UNCLASSIFIED
Targeting U.S. Technologies

East Asia and the Pacific

Case Study

OVERVIEW

Even as total suspicious contact reports (SCRs) from industry multiplied by a factor of almost two and a half from fiscal year 2009 (FY09) to FY10, the East Asian and Pacific region accounted for an even larger percentage of the total in the more recent year, increasing from 36 percent to 43 percent. East Asia and the Pacific provided as many of the reported suspicious contacts as the next three regions combined.

Statistically, the most likely East Asian and Pacific collection attempt consisted of a commercial entity using a direct request for information (RFI) to acquire sensitive information about U.S. information systems (IS) technology. But the picture was dynamic: unknown collectors reduced the previous year’s gap behind commercial entities as the leading collector agents, suspicious network activity (SNA) similarly closed the gap with RFIs as the leading method of operation (MO), while IS re-opened a larger gap with lasers, optics, and sensors (LO&S) as the top targeted technology. The large scope of collection efforts traceable to East Asia and the Pacific meant that considerable efforts were simultaneously directed at many other technologies and that the collection thrust was conducted at a high tempo by many other methods and entities, as well.

COLLECTOR AFFILIATIONS

Collectors linked to East Asia and the Pacific were most commonly affiliated with commercial entities. Collection attempts by commercial entities in the region have consistently increased since 2008. In FY10 such cases accounted for a higher proportion, 35 percent, than government and government-affiliated collectors combined, at 12 and 17 percent respectively. However, the percentage of East Asian and Pacific SCRs ascribed to the commercial category actually declined from the 51 percent of FY09; the unknown category registered the corresponding increase, from 17 to 28 percent. Therefore, even as the overall number of SCRs increased, the most notable change in affiliation suggested that collectors were becoming increasingly adept at camouflaging their identities.

The jump in the number of attempts with unknown affiliations comes in part from the region's high level of suspicious network activity (SNA) in the form of cyber intrusion attempts directed at cleared contractor networks. Specific attribution for such attempts is often difficult to ascertain; for example, while many such requests might appear to originate from a university, a nonacademic entity may be cloaking its collection attempt behind an academic email address. Nonetheless, the Defense Security Service (DSS) successfully resolved a large number of unknown cases to Internet protocol (IP) addresses in East Asia and the Pacific.

An academic nexus showed up in other categories as well. East Asian and Pacific academic institutions such as universities made up a large part of the government-affiliated category, while foreign students applying to cleared contractors associated with U.S. universities made up a large part of the individual category.

When viewed individually, many of the SCRs resolving to commercial entities seemed innocuous. However, DSS observed several separate commercial entities requesting similar or identical technologies in a relatively short time frame. The grouping of the requests suggested that the entities focused their collection activity in a manner that resembled the procurement systems that many foreign countries use to acquire military technology.

Procurement systems vary considerably within East Asia and the Pacific. In some countries, commercial entities may be overtly approved, overseen, and even officially certified by government procurement agencies. Such countries are likely to use acquisition mechanisms that are very similar to the relatively open tender-based tasking of procurement agents characteristic of the United States and other Western countries. Commercial entities working on behalf of such East Asian and Pacific countries often readily admitted that government agencies would be the end users of any technology supplied.

Elsewhere within East Asia and the Pacific, governmental practices are generally more opaque, both as to the relationship between agencies and entities and as to processes. In fact, some of these countries went to great lengths to conceal any connection between commercial and government entities, and became increasingly sophisticated in their camouflage methods. Commercial companies often employed complicated business structures and separate company names—techniques characteristic of front companies. DSS analysis identified a number of such U.S.- or third country-based entities that linked back to government collectors in East Asia and the Pacific, either overtly or through other business connections. These entities used various means of transshipment and specified alternate end uses for the requested technologies.

Analyst Comment: Some East Asian and Pacific collectors showed relative sophistication in their knowledge of best practices for making seemingly innocent requests for cleared contractor systems and of the relevant shipping logistics and export regulations. DSS assesses that it is highly likely that collectors from East Asia and the Pacific, pursuant to substantial interest in the acquisition of particular systems or technologies, conducted campaigns to acquire those technologies resident in U.S. cleared industry, and, upon their acquisition, to evade export controls. (Confidence Level: High)

The military applications for autonomous underwater vehicles (AUVs) are relatively new, but many navies intend to incorporate this technology into their inventories, and it is an area increasingly targeted world-wide for collection attempts. Because AUVs constitute a new direction for many countries, requests targeting AUVs and related technologies often require commercial entities to request technologies well outside the scope of their established, stated business interests. AUVs are a dual-use technology, with many legitimate civilian applications. In most commercial requests, the requestor did not identify the end user or intended use.

Figure 6

METHODS OF OPERATION

In FY09, direct requests represented nearly three-quarters of the cases; in FY10 the corresponding RFIs declined to less than half. Reports of SNA more than doubled.

Analyst Comment: It is likely that there is a correspondence between the decline in the percentage of RFIs and the increase in the SNA percentage. These results likely demonstrate collectors' shift toward less direct methods, conducting their probes while remaining further removed from the cleared contractors. (Confidence Level: Moderate)

However, even as RFIs' percentage of all collection attempts declined in FY10, their number of SCRs increased considerably; and, in contrast to the overall region, in some East Asian and Pacific countries the proportional use of RFIs increased as well.

Both commercial and academic entities used RFIs, including direct purchase requests, in their attempts to gain access to classified or sensitive U.S. technologies. The majority of the attempts were made via relatively blunt emails that stated the technology of interest and the desired quantity. Other requests asked broad, seemingly innocuous questions, but such queries are capable of eliciting replies that would confirm or deny collecting countries' suspicions concerning research on and the capability, strength, and status of sensitive technologies.

Analyst Comment: The use of RFIs makes it very likely that the collector can obtain required information without using the time-consuming and expensive resources employed by a traditional intelligence officer. Thus RFIs offer an approach characterized by low cost yet a potential for high reward. DSS assesses that East Asian and Pacific collectors will almost certainly continue a substantial use of this MO. (Confidence Level: High)

In some incidents, however, the suspicious entity demonstrated a more nuanced approach, such as changing from commercial-grade to military-grade specifications and systems in the course of negotiations with the cleared contractor.

Analyst Comment: Attempting to upgrade specifications or system demands midway through the purchasing process likely constituted an attempt to circumvent the export control process via misdirection or to use the cleared contractor's desire to complete a sale already in process to gain access to otherwise restricted technologies. (Confidence Level: Moderate)

In a noticeable shift in reporting, there was a huge increase—by a factor of eight—from last year to this in attempts to gain access to U.S. technology or information using SNA. The majority of the incidents were unsuccessful brute-force attempts to access cleared contractor networks. Such computer-based intrusion attempts tended to be non-specific in nature, often attempting to extract large amounts of data from cleared contractor networks without targeting any specific technology.

In contrast, DSS analysis categorized roughly 30 percent of these SNA cases as either root- or user-level intrusions. In these instances, foreign entities may have gained access to unclassified cleared contractor networks, potentially compromising sensitive but unclassified information resident on those networks. The most prevalent vector for root- and user-level intrusions was spear phishing emails. This method provides malicious attachments or links to outside websites in an attempt to obtain employees' personal information or credentials or otherwise gain access to the networks.

While many of the attempts were unsophisticated, FY10 saw a number of relatively advanced spear phishing attempts. In order to convince employees to download malicious applications, probers crafted emails that appeared as if they had been sent from within the company, using contact information and uniform resource locators (URLs) designed to match or resemble those affiliated with the cleared facility.

Analyst Comment: Beyond lending an assumed credibility to the email, the use of cleared contractor naming conventions in the URLs also likely facilitated the storage and organization of collected information, implying collaboration between multiple requesting entities. (Confidence Level: Moderate)

Some East Asian and Pacific entities structure their collection campaigns and craft their attempts to take advantage of the fact that computers, and especially computer networks, know no geographical boundaries. DSS correlated network intrusion incidents to known foreign computer network operations intrusion sets. However, the technical indicators of intrusions may be constantly changing. Penetrators used email spoofing, obfuscation techniques, and more advanced tradecraft to assume a false identification, hide their activity on a compromised network, and disguise the destination of the exfiltrated data.

Analyst Comment: Attributing SNA to a particular country is usually harder than for any other MO. While instigators may use a particular country's infrastructure, technical barriers sometimes prevent positive identification of the originating country. Although DSS was often able to attribute SNA attempts to particular countries within East Asia and the Pacific, a significant number of SNA attempts remain in the unknown category. However, even in such cases, DSS efforts may still yield attack indicators and information on MOs that help the United States improve its defenses. (Confidence Level: Moderate)

East Asian and Pacific collectors took steps to get closer to U.S. cleared contractors and their facilities, whether engaged in research, design, laboratory work, or manufacturing.

Collectors for countries already engaged in ongoing patterns of interaction and cooperation with the United States, including existing technology agreements, used two MOs, solicitation and marketing services and the targeting of U.S. travelers overseas, to capitalize on this advantage. In one case, cleared contractor employees traveled to East Asia and the Pacific to deliver electronic components pursuant to a contract. When the end user reported the components were inoperable, the U.S. company representatives discovered physical evidence that the components had been opened, in contravention of existing technology agreements. This intrusion and others like it may indicate attempted reverse-engineering.

Analyst Comment: Each of these MOs accounted for fewer than 10 percent of the East Asian and Pacific SCRs. DSS assesses that it is likely that these MOs were not more commonly used because of the increased success of RFIs via email and the heightened sensitivity to East Asian and Pacific contacts that made such targeting less successful. (Confidence Level: Moderate)

While technology agreements can be mutually beneficial, DSS assesses that the enhanced exposure combined with aggressive collection attempts means that the threat of exploitation remains high, and some foreign successes will be very likely. (Confidence Level: High)

Approximately eight percent of reported collection attempts from East Asia and the Pacific sought information via the longer-term MO of academic solicitation. This is eight times the number of such approaches in FY09. Students and academic professionals from research institutes and universities sought to engender ties between themselves and cleared contractors. Highly qualified graduate students, including many already in possession of doctoral degrees, were particularly active. Cleared contractors reported a notable number of requests sent to cleared laboratories whose work was incompatible with the requesting individual's field of research.

A shorter-term method took the form of solicitation and marketing services, in which a commercial entity typically offered to build a relationship with a cleared contractor, either by providing products to the contractor or by marketing the contractor's products in the entity's country of origin.

Analyst Comment: It is likely that many East Asian and Pacific businesses successful in building such relationships use them as a conduit to exploit cleared contractors and acquire sensitive technologies. (Confidence Level: Moderate)

Figure 7

TARGETED TECHNOLOGIES

As defined on the Militarily Critical Technologies List (MCTL), the technologies most targeted by East Asian and Pacific collectors remained generally consistent from last year. The most notable change was a seeming relative ebbing of last year's intense interest in LO&S, with proportional increases noted instead in IS—still the single leading category—and marine systems technology.

This was an overall result, however; some collectors within the region maintained last year's high level of interest in LO&S. Aeronautics systems technologies remained in third place overall; East Asian and Pacific entities with a significant interest in unmanned aerial systems (UAS) and their related components also tended to be interested in the positioning, navigation, and time-related technologies that support such systems.

FY10 reporting indicated that East Asian and Pacific collectors targeted IS more than any other technology section. Where analysis was able to specify, the most coveted technology was command, control, computers, communications, intelligence, surveillance, and reconnaissance (C4ISR) platforms. However, the majority of SCRs concerning IS were non-specific in nature, as they were primarily the result of cyber reporting. Although it was difficult for DSS to determine the specific targeted technology or system in these cases, DSS attributed a number of them to IS, based on the work conducted by the cleared facility in question.

Analyst Comment: The lack of a specific and known targeted technology in many East Asian and Pacific cases involving IS hindered further analysis regarding the goals of such collection attempts. DSS assesses there is at least an even chance that the overall increase in targeting and the technologies sought after demonstrate an interest in upgrading C4ISR capabilities. (Confidence Level: Low)

Despite the overall proportional decrease, in FY10 LO&S remained a major factor in regional collection efforts, as measured by industry reports. Notably, both commercial and academic entities requested a range of subsystems which have substantial applications in military laser technology and AUV sensor systems.

One of the most substantial areas of growth in the data during FY10 was marine systems, with reported collection attempts more than tripling overall and more than doubling within East Asia and the Pacific. This category's sharp increase was driven by reported requests for AUVs. While the growth in this category reflected the numerous commercial and academic entities requesting AUV systems, it failed to fully reflect the frequent requests for AUV enabling technologies in other sections of the MCTL.

AUVs have yet to achieve their full military potential. Militaries around the world are deploying AUV systems for a variety of intelligence collection and warfare applications. In FY10, East Asian and Pacific-affiliated collectors targeted underwater gliders specifically.

Analyst Comment: East Asian and Pacific militaries are interested in both increasing their ability to control and defend littoral areas and extending their reach beyond those waters. It is very likely that they seek to acquire AUVs for integration into indigenous systems. (Confidence Level: High)

Table 1

ANALYTICAL FORECAST

Within East Asia and the Pacific, countries span a wide range in the closeness of their current relationships with the United States: some friendly, some relatively hostile. But the region also represents a wide range of strategic agendas vis-à-vis the United States for the future: some countries are and will likely seek to remain allies, whereas others increasingly are rivals. Therefore, countries will likely continue to vary in their degree of concern over the potential impact on relations with the United States of their attempts to obtain illegal or unauthorized access to classified information or technologies resident in the U.S. cleared industrial base. (Confidence Level: Moderate)

But, the United States aside, several East Asian and Pacific countries are also involved in very active rivalries with other countries within the region. Therefore, it is very likely that none of them will cease their collection attempts, and East Asia and the Pacific will almost certainly remain the most prolific area for reported collections in FY11. (Confidence Level: High)

In pursuit of such efforts, the East Asian and Pacific region is likely to employ collectors of all affiliations. Commercial, academic and government-affiliated actors are likely to continue using overt, seemingly innocuous MOs to mask their true identity and affiliation. But as cleared contractors increasingly recognize that such contacts, regardless of benign initial appearance, are likely designed to exploit cleared industry's technological base, SCRs on suspicious commercial and academic contacts, in particular, are likely to continue to increase. (Confidence Level: Moderate)

The continued high number of RFIs reported and the reliance on other relatively overt methods, such as targeting of U.S. travelers overseas, even by relatively sophisticated collectors, illustrate that such methods probably have been an effective way of illicitly acquiring and exploiting U.S. technology, and will likely be used by East Asian and Pacific collectors as long as they are effective. However, as industry continues to become more aware of the threat that such contacts pose, the use of other MOs will likely continue to increase. (Confidence Level: Moderate)

Along this line, the increased reporting of SNA represents a significant change in DSS data. Intelligence Community reporting documents long-standing reliance by East Asian and Pacific collectors on computer-based MOs. However, DSS assesses that, while the increase in SCRs likely signifies more intrusion attempts, it also likely reflects an increased awareness and reporting among cleared contractors about the use of the cyber domain. Such SCRs will probably continue increasing as members of the cleared industrial base learn to recognize these attempts. (Confidence Level: Moderate)

For some U.S. technologies, alternative sources of similar or equal quality exist in third countries, some of which have more manageable export barriers, and these countries are also subject to collection attempts. But the United States remains a primary target. East Asian and Pacific collectors likely persist in targeting U.S. suppliers because they not only seek to acquire U.S. technology for integration into indigenous systems, but also to understand the capabilities possessed by the U.S. military. It is likely that further military development and exploitation of these technologies will compromise U.S. operational capabilities in East Asia and the Pacific in the future. (Confidence Level: Moderate)

If East Asian and Pacific entities acquire U.S. information or technologies, they are likely to continue to attempt to reverse-engineer acquired technologies. In some cases this will likely be to advance indigenous research and development (R&D) capabilities so as to meet national mandates, including the development of countermeasures, while in others it will likely result from a desire to re-export the technology for profit. (Confidence Level: Moderate)
