Hackers based in China seem to have slowed some of their attacks on U.S. targets, private cybersecurity researchers and U.S. government officials have recently suggested, hinting at a shift in strategy for the nation as more public and political attention has turned to online threats.
But it’s not clear how long that will last, and companies and individuals shouldn’t be quick to let their defenses down, they say.
“Since mid-2014, we have seen a notable decline in China-based groups’ overall intrusion activity against entities in the U.S. and 25 other countries,” cybersecurity firm FireEye said in a report published on June 20.
While prominent actions by the U.S. government, including the indictment of accused hacker members of the Chinese military in 2014, seem to have played a role in tamping down the cyber threat, the FireEye report suggests that China had already begun to tone down some of its activities amid a shift in strategy started by Chinese President Xi Jinping.
“We suspect that this shift in operations reflects the influence of ongoing military reforms, widespread exposure of Chinese cyber operations, and actions taken by the U.S. government,” the firm said.
Those changes — including the consolidation of military cyber resources and increased sensitivity to how China is perceived on the world stage — have led to a “more refined” strategy among the Chinese when it comes to conducting online operations, FireEye reported.
Assistant Attorney General for National Security John Carlin pointed to the apparent slowdown in cyberattacks from China, at least a temporary one, while taking questions at the Center for Strategic and International Studies in Washington, D.C., on Tuesday.
“It seems like generally people have seen a change in activity,” Carlin said. “There’s a debate as to how long-lasting it may be, but there has been a change.”
FireEye’s new assessment was based on its work with clients in identifying and tracing intrusions by groups based in China. While in early to mid-2013 it saw more than 60 instances in which a client’s network was broken into, by the end of 2015 and the beginning of this year, that number was under 10 active attacks a month.
“Although we have continued to see China-based groups compromise corporations’ networks in the U.S., Europe and Japan and target entities in the countries surrounding China through late 2015 and into 2016, our data show an overall decline in compromises that began in earnest in mid-2014,” FireEye said in its report.
That was a year before Chinese President Xi and President Barack Obama met and hashed out an agreement that their governments would not hack companies in the other country to gain a commercial edge.
Last October another cybersecurity firm, CrowdStrike, said that it recorded attacks on at least seven of its client companies from actors it connected to the Chinese government in the three weeks after Xi and Obama announced their deal.
U.S. intelligence officials confirmed to NBC News this week that there has been a drop-off in Chinese attacks against some American targets, crediting it to the agreement between Obama and Xi. But they remain wary about whether it will continue.
Brian Bartholomew, a senior security researcher for cyber firm Kaspersky Lab, said that his company has also noted some decline in attacks against U.S.-based targets by actors thought to originate in China.
“That being said, we have also seen somewhat of an uptick in attacks against other countries, including Pakistan, India, Russia and many more throughout Europe and Asia,” Bartholomew told NBC News in an email this week. And while there did appear to have been fewer attacks on American-based companies and non-governmental organizations, “there are still traditional espionage operations occurring against the government and defense contractors.”
The Mountain View, California-based firm Symantec said it too noted some decline in activity from China after October of last year, but said it continued to monitor a “small trickle of continuing activity” that it said could in part be due to hackers needing time to shut down their attacks after the agreement between the U.S. and China.
“Attacks have increased and broadened into other countries beside the U.S., so these groups still very much remain active,” Kaspersky’s Bartholomew said. “Activity has decreased, but it would be foolish for one to assume Chinese-speaking threat actors will no longer target commercial entities in the U.S.”
American intelligence officials have regularly identified cyber threats originating from China as cause for serious concern.
The nation’s top spy chief, Director of National Intelligence James Clapper, told lawmakers earlier this year that malicious online activity was still coming from China, targeting both intelligence and private-sector companies.
“We have seen some reduction, but I don’t think we’re in a position to say at this point whether they’re in strict compliance,” Clapper said in response to a question from lawmakers in February regarding whether China was keeping up its end of the bargain.
“I think the jury’s out,” he said.
American and Chinese diplomats have continued to meet to discuss use of the Internet for espionage in the months since Xi and Obama signed their deal.
Attorney General Loretta Lynch and Department of Homeland Security head Jeh Johnson departed early from high-level cyber talks in Beijing earlier this month after a gunman claiming sympathies for ISIS killed 49 people in an Orlando nightclub.