This is a story of global geopolitics, economics, and of nation-state sponsored cyber-attacks where the targets – then world leading firms – went out of business faster than the average tenure of a CEO.
This is the story of APT1, three years on.
Who were APT1?
For those unfamiliar, APT1 (Advanced Persistent Threat) were a highly prolific cyber-attack group operating out of China. Tracked by security firm Mandiant, they were exposed as targeting several key industries globally, with a specific focus on cyber-espionage where English was the primary language.
In an incredibly rare move, the level of attribution was such that the US legal system felt able to bring charges against the Chinese nationals involved. A crime needs a victim, and as such, in 2014 we were presented with some of the only public examples of nation-state sponsored cyber-attack targets – Solarworld, Westinghouse, ATI Metals, U.S. Steel and a workers’ union.
In 2014, at the time these attacks were exposed, Solarworld, Westinghouse and ATI Metals were global leaders in their respective industries of solar, nuclear and specialist materials. All had their competitive advantage locked into a powerful combination of advanced intellectual property and global contracts. Fast forward to 2017; Solarworld and Westinghouse have both been declared insolvent, while ATI has consistently traded at less than half of its 2014 high. U.S. Steel has also struggled for geopolitical reasons related to APT1, but as more of a commodity vendor with its problems rooted well before these cyber-attacks.
How do three firms, market leaders in their respective industries, owners of cutting-edge IP and global contracts, end up insolvent or lose so much value so quickly?
The World in 2014
In 2014, the world was a great place to be for the APT1 target firms. Solarworld was the world leader in solar panel production, turning over €750 million a year and holding key contracts and intellectual property. It was well positioned to take advantage of a rapidly growing industry with global demand.
Westinghouse was the world leader in nuclear power reactor design, with the recently released AP1000 the world benchmark for safe and efficient reactors. Westinghouse designs underpinned the most advanced nuclear reactors in production, which it sold globally.
ATI was and still is a diverse organization with its business units either in commodity metal production or the supply of High Performance Materials to aerospace, defense and energy sectors, among others.
It would be remiss to take a historic look at the APT1 victims without also including China, the host-nation of the APT1 cyber-attack group. China’s five-year plan from 2011-16 was designed to help the country solve key challenges around urbanization, environmental protection and increased domestic consumption. As such, R&D – particularly around developing the efficiency of nuclear power and renewable energy technologies – was high on the agenda.
What Became of the APT1 Targets?
Moving to the present day (2017), and the fate of the APT1 cyber-attack victims is striking.
SolarWorld was officially declared bankrupt as of August 2017, with Chinese market saturation – commencing at the time of the APT1 attack of 2012 – bringing the company to a swift end.
As the U.S. Justice Department states: “The perpetrators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen.”
The effect this had on SolarWorld was profound. As Ben Santarris, Director of Strategic Affairs was quoted at the time: ”There were thousands of emails exfiltrated, many with sensitive data that would pose to serve all kinds of unfair advantages.” Those unfair advantages included IP, sensitive pricing information, and even ways for Chinese competitors to bypass U.S. regulation in flooding the market.
In stark contrast, China has since cemented its place as the world’s leading solar nation, smashing its 2020 solar targets in August 2017 with 112 gigawatts of output, equivalent to around 100 large coal-fired powerplants. At exactly the same time (August 2017), China announced the cancellation of 134 coal projects, in line with the ‘future energy development’ goals of the 13th five-year plan of 2016-2020. That the Chinese success stories and the SolarWorld insolvency were announced in the same month is a cruel twist of fate that only serves to highlight their inversely linked fortunes since the APT1 attack.
Simultaneous attack on DuPont (non-cyber side note)
At the same time as the APT1 attacks, the specialist chemicals arm of DuPont became the victim of economic espionage, as former employee Liu Yuanxuan delivered the secrets behind the efficient production of Titanium Dioxide to Chinese state-owned companies.
Perhaps predictably, in 2014, China for the first time became a major producer of Titanium Dioxide with a 100,000 ton factory in Chongqing. Why is this relevant to Solarworld, and indeed to China’s successful solar strategy? Titanium Dioxide just so happens to be a key material in the production of cheap and efficient solar panels.
Westinghouse Nuclear filed for bankruptcy in March 2017, three years after the 2014 indictment against members of APT1, for cyber-attacks against the company in 2010/11.
The U.S. Justice Department indictment declares that “the conspirators stole, among other things, proprietary and confidential technical and design specifications… for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.”
Directly linking Westinghouse’s insolvency with the APT1 attack is simplistic, despite parent company Toshiba admitting that “The Group’s competitive power may be weakened and the Group’s business, operating results and financial condition may be subject to negative influences” if confidential data is stolen. The insolvency itself is well documented; essentially Westinghouse ran out of money when attempting to build its own flagship AP1000 reactor designs at two locations in the U.S. As a design firm that had little experience in the actual construction of reactors, it is perhaps no surprise when the projects ran into serious financial trouble. The obvious question then, is: why did they even need to try?
The answer may, again, partly lie in Beijing which by far represents the biggest market for the sale of the AP1000, with an initial 40 (some sources say up to 130) earmarked for construction in China alone, more than every other country combined. With global nuclear projects stalling, the Westinghouse order pipeline and the continued success of the company was intrinsically tied to Chinese interest.
The first four AP1000s in China (or anywhere) are due to come online later in 2017. Throughout the eight year build process, Westinghouse entered joint-agreements with the State Nuclear Power Technology Corp to transfer knowledge and train scientists, and in 2010 alone – the time of the APT1 attack on Westinghouse – shared over 75,000 documents, forcing the then president of Westinghouse in Asia to admit that after the first four reactors came online, there were no guarantees of further nuclear projects involving Westinghouse – at all. Effectively, the Chinese would be able to go it alone.
This possibility was perhaps further signaled by the licensed Chinese spin-off of the AP1000, the CAP1400, a larger variant of the Westinghouse reactor with the IP owned by China. Signed off for construction in 2014, the first CAP1400 reactor will come online in 2017, sending a strong message about the future of the AP1000 itself in the Chinese market.
With this in mind, back to the key question – why did Westinghouse, a company that was profitable in selling designs and equipment, contract to deliver the entire build of two major nuclear construction projects in the U.S. – something in which it had little experience and proved to be its downfall?
The most likely explanation is that the Chinese steps towards autonomy – subsequently aided (in part) by the APT1 cyber-attack – put Westinghouse under huge pressure to show its designs were profitable to build and operate in a difficult domestic U.S. market. It took on the challenge itself, and ultimately failed.
The third APT1-targeted firm was ATI Metals, still a world-leader in specific industries, but as of September 2017 trading at less than half of its 2014 three-year high.
As the U.S. Justice Department states in its APT1 indictment: “Defendant WEN stole network credentials for virtually every employee at the company, which would have allowed wide-ranging and persistent access to ATI’s computers.” ATI was exposed to a massive loss of competitive advantage and has halved in value – the question is, why, and are the two events linked?
At first glance, the loss in value is easily attributed to the challenges faced by the steel industry. In 2012, exactly 50% of ATI Metals’ revenue came from commodity metals, with sales of $2.3 billion – a figure that by 2016 had nearly halved to $1.2 billion as the firm restructured to focus on its other business unit, High Performance Materials. The loss in revenue from the commodity metals side of ATI has been reflected across a struggling steel industry – as per U.S. Steel, coincidentally the remaining APT1 commercial victim. This struggle was allegedly influenced by the Chinese dumping of steel into global markets, which commenced in the early 2000s, with accusations of state-sponsored subsidy increases to the steel industry enabling Chinese firms to out-compete their US rivals. As such, the effect on ATI by global steel competition is already ‘priced in’ and cannot be said to be impacted by the APT1 attack in a meaningful way.
So what of the other half of ATI, the High Performance Materials division? This side of the business should be locked into sustainable competitive advantage through its R&D programs and specialist IP – and we would expect the renewed ATI focus in this area to yield significant recent growth.
Interestingly, it seems ATI’s competitive advantage in High Performance Materials is not particularly sustainable – the division went from $2.3 billion of sales in 2012 to $1.9 billion in 2016, with a fairly steady decline each year.
Furthermore, despite falling revenues in High Performance Materials overall, High Performance sales to the aerospace and defense sectors (largely domestic) remained constant, meaning the bulk of the losses in sales were incurred in global markets across the electrical energy, oil and gas, and other specialist sectors. Indeed, between them, these sectors experienced a loss in annual revenue from $810m in 2012 to $483m in 2016.
Focusing on a single product line might help provide further clarity and enable some kind of tangible impact from the APT1 attack. While we could examine each ATI product line, a good starting point, and an area in which ATI is highly specialist, is in the production of Zirconium alloys. In keeping with the theme of this article, Zirconium alloys are essential for the cladding of Uranium fuel rods in nuclear reactors.
Until recently, China had little self-sufficiency in the manufacture of Zirconium alloy, relying instead on third party suppliers. However, this changed in 2011, with the formation of the Shanghai Tubing Company and the State Nuclear Zirconium manufacturing plants, responsible for supplying China’s nuclear expansion projects with specialist Zirconium alloy. While Zirconium represents less than 10% of ATI’s sales, it might just be representative of the wider challenges facing the business.
What can we learn from this?
This article isn’t really about APT1, Solarworld, Westinghouse or ATI, but instead about how business leaders see risk – and particularly, cyber-risk.
In today’s short-term world of quarterly shareholder reports and rolling 24 hour news cycles, there is a tendency for business leaders to focus on those risks that carry impacts to their firms that will be felt immediately. Perversely, from a cyber-breach perspective, those immediate impacts tend to be externalities foisted on the victim of an attack by regulators and legal structures (fines, litigation), or our societal behavior in reacting to bad news (reputational damage, loss of custom).
What the APT1 attacks have shown us, and the three short years in between, is that the direct impact from a cyber-attack – the zero sum game between what the attacker gains, and what the victim loses – can now be felt quickly enough and severely enough to put a world-leading organization out of business within the average tenure of a CEO. Against this backdrop, firms would do well to consider what is valuable not just to them, but also to potential attackers in a geopolitical and economic context.
Euractiv ‘China eclipses Europe as 2020 solar power target is smashed’ https://www.euractiv.com/section/energy/news/china-eclipses-europe-as-2020-solar-power-target-is-smashed/ August 2017
Thomson Reuters ‘SolarWorld seeks probe into claims of Chinese cyber-spying’ http://www.reuters.com/article/usa-trade-solar/update-1-solarworld-seeks-probe-into-claims-of-chinese-cyber-spying-idUSL2N0PC2LN20140701 July 2014
Thomson Reuters ‘German Sun King’s SolarWorld to file for insolvency’ http://www.reuters.com/article/us-solarworld-bankruptcy/german-sun-kings-solarworld-to-file-for-insolvency-idUSKBN1862MN May 2017
South China Morning Post ‘China’s ageing solar panels are going to be a big environmental problem’ http://www.scmp.com/news/china/society/article/2104162/chinas-ageing-solar-panels-are-going-be-big-environmental-problem July 2017
Knoxville News Sentintel ‘Secrecy surrounds sentencing of Chinese government operative in nuclear tech spy case’ http://www.knoxnews.com/story/news/crime/2017/08/29/secrecy-surrounds-sentencing-chinese-government-operative-nuclear-tech-spy-case/611490001/ August 2017
Chemical & Engineering News ‘Prosecutors charge that DuPont’s titanium dioxide technology was stolen at behest of government officials’ http://cen.acs.org/articles/90/web/2012/02/China-Tied-Trade-Secret-Theft.htmlFebruary 2012
Bloomberg ‘How a corporate spy swiped plans for DuPont’s billion-dollar color formula’ https://www.bloomberg.com/features/2016-stealing-dupont-white/ February 2016
Fireeye ‘APT1: Exposing One of China’s Cyber Espionage Units’ https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf February 2013
Pittsburgh Post-Gazette ‘Westinghouse’s data stolen despite big deal with China’ http://www.post-gazette.com/local/city/2014/05/20/Westinghouse-s-data-stolen-despite-big-deal-with-China/stories/201405200086 May 2014
United States Securities & Exchange Commission ‘Allegheny Technologies Incorporated, United States Securities and Exchange Commission Form 10-K filing’ https://www.sec.gov/Archives/edgar/data/1018963/000101896317000007/atify201610-k.htm December 2016
France-metallurgie ‘ATI, Alcoa, US Steel and Westinghouse hacked by Chinese Army according to US gov’ http://www.france-metallurgie.com/ati-alcoa-us-steel-and-westinghouse-hacked-by-chinese-army-according-to-us-gov-us-2/ May 2014
Financial Times ‘UK chief executives spend less than five years in the job’ https://www.ft.com/content/ded1823a-370e-11e7-99bd-13beb0903fa3 May 2017
Forbes ‘Westinghouse Electrics Chinese Trojan Horse’ https://www.forbes.com/sites/kenrapoza/2016/05/17/westinghouse-electrics-chinese-trojan-horse/#4d02c1e776ca May 2016
United States Department of Justice ‘US district court, Western District of Pennsylvania indictment May 2014’ https://www.justice.gov/iso/opa/resources/5122014519132358461949.pdf May 2014
China National Nuclear Corporation ‘CNNC accomplishes a new generation intl advanced fuel element: zirconium alloy cladding material’ http://en.cnnc.com.cn/2016-12/02/c_62928.htm December 2016
International Atomic Energy Agency ‘The Nuclear Fuel Supply in China to Match the Development of Nuclear Power’ https://www.iaea.org/OurWork/ST/NE/NEFW/Technical-Areas/NFC/documents/infcis/NFCIS-2014/20-nuclear_fuel_cycle_information_system_PPT20141207_-IAEA.pdf December 2014
World Nuclear Association ‘Nuclear power in China’ http://www.world-nuclear.org/information-library/country-profiles/countries-a-f/china-nuclear-power.aspxSeptmeber 2017
Solarworld ‘Annual report 2016’ https://www.solarworld.de/fileadmin/sites/sw/ir/pdf/finanzberichte/2016/solarworld_ar_2016_incl_sustainability_en_web.pdf 2016
ATI ‘Annual Reports’ http://ir.atimetals.com/financials-and-sec-filings/annual-reports Various
This article was also published on Countercept