Exclusive: Inside the FBI’s Fight Against Chinese Cyber-Espionage

SolarWorld was fighting a losing battle. The U.S. subsidiary of the German solar panel manufacturer knew that its Chinese competitors, backed by generous government subsidies, were flooding the American market with steeply discounted solar panels and equipment, making it practically impossible for U.S. firms to compete. What SolarWorld didn’t know, however, was that at the same time it was pleading its case with U.S. trade officials, Chinese military hackers were breaking into the company’s computers and stealing private information that would give Chinese solar firms an even bigger unfair advantage, including the company’s pricing and marketing strategies.

SolarWorld learned about the hacking not from some sophisticated security software or an outside consultant, but from FBI agents. In early July 2012, they called the company and alerted executives to a "persistent threat, some kind of attack," said Ben Santarris, SolarWorld’s spokesman, in an interview. Persistent threat is shorthand for hackers who burrow deeply into a computer system to steal information and spy on an organization from within. The FBI didn’t offer any specifics about the nature of the intrusion, Santarris said, but according to a federal indictment made public last week, the bureau determined that SolarWorld had been infiltrated by hackers working for China’s People’s Liberation Army, who were stealing private documents that would be valuable to Chinese state-backed solar companies — the same ones undercutting SolarWorld’s business. Armed with the warning from the feds, SolarWorld tightened up its computer security, and in September 2012, the intrusions appear to have stopped.

That federal investigators already knew SolarWorld had been hacked reveals the extensiveness of the Obama administration’s campaign, mounted almost entirely in secret, to turn the tables on Chinese spies, who U.S. officials say are responsible for nearly $300 billion a year in stolen intellectual property and lost business to American companies, and who have cost Americans jobs.

Interviews with eight current and former U.S. officials who are familiar with the now years-long counterintelligence campaign against China show that the administration has quietly waged a battle on many fronts. In the shadows, U.S. hackers at the National Security Agency (NSA) have broken into Chinese computers in order to find out what information has been stolen from American companies and who in the Chinese government is backing the operations. But closer to home, a team of FBI agents and a little-noticed group of prosecutors at the Justice Department have spent the past two years preparing to launch a more public offensive. This one, which aims to bring criminal charges against foreign government officials — an unprecedented step — relies on sophisticated cybersleuthing and the cooperation of American companies, which are willing to work with federal investigators and explain what damage they suffered as the victims of economic espionage.

The goal of the legal campaign, officials say, isn’t to put foreign government hackers in jail. There is practically no chance that the five Chinese military officials indicted last week for hacking into the computers of five U.S. companies, including SolarWorld, as well as a large labor union, will ever see the inside of a U.S. courtroom. But officials hope that by laying out the evidence of Chinese spying for the world to see, the Chinese government will curtail its rampant targeting of American companies, which U.S. officials say is distinct from the kind of spying that nations conduct on each other every day.

To fight Chinese hackers, the U.S. government is sharing information about cyberspying with the specific companies affected by it and is working with those companies to bring criminal charges, John Carlin, the head of the Justice Department’s National Security Division, said in public remarks last week. That in and of itself is a remarkable turn of events, since the FBI has long been focused more on collecting classified intelligence about foreign hackers and not as much on gathering evidence to use in a public trial. The government does share some of that intelligence haul, including with financial institutions and public utilities, but the information is meant to help the companies defend themselves against intruders, not to build criminal cases.

Without discussing specific details of the pending cases, Carlin said that federal prosecutors "and our partners at the FBI and other agencies are definitely reaching out to companies, both to warn individuals about the threat and encourage them to take steps to prevent it from happening, but also to work with them when it does occur."

The FBI knew about Chinese hacking against SolarWorld, as well as other companies named in the indictment, in part because of its success in monitoring computer equipment based in the United States that Chinese hackers use.

"A large amount of China’s hacking against U.S. companies is done through U.S.-based servers acting as the ‘hub.’ Meaning, China breaks into a computer in the United States and from there moves out along spokes and breaks into hundreds or even thousands of other victims," said Steve Chabinsky, the former deputy director of the FBI’s Cyber Division. "The FBI oftentimes establishes visibility on these ‘hubs’ — typically by getting consent from the victim company whose computer is being misused."

Once the FBI can see the hub-and-spoke system Chinese hackers have set up, it can trace victims by their Internet protocol address, a unique identifier that can help physically locate a computer user. The FBI can also see what documents the hackers are stealing. It’s possible that the FBI found evidence of the hacking at SolarWorld by monitoring a hub, whose owner is still unidentified. Santarris said that the FBI never asked for access to the company’s computers or its networks, nor did the company ever offer it, so agents must have obtained their evidence from other sources.

The bureau could have found the information around July 2012, which is when it first alerted SolarWorld it had been hacked. But the indictment traces the Chinese hacking activity against other targets to as early as 2006, indicating that the bureau has been gathering information for many years.

Spokespersons for the other companies named as victims in the indictment declined to comment. A spokesman for the United Steelworkers union said, "We’re supportive of and have been cooperative with the administration" on prosecuting Chinese spies, but declined to elaborate on how.

As a practical matter, the FBI may not need a company’s help or its permission to gather evidence of hacking. But to bring charges, it helps to have company employees explain why the information that was stolen was valuable and what damage they suffered because of the loss, said Chabinsky, now a senior vice president with the cybersecurity firm CrowdStrike. In his remarks last week, Carlin echoed that notion. "It’s critical" for companies to cooperate with the government, Carlin said, "so that you understand what was taken and why it was of importance, what it meant for it to be taken."

In the case of SolarWorld, prosecutors allege that the information the Chinese hackers stole could be used to "target SolarWorld’s business operations aggressively from a variety of angles," including by copying the company’s product designs and then selling cheap knockoffs on the open market. Chinese companies were already dumping their own cheaper solar products on the U.S. market in 2011 when SolarWorld filed a complaint about unfair practices with U.S. trade officials. (Imports of Chinese solar panels and cells skyrocketed from less than $100 million in 2006 to nearly $1.2 billion

in 2010, and U.S. manufacturers’ prices plummeted between 30 and 40 percent that year.)

The spies allegedly stole communications between SolarWorld and the attorneys representing the company in its trade dispute, including question-and-answer documents submitted to the Commerce Department that the Chinese competitors weren’t legally allowed to see. SolarWorld ultimately prevailed in its complaint, and the United States imposed heavy duties on imported Chinese solar products — around the same time that the hacking began.

Santarris said that several months after the FBI first informed the company it had been hacked — he couldn’t recall precisely when — officials came calling again and asked whether SolarWorld was willing to help with a criminal investigation. The company didn’t hesitate.

"We said, ‘Yeah, we’ll cooperate,’" Santarris said. "We want competition. But we don’t want to have to compete with the Chinese government." FBI agents interviewed company officials as well as employees in SolarWorld’s IT department. The company only learned of the final outcome of the investigation when the indictments were announced last week, Santarris said.

The U.S. indictments against the Chinese hackers caught many in Washington by surprise and were newsworthy because the United States has never brought a criminal hacking case against government officials. But Barack Obama’s administration has been on a steady course to do just that for nearly three years.

In October 2011, the Office of the National Counterintelligence Executive, the government’s top spy hunter, released a 31-page report on foreign spies targeting U.S. companies. It marked the first time that the U.S. government had publicly and unequivocally named China as a source of some of the most aggressive cyberspying. Until then, U.S. officials had largely confined their complaints to off-the-record remarks to journalists, calibrated not to disrupt diplomatic relations with one of the country’s most important trading partners. Those days were over with the publication of the report.

Meanwhile, the Justice Department was mounting its own offensive. On Nov. 7, 2012, federal prosecutors from around the country gathered at department headquarters in Washington for the inaugural meeting of a new unit trained to deal with national security-related cyber cases. Known as the National Security Cyber Specialist network, or NSCS (pronounced "niscus"), it was modeled on the FBI’s joint terrorism task forces, set up in all the bureau’s field offices after the 9/11 terrorist attacks to get agents working on terrorism cases more aggressively and in partnership with their colleagues from other parts of the government, especially the intelligence agencies.

The newly tapped prosecutors spent three days in Washington discussing computer forensics and other unique facets of cyber investigations. The NSCS planned to include 100 prosecutors who work with the FBI and the NSA and who represent the government before the Foreign Intelligence Surveillance Court, which authorizes surveillance and intelligence-gathering.

To underscore the importance of the new unit to the administration’s counter-espionage strategy, Attorney General Eric Holder and then-FBI Director Robert Mueller spoke to the group during its visit to Washington, emphasizing that it would take all components of the department working together with the FBI and intelligence agencies to combat cyberspies.

Justice Department officials began asking FBI investigators to look for cases that could be brought to court and to start collecting evidence of economic espionage. The prosecutors were getting close to bringing an indictment. "I’ll give you a prediction," Carlin, the current head of the National Security Division, said in a December 2012 interview with Defense News. "Now that we are having people look at bringing one of these cases, it’s there to be brought, and you’ll see a case brought."

Meanwhile, the administration stepped up its political pressure on China. In March 2013, five months after the new prosecution unit met in Washington, Obama’s national security advisor, Tom Donilon, gave a major speech at the Asia Society in New York calling Chinese cyber-espionage "a growing challenge to our economic relationship with China" and a "key point of concern and discussion with China at all levels of our governments." Donilon called on Beijing to "take serious steps to investigate and put a stop to these activities." His were the first public remarks by a White House official directed specifically at Chinese cyber-espionage.

The stage seemed to be set for an imminent prosecution. But whatever plans were in place came to a screeching halt on June 5, 2013, the day the Guardian published the first story about surveillance by the NSA, based on documents provided by leaker Edward Snowden. Over the coming weeks and months, Snowden’s disclosures exposed a vast network of NSA spying programs, including operations to hack into Chinese and other foreign companies and steal sensitive and proprietary information — precisely the same kinds of activities for which U.S. officials were blasting the Chinese and building criminal cases against state officials.

According to former U.S. officials familiar with the long campaign against Chinese cyberspies, the Snowden revelations knocked the administration back on its heels and squashed any hopes of bringing charges against China in the near future. The United States would have been accused of hypocrisy and trying to deflect the controversy over its own spying.

"Talk about anything cyber-related was dead," said one former official, noting that the administration also stopped any significant efforts to push new cybersecurity legislation through Congress, which had been on the White House’s agenda. "Cyber" had become a politically radioactive word, drawing unwanted attention to all the work U.S. spies were doing in the shadows, including spying on the personal communications of American allies and hacking into the private overseas data centers of some of the biggest American technology companies.

But nearly a year after Snowden’s disclosures, the Justice Department’s prosecution campaign appears to be back on track. In a speech last week at the Brookings Institution in Washington, Carlin credited the new unit of specially trained prosecutors with bringing the cases against the five Chinese officials, including the hacker who stole from SolarWorld. The unit brought together U.S. attorneys from western Pennsylvania, where the majority of the victims are located, with those in Wisconsin, New York, and Georgia to help build the case, Carlin said. And those lawyers worked with FBI agents in California, Oregon, Oklahoma, and Washington, D.C., he said. "Our team thought creatively. They worked collaboratively. They explored all available options for stopping this activity."

The Justice Department has eyes on more prosecutions. Carlin promised last week that more espionage cases are coming, and officials have said the next targets could be Russian hackers. In his 2012 interview, Carlin said that the United States might also prosecute employees of a corporation. "Whether it is a state-owned enterprise or a state-supported enterprise in China, if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the U.S. or in Europe

," Carlin said. "It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’"

The administration’s legal campaign has drawn howls from Chinese officials, who accuse the United States of hypocrisy because U.S. intelligence agencies also target foreign companies. Carlin has tried to make the case that U.S. spying on foreign companies is qualitatively different than what the Chinese are doing, because the United States doesn’t share the fruits of its espionage directly with companies, the way China does. Chinese officials have long denied that they do that and have challenged the United States to prove its allegations. Last week’s indictments answer that call and help explain what the Obama administration hopes to gain by so publicly naming and shaming Chinese officials.

"The Chinese said, bring us hard evidence, evidence that could stand up in a court, of this criminal activity," Carlin said at Brookings. "And so, one hopes, and continues to hope, that now that we have, that they’ll take action to stop this criminal activity.… I’m not aware of any country that condones this behavior, so now that it’s laid out, maybe it’ll stop."

Jamila Trindle contributed reporting.