
Chinese Hackers: A Return to IP Theft?


Chinese hackers have given U.S. companies a reprieve for more than a year. But does the hack of the National Foreign Trade Council signal a return to Chinese IP theft? Or does it signal a broader strategic shift?


In April 2017, a cybersecurity firm, Fidelis Cybersecurity, reported that the National Foreign Trade Council (NFTC), a trade advocacy group, was the victim of a watering hole attack that occurred just before a summit between President Donald Trump and Chinese President Xi Jinping. Fidelis identified APT10, a Chinese cyberespionage group, as the likely actor, accusing the group of infecting select pages of the NFTC website with links that loaded reconnaissance malware, known as the ScanBox Framework. While it is unclear what APT10’s relationship with the Chinese government is, according to Fidelis, “Scanbox has exclusively been known to have been used by threat actors associated with, or sponsored by, the Chinese government.”

There are two possible and potentially overlapping objectives for the cyberattack on NFTC. The first is to prepare for cyber-enabled intellectual property (IP) theft, which would be a continuation of China’s persistent campaign of IP theft. The second is cyberespionage designed to inform protectionist policies and to strengthen China’s negotiating position as she pursues increasingly aggressive trade policies. Both would be intended to steal or stifle US innovation and competitiveness and are pieces of China’s economic offensive against US innovators and business leaders.


According to the 2017 Update to the IP Commission Report, economic espionage, which includes the theft of IP and trade secrets, costs the US economy between $225 billion and $600 billion each year. The report identifies China as the “world’s principal IP infringer” and warns that China not only steals “the most American IP of any country” but also targets “sectors at the forefront of innovation that could create the best jobs for Americans in the 21st century.” Hacking appears to drive a large portion of the US economic losses that result from Chinese economic espionage. In 2015, the Office of the Director of National Intelligence estimated that hacking costs the US economy $400 billion annually, a figure that was affirmed by the IP Commission. A 2014 report from the Center for Strategic and International Studies asserts a more conservative estimate of $100 billion in annual costs to the US economy.

To tamp down on traditional Chinese cyber-enabled economic espionage, President Barack Obama and Chinese President Xi Jinping agreed “that neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Following the September 2015 agreement, FireEye observed a conspicuous decrease in the number of network compromises targeting US companies that are attributed to China. However, the decline was likely a tactical shift, rather than a concerted effort to abide by the rules, principles, and norms of fair and free competition.

Prior to the attack on NFTC, APT10 was engaged in a global campaign of cyberespionage against managed IT service providers (MSPs). MSPs maintain privileged access to the networks of their clients, many of whom are firms in advanced industries. Breaching an MSP could result in unfettered access to client networks that harbor sensitive data and intellectual property. Furthermore, the group implicated in the NFTC hack, APT10, has a well-documented track record of targeting the assets of US advanced industries. By pilfering US intellectual property, Chinese firms have been able to leap-frog incremental innovation and compete directly with US firms. A previous piece examining US-China innovation competition highlighted high-performance computing, solar, and high-speed rail as examples of China’s ability to successfully leverage technology transfer and IP theft into internationally competitive industries.

While NFTC does not have access to the networks of its members, its website does attract visitors from its member firms. By infecting webpages likely to be visited by NFTC members with ScanBox, APT10 can log user keystrokes and identify the versions of popular software installed on infected machines. This revealing data can be used to develop customized and highly-effective spear-phishing campaigns. Indeed, a recent joint report by PricewaterhouseCoopers UK and BAE Systems suggests that APT10’s “standard compromise methodology begins with a spear phishing email sent to the target.” An APT10 spear-phishing campaign against US firms has yet to emerge, but the attack on NFTC may be an indication that APT10 intends to pivot to targeting US firms.


The timing of the attack suggests that there may be a second motive. Since the start of his presidential campaign, President Trump has threatened to confront China regarding its unfair trade practices. A 2012 report from the Information Technology and Innovation Foundation (ITIF) observes that cyber-enabled economic espionage is only one tactic in a larger Chinese strategy to achieve economic self-sufficiency and to dominate global advanced industries. The report argues that, in addition to cyberespionage and IP theft, China pressures countries and companies alike into accepting anticompetitive terms in return for access to the domestic Chinese market.

In 2015, China released its national economic strategy, “Made in China 2025”. Following past master plans, “Made in China 2025” delineates the contours of China’s economic development over the next 10 years. According to the plan, China seeks to escape the middle-innovation trap by rapidly acquiring or developing innovation-driven, advanced industries. At the same time, China aims to retain low-value manufacturing. Reports published by ITIF, the Mercator Institute for China Studies, and the US Chamber of Commerce suggest that, to achieve these dual objectives, China is seeking to become more reliant on its untoward trade practices.

Ahead of the recent US-China summit, it’s likely that China sought insight into the Trump Administration’s trade strategy. By targeting a prominent and influential trade association, China may have gained an understanding of the trade policy priorities of America’s top financial and manufacturing firms. This privileged information would have given President Xi and Chinese government officials leverage in discussions with the United States.

Presently, the US-China cyber agreement appears to be holding. But recent hacks on US allies and close trading partners and on a prominent American trade advocacy group may signal a return of China’s campaign of cyber-enabled economic espionage. However, economic espionage is not the only challenge posed by China. The hacks may also be a part of a concerted Chinese effort to continue flouting the rules and principles that undergird international free trade and competition. The US government and US firms should monitor Chinese cyber activity closely, watching for signs that China is reverting to IP theft or attempting to bolster its position in trade negotiations.