CrowdStrike founder: China hacking indictments are working

During his RSA Conference keynote, CrowdStrike co-founder Dmitri Alperovitch explains why the U.S. Department of Justice's indictments against Chinese hackers have been effective.

SAN FRANCISCO -- Despite the challenges of bringing foreign adversaries to justice, CrowdStrike co-founder and former CTO Dmitri Alperovitch said the U.S. Department of Justice's indictment strategy against Chinese state-sponsored hackers has been a success.

At his RSA Conference keynote Wednesday, titled "Hacking Exposed: Global Threat Brief," Alperovitch covered global threats, offered predictions, and reviewed trends seen in the cybersecurity space over the past year. He referenced nation-state threats from China and offered what he called a "controversial" view of the DOJ's strategy: The China hacking indictments are working.

"From everything I've seen and talked to lots of folks in the industry, the Chinese really seem to be impacted by the U.S. Justice Department actions, the indictments that we have seen, in a way that I have not seen from any other actor. Not from the Iranians, not from the Russians, not from the North Koreans, who have been indicted for the various cyber operations over the years," he said during his keynote.

In calling special attention to the China hacking indictments, he mentioned that People's Liberation Army (PLA) Unit 61398 "basically vanished" following its indictment in May 2014, though he noted it's possible officers were moved to other units or experienced "some sort of punishment."

However, he noted two groups of contractors with China's Ministry of State Security (MSS), Boyusec (also known as APT3) and Huaying Haitai (APT10), that have likewise disappeared since being indicted.

"When it comes to those specific units, they seem to have been impacted or at a minimum retooled and reemerged as new groups, which in a way is still a success because you're making life a lot harder for them," Alperovitch said.

He said that one of the most interesting cases about China is what happened to the PLA's hacking presence. "I mentioned the Obama-Xi agreement that was struck in 2015 and the lull in activity from China from all threat actors in China for a period of time afterwards, and when they reemerged, virtually everything we were seeing in the industry was MSS-affiliated groups. Not the PLA."

Lastly, Alperovitch mentioned the Equifax breach in 2017. "That is why the indictment for the Equifax breach was so interesting, where for the first time really since 2015, the Justice Department has pointed a finger at the PLA ... for being responsible for the Equifax breach," he said.

Alperovitch noted that in the Equifax breach indictments, the PLA officers were part of a new unit called the 54th Research Institute. "We'll see what else [the PLA] may be doing," he said. "It may be that their mission has been restructured toward more military-on-military confrontations, and MSS has been the primary beneficiary of collecting intellectual property and conducting industrial espionage."

In another RSA Conference session, Equifax CISO Jamil Farshchi said the recent indictments were a "milestone." "I'm proud to say that the FBI, through a concerted effort over the last two years, were able to identify the perpetrators of our breach. To me, it's a milestone," he said. "The way I look at it is, it's progress. We weren't able to apprehend them because we don't have extradition [agreements] with China, but we did take a critical first step, at least in terms of identifying who they are."

Last week, Alperovitch left CrowdStrike in order to launch a new nonprofit accelerator focused on creating geopolitical cybersecurity policy.
