, the pervasive threats posed by foreign intelligence services and other threat actors, and the industries and technologies most likely at risk of espionage. The 2018 report provides additional insight into the most pervasive nation-state threats, and it includes a detailed breakout of the industrial sectors and technologies judged to be of highest interest to threat actors. It also discusses several potentially disruptive threat trends that warrant close attention.


This report focuses on the following issues:

• Foreign economic and industrial espionage against the United States continues to represent a significant threat to America’s prosperity, security, and competitive advantage.

• Cyberspace remains a preferred operational domain for a wide range of industrial espionage threat actors, from adversarial nation-states, to commercial enterprises operating under state influence, to sponsored activities conducted by proxy hacker groups.

• Next-generation technologies, such as Artificial Intelligence (AI) and the Internet-of-Things (IoT), will introduce new vulnerabilities to U.S. networks for which the cybersecurity community remains largely unprepared.

• Building an effective response will require understanding economic espionage as a worldwide, multi-vector threat to the integrity of the U.S. economy and global trade.

• Foreign intelligence services—and threat actors working on their behalf—continue to represent the most persistent and pervasive cyber intelligence threat.

• China, Russia, and Iran stand out as three of the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information.

• Countries with closer ties to the United States also have conducted cyber espionage to obtain U.S. technology.

• Despite advances in cybersecurity, cyber espionage continues to offer threat actors a relatively low-cost, high-yield avenue of approach to a wide spectrum of intellectual property.

• A range of potentially disruptive threat trends warrant attention. Software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors. Meanwhile, new foreign laws and increased risks posed by foreign technology companies, due to their ties to host governments, may present U.S. companies with previously unforeseen threats.

Cyber economic espionage is but one facet of the much larger, global economic espionage challenge. We look forward to engaging in the larger public discourse on mitigating the national economic harm caused by these threats.


Scope Note


This report is submitted in compliance with the National Defense Authorization Act for Fiscal Year 2015, Section 1637, which requires that the President annually submit to Congress a report on foreign economic espionage and industrial espionage in cyberspace during the 12-month period preceding the submission of the report.


Definitions of Key Terms

For the purpose of this report, key terms were defined according to definitions provided in Section 1637 of the National Defense Authorization Act for Fiscal Year 2015.


Economic or Industrial Espionage means

(a) stealing a trade secret or proprietary information or appropriating, taking, carrying away, or concealing, or by fraud, artifice, or deception obtaining, a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information;

(b) copying, duplicating, downloading, uploading, destroying, transmitting, delivering, sending, communicating, or conveying a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information; or

(c) knowingly receiving, buying, or possessing a trade secret or proprietary information that has been stolen or appropriated, obtained, or converted without the authorization of the owner of the trade secret or proprietary information.


Cyberspace means

(a) the interdependent network of information technology infrastructures; and

(b) includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.


I. The Strategic Threat of Cyber Economic Espionage

Foreign economic and industrial espionage against the United States continues to represent a significant threat to America’s prosperity, security, and competitive advantage. Cyberspace remains a preferred operational domain for a wide range of industrial espionage threat actors, from adversarial nation-states, to commercial enterprises operating under state influence, to sponsored activities conducted by proxy hacker groups. Next-generation technologies such as Artificial Intelligence (AI) and the Internet-of-Things (IoT) will introduce new vulnerabilities to U.S. networks for which the cybersecurity community remains largely unprepared. Building an effective response demands understanding economic espionage as a worldwide, multi-vector threat to the integrity of the U.S. economy and global trade.


The United States remains a global center for research, development, and innovation across multiple high-technology sectors. Federal research institutions, universities, and corporations are regularly targeted by online actors seeking all manner of proprietary information and the overall long-term trend remains worrisome. While next generation technologies will introduce a range of qualitative advances in data storage, analytics, and computational capacity, they also present potential vulnerabilities for which the cybersecurity community remains largely unprepared. The solidification of cloud computing over the past decade as a global information industry standard, coupled with the deployment of technologies such as AI and IoT, will introduce unforeseen vulnerabilities to U.S. networks.


• Cloud networks and IoT infrastructure are rapidly expanding the global online operational space. Threat actors have already demonstrated how cloud can be used as a platform for cyber exploitation. As IoT and AI applications expand to empower everything from “smart homes” to “smart cities”, billions of potentially unsecured network nodes will create an incalculably larger exploitation space for cyber threat actors.

• Lack of industry standardization during this pivotal first-generation deployment period will likely hamper the development of comprehensive security solutions in the near-term.

• Building an effective response demands understanding economic espionage as a worldwide, multi-vector threat to the integrity of both the U.S. economy and global trade. Whereas cyberspace is a preferred operational domain for economic espionage, it is but one of many. Sophisticated threat actors, such as adversarial nation-states, combine cyber exploitation with supply chain operations, human recruitment, and the acquisition of knowledge by foreign students in U.S. universities, as part of a strategic technology acquisition program.


II. Threats from Foreign Countries

Foreign intelligence services—and threat actors working on their behalf—continue to represent the most persistent and pervasive cyber intelligence threat. China, Russia, and Iran stand out as three of the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information. Countries with closer ties to the United States have also conducted cyber espionage to obtain U.S. technology. Despite advances in cybersecurity, cyber espionage continues to offer threat actors a relatively low-cost, high-yield avenue of approach to a wide spectrum of intellectual property.


We anticipate that China, Russia, and Iran will remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace. All will almost certainly continue to deploy significant resources and a wide array of tactics to acquire intellectual property and proprietary information. Countries with closer ties to the United States have conducted cyber espionage and other forms of intelligence collection to obtain U.S. technology, intellectual property, trade secrets, and proprietary information. U.S. allies or partners often take advantage of the access they enjoy to collect sensitive military and civilian technologies and to acquire know-how in priority sectors.


China: Persistent Cyber Activities

China has expansive efforts in place to acquire U.S. technology to include sensitive trade secrets and proprietary information. It continues to use cyber espionage to support its strategic development goals—science and technology advancement, military modernization, and economic policy objectives.


China's cyberspace operations are part of a complex, multipronged technology development strategy that uses licit and illicit methods to achieve its goals. Chinese companies and individuals often acquire U.S. technology for commercial and scientific purposes. At the same time, the Chinese government seeks to enhance its collection of U.S. technology by enlisting the support of a broad range of actors spread throughout its government and industrial base.


The Intelligence Community and private sector security experts continue to identify ongoing Chinese cyber activity, although at lower volumes than existed before the bilateral September 2015 U.S.-China cyber commitments. Most Chinese cyber operations against U.S. private industry that have been detected are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide. Examples of identified ongoing Chinese cyber activity include the following:


• According to several cyber intelligence companies, in 2017 the China-associated cyber espionage group APT10 continued widespread operations to target engineering, telecommunications, and aerospace industries. APT10 targeted companies across the globe, including the United States, using its exploitation of managed IT service providers as a means to conduct such operations.

• Cybersecurity researchers have found links between Chinese cyber actors and a back door in the popular CCleaner application that allowed the actors to target U.S. companies, including Google, Microsoft, Intel, and VMware.

• In November 2017, PricewaterhouseCoopers (PWC) reported that the China-based APT, known as KeyBoy, was shifting its focus to target Western organizations. According to PWC, the targeting likely was for corporate espionage purposes. KeyBoy previously focused on Asian targets, according to commercial cybersecurity reporting.

• According to FireEye, in 2017 TEMP.Periscope continued targeting the maritime industry as well as engineering-focused entities including research institutes, academic organizations, and private firms in the United States. FireEye has detected sharp increases in targeting in early 2018 as well.


Russia: A Sophisticated Adversary

The threat to U.S. technology from Russia will continue over the coming years as Moscow attempts to bolster an economy struggling with endemic corruption, state control, and a loss of talent departing for jobs abroad. Moscow’s military modernization efforts also likely will be a motivating factor for Russia to steal U.S. intellectual property. An aggressive and capable collector of sensitive U.S. technologies, Russia uses cyberspace as one of many methods for obtaining the necessary know-how and technology to grow and modernize its economy. Other methods include the following:

• Use of Russian commercial and academic enterprises that interact with the West;

• Recruitment of Russian immigrants with advanced technical skills by the Russian intelligence services; and

• Russian intelligence penetration of public and private enterprises, which enables the government to obtain sensitive technical information from industry.


Russia uses cyber operations as an instrument of intelligence collection to inform its decision-making and benefit its economic interests. Experts contend that Russia needs to enact structural reforms, including economic diversification into sectors such as technology, to achieve the higher rate of gross domestic product growth publicly called for by Russian President Putin. In support of that goal, Russian intelligence services have conducted sophisticated and large-scale hacking operations to collect sensitive U.S. business and technology information.


In addition, Moscow uses a range of other intelligence collection operations to steal valuable economic data:

• In 2016, the hacker “Eas7” confided to Western press that she had collaborated with the Russian Federal Security Service (FSB) on economic espionage missions. She estimated that “among the good hackers, at least half works (sic) for government structures,” suggesting Moscow employs cyber criminals as a way to make such operations plausibly deniable.

• Moscow has used cyber operations to collect intellectual property data from U.S. energy, healthcare, and technology companies. For example, Russian Government hackers last year compromised dozens of U.S. energy firms, including their operational networks. This activity could be driven by multiple objectives, including collecting intelligence, developing accesses for disruptive purposes, and providing sensitive U.S. intellectual property to Russian companies.

• Since at least 2007, the Russian state-sponsored cyber program APT28 has routinely collected intelligence on defense and geopolitical issues, including those relating to the United States and Western Europe. Obtaining sensitive U.S. defense industry data could provide Moscow with economic (e.g., in foreign military sales) and security advantages as Russia continues to strengthen and modernize its military forces.


Iran: An Increasing Cyber Threat

Iranian cyber activities are often focused on Middle Eastern adversaries, such as Saudi Arabia and Israel; however, in 2017 Iran also targeted U.S. networks. A subset of this Iranian cyber activity aggressively targeted U.S. technologies with high value to the Iranian government. The loss of sensitive information and technologies not only presents a significant threat to U.S. national security, but also enables Tehran to develop advanced technologies to boost domestic economic growth, modernize its military forces, and increase its foreign sales. Examples of recent Iranian cyber activities include the following:

• The Iranian hacker group Rocket Kitten consistently targets U.S. defense firms, likely enabling Tehran to improve its already robust missile and space programs with proprietary and sensitive U.S. military technology.

• Iranian hackers target U.S. aerospace and civil aviation firms by using various website exploitation, spearphishing, credential harvesting, and social engineering techniques.

• The OilRig hacker group, which historically focuses on Saudi Arabia, has increased its targeting of U.S. financial institutions and information technology companies.

• The Iranian hacker group APT33 has targeted energy sector companies as part of Iran’s national priorities for improving its petrochemical production and technology.

• Iranian hackers have targeted U.S. academic institutions, stealing valuable intellectual property and data.