
Government Agencies are in the Fight Against Chinese Human Targeting and Cyber Espionage. Will it be Enough?

Every year, we make a point of returning to a few social psychology, organizational behavior, and human behavioral psychology factors, namely how your organization should integrate the threat of human targeting and social engineering into your overall company culture and cybersecurity strategy.  This post is an update from the frontlines, offering some assurance that the feds are doing some serious blocking and tackling – using formal prosecution and criminal accountability as a deterrent across the public and private sectors.  Recent offensive and defensive tactics from the Justice Department, the Department of the Treasury, the State Department, and a CISA/FBI/NSA joint advisory are summarized here, followed by a black swan, worst-case scenario analysis.  

Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians

Defendants Operated as Part of the APT31 Hacking Group in Support of China’s Ministry of State Security’s Transnational Repression, Economic Espionage and Foreign Intelligence Objectives

An indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses, and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.  The defendants are Ni Gaobin (倪高彬), 38; Weng Ming (翁明), 37; Cheng Feng (程锋), 34; Peng Yaowen (彭耀文), 38; Sun Xiaohui (孙小辉), 38; Xiong Wang (熊旺), 35; and Zhao Guangzong (赵光宗), 38. All are believed to reside in the PRC.

As alleged in the indictment and court filings, the defendants, along with dozens of identified PRC Ministry of State Security (MSS) intelligence officers, contractor hackers, and support personnel, were members of a hacking group operating in the PRC and known within the cybersecurity community as Advanced Persistent Threat 31 (the APT31 Group). The APT31 Group was part of a cyber espionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010, the defendants conducted global campaigns of computer hacking targeting political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates, and campaign personnel in the United States and elsewhere, and American companies. The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years. (Read more…)

Owners of China-Based Company Charged with Conspiracy to Send Trade Secrets Belonging to Leading U.S.-Based Electric Vehicle Company

Defendants Allegedly Conspired to Send Millions of Dollars-Worth of Trade Secrets to Undercover Law Enforcement Officers Posing as Potential Customers

Klaus Pflugbeil, 58, a Canadian national and resident of the People’s Republic of China (PRC), was arrested today in Nassau County, New York, for conspiring with co-defendant Yilong Shao, 47, of Ningbo, China, to send to undercover law enforcement officers trade secrets that belonged to a leading U.S.-based electric vehicle company (Victim Company-1). 

According to court documents, Pflugbeil and Shao are operators of a PRC-based business (Business-1) that sold technology used for the manufacture of batteries, including batteries used in electric vehicles. The defendants built Business-1 using Victim Company-1’s sensitive and proprietary information and marketed their business as a replacement for Victim Company-1’s products. Pflugbeil was arrested this morning after he sent multiple Victim Company-1 trade secrets to an undercover agent and traveled to Nassau County for a meeting with whom he believed to be Long Island-based businesspeople, but who in reality were undercover law enforcement agents. Pflugbeil is scheduled to make his initial appearance today before U.S. Magistrate Judge Peggy Kuo. His co-defendant Shao remains at large.

Victim Company-1 is a U.S.-based leading manufacturer of battery-powered electric vehicles and battery energy systems. In 2019, Victim Company-1 acquired a Canada-based manufacturer of automated, precision dispensing pumps and battery assembly lines (the Canadian Manufacturer). Prior to its purchase by Victim Company-1, the Canadian Manufacturer sold battery assembly lines to customers who manufactured alkaline and lithium-ion batteries for consumer use. The battery assembly lines contained or utilized a proprietary technology now owned by Victim Company-1: continuous motion battery assembly (the Battery Assembly Trade Secret). (Read more…)

Chinese National Residing in California Arrested for Theft of Artificial Intelligence-Related Trade Secrets from Google

Defendant Allegedly Pilfered Technology from Google While Secretly Working for Two PRC-Based Technology Companies

A federal grand jury indicted Linwei Ding, aka Leon Ding, charging him with four counts of theft of trade secrets in connection with an alleged plan to steal from Google LLC (Google) proprietary information related to artificial intelligence (AI) technology. The announcement was made by Attorney General Merrick B. Garland this afternoon while participating in a “Fireside Chat” at the American Bar Association’s 39th National Institute on White Collar Crime in San Francisco.

According to the indictment, returned on March 5 and unsealed earlier today, Ding, 38, a national of the People’s Republic of China and resident of Newark, California, transferred sensitive Google trade secrets and other confidential information from Google’s network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry. Ding was arrested earlier this morning in Newark. 

According to the indictment, Google hired Ding as a software engineer in 2019. Ding’s responsibilities included developing the software deployed in Google’s supercomputing data centers. In connection with his employment, Ding was granted access to Google’s confidential information related to the hardware infrastructure, the software platform, and the AI models and applications they supported. The indictment alleges that on May 21, 2022, Ding began secretly uploading trade secrets that were stored in Google’s network by copying the information into a personal Google Cloud account. According to the indictment, Ding continued periodic uploads until May 2, 2023, by which time Ding allegedly uploaded more than 500 unique files containing confidential information. (Read more…)

Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure

…the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a Wuhan, China-based Ministry of State Security (MSS) front company that has served as cover for multiple malicious cyber operations. OFAC is also designating Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan XRZ, for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors, directly endangering U.S. national security. This action is part of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United Kingdom Foreign, Commonwealth & Development Office (FCDO).

People’s Republic of China (PRC) state-sponsored malicious cyber actors continue to be one of the greatest and most persistent threats to U.S. national security, as highlighted in the most recent Office of the Director of National Intelligence Annual Threat Assessment.

Advanced Persistent Threat 31 (APT 31): A Chinese Malicious Cyber Group

APT 31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD). APT 31 has targeted a wide range of high-ranking U.S. government officials and their advisors integral to U.S. national security including staff at the White House; the Departments of Justice, Commerce, the Treasury, and State; members of Congress, including both Democrat and Republican Senators; the United States Naval Academy; and the United States Naval War College’s China Maritime Studies Institute. 

APT 31 has targeted victims in some of America’s most vital critical infrastructure sectors, including the Defense Industrial Base, information technology, and energy sectors. APT 31 actors have gained unauthorized access to multiple Defense Industrial Base victims, including a defense contractor that manufactured flight simulators for the U.S. military, a Tennessee-based aerospace and defense contractor, and an Alabama-based aerospace and defense research corporation. Additionally, APT 31 actors gained unauthorized access to a Texas-based energy company, as well as a California-based managed service provider. 

Sanctions Implications

As a result of today’s action, all property and interests in property of the designated persons and entity described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. (Read more…)

Summary – PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders

The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security. 

This fact sheet provides an overview for executive leaders on the urgent risk posed by People’s Republic of China (PRC) state-sponsored cyber actors known as “Volt Typhoon.” CISA—along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other U.S. government and international partners—released a major advisory on Feb. 7, 2024, in which the U.S. authoring agencies warned cybersecurity defenders that Volt Typhoon has been pre-positioning itself on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies. This is a critical business risk for every organization in the United States and allied countries.

The advisory provides detailed information related to the group’s activity and describes how the group has successfully compromised U.S. organizations, especially in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors. The authoring organizations urge critical infrastructure owners and operators to review the advisory for defensive actions against this threat and its potential impacts on national security. CISA and partners are releasing this fact sheet to provide leaders of critical infrastructure entities with guidance to help prioritize the protection of critical infrastructure and functions.


Microsoft and OpenAI Issue a Stark Report and a $10M Bounty from the State Department

Competing cyber capabilities (on a spectrum from nation-state to non-state actors alike) and cyber-based conflict will continue to restructure, reformulate, and transform the very essence of what power, prestige, international governance, and geopolitical strategy are in the 21st century – and large language models are the new force multiplier. Microsoft and OpenAI have quantified the breadth and scope of this new threat vector – including the major state-sponsored actors. Meanwhile, the State Department goes with an old-school bounty to counter the ransomware threat. (Read more…)

What Next?

These influence operations are part of a broader attempt to undermine the cohesion of societies and the legitimacy of democratic institutions, thereby weakening China’s adversaries from within.  

China’s human targeting efforts are a critical component of its broader strategy to advance its national interests, undermine its adversaries, and reshape the global order in its favor. These efforts pose significant challenges to global security and stability, necessitating a robust and coordinated response from the international community.

Chinese human targeting efforts, as part of a broader strategy of cyber espionage and influence, represent a sophisticated approach to advancing China’s national interests and undermining those of its adversaries. These efforts are deeply integrated into China’s broader strategies of cyber espionage, influence, and disruption, aiming not only to collect valuable intelligence but also to shape global narratives in favor of Chinese policy objectives.

At the heart of China’s human targeting efforts is a persistent focus on cyber espionage against key technology sectors, government agencies, and critical infrastructure systems in the United States and other countries. The theft of twenty-two million records from the Office of Personnel Management in 2015 is a stark illustration of China’s capabilities and intentions in this domain.  This incident, among others, underscores China’s adeptness at leveraging cyber operations to collect intelligence that could be used against the United States and its allies, thereby undermining their security and economic stability.

China’s operations are characterized by the exploitation of big data and efforts to influence online information. These activities highlight a sophisticated understanding of the digital domain as a battleground for geopolitical competition. Chinese operatives have become adept at targeting and exploiting big data, which can be used for intelligence and counterintelligence purposes as well as driving advancements in machine learning.  This capability enables China to not only gather intelligence but also manipulate information landscapes to its advantage.

China’s human targeting efforts extend beyond cyber espionage to include influence operations aimed at shaping political environments and public discourse. Beijing intensifies efforts to shape the political environment in the United States to promote its policy preferences, mold public discourse, pressure political figures whom Beijing believes oppose its interests, and muffle criticism of China on various issues.

Are we Already Well into a Few Black Swan, Worst-case Scenario Narratives? 


The worst-case scenarios for human targeting, social engineering, and cyber espionage as acts of war against the United States are chilling – reflecting a dark tapestry of potential vulnerabilities and catastrophic outcomes. These scenarios are not merely speculative fiction; they are grounded in a sobering assessment of the capabilities and intentions of adversarial actors, as well as the intrinsic vulnerabilities of our interconnected society.

Human targeting, in its most nefarious form, could see key political, military, and economic leaders manipulated, compromised, or even neutralized. This could be achieved through sophisticated social engineering campaigns designed to exploit personal vulnerabilities or through direct cyber intrusions into their digital lives. The ramifications of such targeting could range from the erosion of strategic decision-making capabilities to the outright manipulation of leadership actions, effectively turning leaders into unwitting agents of foreign powers.

Social engineering, elevated to the level of a strategic weapon, could precipitate widespread distrust within society. By crafting and disseminating disinformation designed to exploit societal fractures, adversaries could amplify divisions, incite civil unrest, or even provoke violent conflicts. The 2016 Russian interference in the U.S. presidential election serves as a stark reminder of the potency of such tactics.  In a worst-case scenario, the fabric of society could be torn asunder, leaving the nation vulnerable to further exploitation and attack.

Cyber espionage, when employed as an act of war, represents a profound threat to national security. The theft of sensitive military, economic, and technological secrets could erode the United States’ strategic advantages, leaving it vulnerable to military and economic coercion. The SolarWinds breach, attributed to Russian actors, underscores the potential scale and impact of such operations, revealing how deeply adversaries can penetrate the heart of American institutions. 

In the most extreme scenarios, these tactics could converge in a coordinated campaign designed to cripple the United States from within. Critical infrastructure could be targeted, leading to widespread chaos and potentially catastrophic loss of life.  The financial system could be destabilized, plunging the economy into turmoil. The military’s command and control systems could be compromised, blinding and binding America’s defense capabilities at a critical juncture.  

The potential for these worst-case scenarios to unfold necessitates a robust and proactive stance on cybersecurity, emphasizing resilience, deterrence, and the cultivation of a sophisticated understanding of the cyber threat landscape. The United States must also foster international cooperation to establish norms and mechanisms that deter such acts of aggression in cyberspace.   Mitigating human targeting, particularly in the context of social engineering and cyber espionage, requires an approach that emphasizes both technological solutions and human-centric strategies.

The essence of countering such threats lies not only in deploying advanced security technologies but also in fostering a culture of security awareness and resilience among individuals and organizations. 

NOTE:  This OODA Loop Original Analysis was partially generated with the cognitive augmentation of and in collaboration with ALTzero Project – MattGPT.

Further OODA Loop Resources

For further OODA Loop News Briefs and Original Analysis on these topics, go to: 

Cyber Defense Insights and Resources for the Corporate Board (Human Risk Management, Social and Human Engineering):  What role should corporate boards play in human risk management, as well as social and human engineering defenses?  Following are OODA Loop resources on these cyber threats, addressing the question of whether “the human factor” is properly addressed at the company culture level  – or is it purely an IT operational concern? 

New Open-Source Report Documents China’s Decades-long Success with Human Targeting Efforts: At least 154 scientists at America’s top nuclear lab over the last two decades were recruited by China to conduct sensitive research, according to a report from Strider Technologies, Inc. 

Russians and Chinese using human targeting – amongst other tools – to achieve security advantage in key emerging technologies by 2030: The National Counterintelligence and Security Center (NCSC) issued a report warning of China’s goal to achieve a technological advantage over the U.S. in certain key emerging technologies. Beijing’s long-term goal is a strategic advantage over the U.S. and its security interests by 2030 in areas such as biotechnology, genomic technology, artificial intelligence, and semiconductors. Russia is making strides in this direction as well, according to reporting by The Record, although “resource constraints have forced Moscow to focus more on indigenous efforts.” The NCSC (a branch of the Office of the Director of National Intelligence) report highlights China as the “primary strategic competitor to the United States because it has a well-resourced and comprehensive strategy to acquire and use technology to advance its national goals.”

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Computer Chip Supply Chain Vulnerabilities: Chip shortages have already disrupted various industries. The geopolitical aspect of the chip supply chain necessitates comprehensive strategic planning and risk mitigation. See: Chip Stratigame

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Daniel Pereira

About the Author


Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.