DOE cold case shows limits of U.S.-China cyber cooperation

By Blake Sobczak | 10/06/2015 07:45 AM EDT

In January 2013, hackers stole over 200 gigabytes of Department of Energy data — enough to fill an average laptop at the time. In the days following the breach, agency officials made the investigation their top priority, and the FBI and the Department of Homeland Security became involved. But the case hit a snag when DOE’s Office of Inspector General suggested chasing the hackers back to their suspected home base: China.

In January 2013, Department of Energy computer files began trickling through suspicious Brazilian and Ukrainian networks.

By the time the agency caught on to the intrusion, hackers had stolen over 200 gigabytes of data — enough to fill an average laptop at the time.

The attackers made off with information from hundreds of employees’ security clearance forms, as well as documents from the National Nuclear Security Administration, which oversees the U.S. nuclear weapons arsenal.

In the days following the breach, agency officials made the investigation their top priority. They cut off Internet traffic at affected offices, called in a Microsoft cyber response team and forced workers to change their passwords. The FBI and the Department of Homeland Security became involved. The White House convened a meeting with then-DHS Secretary Janet Napolitano and other unnamed participants, according to documents obtained under the Freedom of Information Act.

But the case hit a snag when the Department of Energy’s Office of Inspector General suggested chasing the hackers back to their suspected home base: China. The response to the hack, which a DOE privacy manager later called "confusing, frustrating and disorganized," highlights sharp limits to Sino-American cyber cooperation. Experts say a new cybersecurity deal between Chinese President Xi Jinping and President Obama won’t lay to rest old suspicions or spying habits.

‘Out of their depth’

The cybersecurity framework Obama and Xi agreed to last month was aimed at stopping state-backed cyber espionage for economic gain.

The two leaders didn’t mention recent data breaches in the U.S. government, such as a cyberattack on the Office of Personnel Management that exfiltrated sensitive background files on more than 21 million federal workers (E&E Daily, July 10).

Senior Obama administration officials have not publicly accused the Chinese government of being behind the OPM hack, despite hinting at Beijing’s role.

U.S. officials also hesitated to blame China following the January 2013 cyberattack on DOE networks, documents show.

When the agency’s Office of Inspector General suggested sending a formal request to China for help in finding the hackers, the Justice Department declined the case "due to the political nature of the location of actors," the OIG wrote in a closing memorandum.

"This looks like an OIG who was out of their depth," James Andrew Lewis, a senior fellow and program director at the Center for Strategic and International Studies, said in an email, adding that "it becomes a counter-espionage issue, where IGs don’t usually play and aren’t informed."

The fact that the White House asked Napolitano to get involved "suggests they took [the case] seriously," Lewis said, "but just didn’t bother asking the Chinese to cooperate in investigating their own [People’s Liberation Army] spies."

Representatives from the Justice and Energy departments did not respond to requests for comment on the case, and a spokeswoman for the FBI’s Cleveland division could not confirm or deny the office’s involvement.

It’s clear from OIG’s summary that U.S. officials weren’t sure what to make of a bombshell report delivered by private cybersecurity firm Mandiant on Feb. 19, just a few weeks after the investigation began. Researchers from Mandiant were able to trace a series of cyberattacks on U.S. government and private-sector targets back to Unit 61398 in China’s People’s Liberation Army (EnergyWire, Dec. 22, 2014).

"It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively," Dan McWhorter, the company’s managing director of threat intelligence, said at the time. (Mandiant has since been acquired by cybersecurity firm FireEye.)

Mandiant’s APT1 report drew a scathing response from Chinese officials, who denied any wrongdoing and maintain the government’s innocence to this day.

Meanwhile, the unprecedented findings also gave pause to the U.S. government investigators pursuing the DOE case.

"A meeting is necessarcy [sic] to determine the path of this case due to the public release of Mandiant’s report attributing intrusions to China," the OIG noted.

IP versus NatSec

The Justice Department would go on to accuse five Chinese Army officers of spying on U.S. companies, unsealing indictments against the individuals last year and scrawling their names and likenesses on "Wanted" posters.

The U.S. government suspected those military hackers stole trade secrets that were later fed to Chinese companies, in addition to conducting cyber espionage for noneconomic, national security purposes.

The latest deal’s limitations stem from its focus on the former activity, according to Robert Cattanach, co-chairman of the cybersecurity practice group at law firm Dorsey & Whitney LLP.

In the framework, Obama and Xi agreed to end "cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

The heads of state also pledged to provide "timely responses" to requests for information and assistance surrounding hacking investigations.

Cattanach said the framework’s omissions are telling. "The U.S. clearly signaled that it was still fine for China to do whatever it wished in the area of national security cyberespionage — and the subtext there is, because we’re doing it, too," he said.

Problems come up right away, however, due to the fact that "it’s not at all clear where the dividing line is between ‘acceptable’ cyber hacking and ‘unacceptable’ cyber hacking," he said.

"I would not suggest to anybody that, ‘Oh, we can let our guard down now’" that a deal has been announced, he said. "The notion that you have some very skilled hackers right now sort of attached to Chinese government, who are just going to shut down their operations, is very naïve."