In 2015, the United States and China agreed to a digital truce that banned hacking private companies to steal trade secrets. And though the agreement has been touted as a success, it hasn't stopped Chinese state-sponsored hackers from pushing the envelope of acceptable behavior. Moreover, it certainly hasn't slowed types of hacking that fall outside the purview of the accord. Lately, it seems, that means defense intelligence gathering.

In recent weeks, Chinese hackers have reportedly breached a US Navy contractor that works for the Naval Undersea Warfare Center, stealing 614 GB of data about submarine and undersea weapons technology. Attacks in the last few months originating from China have also targeted US satellite and geospatial imaging firms, and an array of telecoms. The incidents highlight the clandestine but incessant hacking campaigns that continue reliably between the US and China.

"China’s actually backed off quite a bit on intellectual property theft, but when it comes to military trade secrets, military preparedness, military readiness, satellite communications, anything that involves the US’s ability to keep a cyber or military edge, China has been very heavily focused on those targets," says David Kennedy, CEO of the threat tracking firm Binary Defense Systems, who formerly worked at the NSA and with the Marine Corps' signal intelligence unit. "And the US does the same thing, by the way."

'They'll use that as a first step instead of having to send fighter jets or something.' David Kennedy, Binary Defense Systems

The submarine contractor breach, recently reported by the Washington Post, reflects this intense focus on closing any technological advantage the US may have. It involved attacks in January and February that took important data, albeit from an unclassified network. Taken together, though, the information would have amounted to a valuable snapshot of cutting-edge US underwater weapons development, plus details on a number of related digital and mechanical systems.

The attack fits into a known pattern of Chinese hacking initiatives. "China will continue to use cyberespionage and bolster cyberattack capabilities to support [its] national security priorities," US director of national intelligence Daniel Coats wrote in a February threat report. "The [Intelligence Community] and private-sector security experts continue to identify ongoing cyberactivity from China...Most detected Chinese cyberoperations against US private industry are focused on cleared defense contractors or IT and communications firms."

This week, analysts from Symantec also published research on a series of attacks in the same category, running from November 2017 to April, by a hacking group dubbed Thrip. Though Symantec does not go so far as to identify Thrip as Chinese state-sponsored hackers, it reports "with high confidence" that Thrip's attacks trace back to computers inside the country. The group, which Symantec has tracked since 2013, has evolved to hide in plain sight by mostly using prefab malware to infiltrate networks and then manipulating administrative controls and other legitimate system tools to bore deeper without setting off alarms. All of these off-the-shelf hacking tools and techniques have made Thrip harder to identify and track, which is likely the idea, but Symantec started to notice patterns in its anomaly detection scanners that ultimately gave these attacks away, and led the researchers to a unique backdoor that implicated Thrip.
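The "living off the land" pattern described above (prefab malware for entry, then legitimate administrative tools to move deeper) defeats signature matching precisely because the tools are the ones administrators already run, so it is usually caught the way the paragraph describes: by comparing tool use against a baseline and flagging deviations. The following is an added illustration of that idea, not Symantec's detection logic and not anything from its report. The process-creation events, host and user names, and the list of admin tools are all constructed for the example.

```python
"""Baseline-and-deviation detection for living-off-the-land tool use.

Added illustration only: not Symantec's method. All log lines, hosts,
users and tool lists below are constructed for the example.
"""
from collections import Counter

# Legitimate Windows tools attackers commonly reuse after gaining a foothold.
# Assumption: this list is illustrative, not authoritative.
LOL_TOOLS = {"powershell.exe", "wmic.exe", "psexec.exe", "net.exe",
             "schtasks.exe", "bitsadmin.exe", "certutil.exe"}

# Parents from which an admin tool launch is suspicious regardless of baseline
# (office documents and browsers do not normally spawn admin tooling).
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                    "chrome.exe", "firefox.exe"}

# Constructed "learning window" of process-creation events.
# Format: timestamp|host|user|parent image|image|command line
BASELINE_LOG = [
    "2017-11-01T08:00:00|host01|svc_backup|services.exe|powershell.exe|powershell -file backup.ps1",
    "2017-11-01T08:05:00|host01|admin.j|cmd.exe|net.exe|net use Z: \\\\fs\\share",
    "2017-11-02T08:00:00|host01|svc_backup|services.exe|powershell.exe|powershell -file backup.ps1",
    "2017-11-02T09:00:00|host02|admin.j|explorer.exe|wmic.exe|wmic os get version",
    "2017-11-02T10:00:00|host02|alice|explorer.exe|chrome.exe|chrome.exe",
]

# Constructed "detection window": the first and last lines repeat baseline
# behaviour; the middle two are the kind of activity the text describes.
WINDOW_LOG = [
    "2018-01-10T08:00:00|host01|svc_backup|services.exe|powershell.exe|powershell -file backup.ps1",
    "2018-01-10T11:22:00|host02|alice|winword.exe|powershell.exe|powershell -w hidden -c Get-Process",
    "2018-01-10T11:30:00|host02|alice|cmd.exe|net.exe|net group \"Domain Admins\" /domain",
    "2018-01-10T12:00:00|host02|admin.j|explorer.exe|wmic.exe|wmic os get version",
]


def parse_event(line):
    """Parse one 'ts|host|user|parent|image|cmdline' record into a dict."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def build_baseline(events):
    """Count which (host, parent, image) and (user, image) combinations were
    observed during the learning window. Counter returns 0 for unseen keys."""
    baseline = {"parent_image": Counter(), "user_image": Counter()}
    for e in events:
        baseline["parent_image"][(e["host"], e["parent"], e["image"])] += 1
        baseline["user_image"][(e["user"], e["image"])] += 1
    return baseline


def score_event(e, baseline):
    """Return the list of reasons an event deviates from the baseline.
    An empty list means the event looks like established admin behaviour."""
    reasons = []
    if e["image"] not in LOL_TOOLS:
        return reasons  # only admin tooling is scored here
    if e["parent"] in USER_APP_PARENTS:
        reasons.append("admin tool spawned by user application %s" % e["parent"])
    if baseline["parent_image"][(e["host"], e["parent"], e["image"])] == 0:
        reasons.append("parent/image pair never seen on %s during baseline" % e["host"])
    if baseline["user_image"][(e["user"], e["image"])] == 0:
        reasons.append("user %s never ran %s during baseline" % (e["user"], e["image"]))
    return reasons


def detect(baseline_lines, window_lines):
    """Learn from baseline_lines, then return (ts, host, image, reasons)
    for every event in window_lines that deviates."""
    baseline = build_baseline(parse_event(l) for l in baseline_lines)
    alerts = []
    for line in window_lines:
        e = parse_event(line)
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["ts"], e["host"], e["image"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, host, image, reasons in detect(BASELINE_LOG, WINDOW_LOG):
        print(ts, host, image)
        for r in reasons:
            print("   -", r)
```

The benign repeats score nothing because both the parent/image pair on that host and the user/tool pair already exist in the baseline; the Word-spawned PowerShell and the user running `net group` for the first time each produce alerts. In practice the baseline would come from weeks of endpoint telemetry rather than five lines, and the scoring would weight rarity rather than treat "never seen" as binary, but the structure is the same: the signal is the deviation from established administrative behaviour, not the tool itself.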

The researchers found evidence of intrusions at some southeast Asian telecom firms, a US geospatial imagery company, a couple of private satellite companies including one from the US, and a US defense contractor. The breaches were all deliberate and targeted, and in the case of the satellite firms the hackers moved all the way through the networks to the systems that control the orbiting satellites themselves, where they could have altered a satellite's trajectory or disrupted data flow.

"It is scary," says Jon DiMaggio, a senior threat intelligence analyst at Symantec who leads the research into Thrip. "We looked at which systems they were interested in, where they spent the most time, and on the satellites it was command and control. And then they were also on the operational side for both the geospatial imagery and the telecom attacks."