Skip to content

Trending tags

APT1 – what happened next?

Noora Hyvärinen

29.09.17 12 min. read

APT1 (Advanced Persistent Threat) are a highly prolific cyber-attack group operating out of China. Tracked by security firm Mandiant, they were exposed as targeting several key industries globally, with a specific focus on cyber espionage where English was the primary language.

In an incredibly rare move, the evidence was such that the US Department of Justice brought charges against the Chinese nationals involved. Solarworld, Westinghouse, and ATI Metals were publicly named as APT1 victims.

At the time these attacks were exposed, Solarworld, Westinghouse and ATI Metals were global leaders in their respective industries of solar, nuclear and specialist materials. All had their competitive advantage locked into a powerful combination of advanced intellectual property and global contracts. Fast forward three years: Solarworld and Westinghouse have both been declared insolvent, while ATI consistently trades at less than half of its NASDAQ high.

How do three firms, market leaders in their respective industries, owners of cutting-edge IP and global contracts, end up insolvent or lose so much value so quickly?

The world in 2014

At the time of the APT1 compromise, Solarworld was the world leader in solar panel production, turning over €750 million a year and holding key contracts and intellectual property. It was well positioned to take advantage of a rapidly growing industry with global demand.

Westinghouse was the world leader in nuclear power reactor design, with the recently released AP1000 the world benchmark for safe and efficient reactors. Westinghouse designs underpinned the most advanced nuclear reactors in production, which it sold globally.

ATI was and still is a diverse organization with its business units either in commodity metal production or the supply of High Performance Materials to aerospace, defense and energy sectors, among others.

It would be remiss to take a historic look at the APT1 victims without also including China, the host-nation of the APT1 cyber-attack group. China’s five-year plan from 2011-16 was designed to help the country solve key challenges around urbanization, environmental protection and increased domestic consumption. As such, research and development (R&D) – particularly around developing the efficiency of nuclear power and renewable energy technologies – was high on the agenda.



Moving to the present day (2017), and the fate of the APT1 cyber-attack victims is striking.

SolarWorld was officially declared bankrupt as of August 2017, with Chinese market saturation – commencing at the time of the APT1 attack of 2012 – bringing the company to a swift end.

As the US Department of Justice stated: “The perpetrators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen.”

The effect this had on SolarWorld was profound. As Ben Santarris, Director of Strategic Affairs was quoted at the time: “There were thousands of emails exfiltrated, many with sensitive data that would pose to serve all kinds of unfair advantages.” Those unfair advantages included IP, sensitive pricing information, and even ways for Chinese competitors to bypass US regulation in flooding the mark

In stark contrast, China has since cemented its place as the world’s leading solar nation, smashing its 2020 solar targets in August 2017 with 112 gigawatts of output, equivalent to around 100 large coal-fired powerplants. At exactly the same time (August 2017), China announced the cancellation of 134 coal projects, in line with the ‘future energy development’ goals of the 13th five-year plan of 2016-2020. That the Chinese success stories and the SolarWorld insolvency were announced in the same month is a cruel twist of fate that only serves to highlight their inversely linked fortunes since the APT1 attack.


Westinghouse Nuclear filed for bankruptcy in March 2017, three years after the 2014 indictment against members of APT1, for cyber attacks against the company in 2010/11.

The US Department of Justice indictment declared that “the conspirators stole, among other things, proprietary and confidential technical and design specifications… for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.t

Directly linking Westinghouse’s insolvency with the APT1 attack is simplistic, despite parent company Toshiba admitting that “The Group’s competitive power may be weakened and the Group’s business, operating results and financial condition may be subject to negative influences” if confidential data is stolen. The insolvency itself is well documented; essentially Westinghouse ran out of money when attempting to build its own flagship AP1000 reactor designs at two locations in the U.S. As a design firm that had little experience in the actual construction of reactors, it is perhaps no surprise when the projects ran into serious financial trouble. The obvious question then, is: why did they even need to try?

The answer may, again, partly lie in Beijing, which by far represents the biggest market for the sale of the AP1000, with an initial 40 (some sources say up to 130) earmarked for construction in China alone, more than every other country combined. With global nuclear projects stalling, the Westinghouse order pipeline and the continued success of the company was intrinsically tied to Chinese interest.

The first four AP1000s in China (or anywhere) are due to come online later in 2017. Throughout the eight year build process, Westinghouse entered joint-agreements with the State Nuclear Power Technology Corp to transfer knowledge and train scientists, and in 2010 alone – the time of the APT1 attack on Westinghouse – shared over 75,000 documents, forcing the then president of Westinghouse in Asia to admit that after the first four reactors came online, there were no guarantees of further nuclear projects involving Westinghouse – at all. Effectively, the Chinese would be able to go it alone.

This possibility was perhaps further signaled by the licensed Chinese spin-off of the AP1000, the CAP1400, a larger variant of the Westinghouse reactor with the IP owned by China. Signed off for construction in 2014, the first CAP1400 reactor will come online in 2017, sending a strong message about the future of the AP1000 itself in the Chinese market.

With this in mind, back to the key question – why did Westinghouse, a company that was profitable in selling designs and equipment, contract to deliver the entire build of two major nuclear construction projects in the US – something in which it had little experience and proved to be its downfall?

The most likely explanation is that the Chinese steps towards autonomy – subsequently aided (in part) by the APT1 cyber-attack – put Westinghouse under huge pressure to show its designs were profitable to build and operate in a difficult domestic US market. It took on the challenge itself, and ultimately failed.

ATI Metals

The third APT1-targeted firm was ATI Metals, still a world-leader in specific industries, but as of September 2017 trading at less than half of its 2014 three-year high.

As the US Department of Justice stated in its APT1 indictment: “Defendant WEN stole network credentials for virtually every employee at the company, which would have allowed wide-ranging and persistent access to ATI’s computers.” ATI was exposed to a massive loss of competitive advantage and has halved in value – the question is, why, and are the two events linked?

At first glance, the loss in value is easily attributed to the challenges faced by the steel industry. In 2012, exactly 50% of ATI Metals’ revenue came from commodity metals, with sales of $2.3 billion – a figure that by 2016 had nearly halved to $1.2 billion as the firm restructured to focus on its other business unit, High Performance Materials. The loss in revenue from the commodity metals side of ATI has been reflected across a struggling steel industry – as per U.S. Steel, coincidentally the remaining APT1 commercial victim. This struggle was allegedly influenced by the Chinese dumping of steel into global markets, which commenced in the early 2000s, with accusations of state-sponsored subsidy increases to the steel industry enabling Chinese firms to out-compete their US rivals. As such, the effect on ATI by global steel competition is already ‘priced in’ and cannot be said to be impacted by the APT1 attack in a meaningful way.

So what of the other half of ATI, the High Performance Materials division? This side of the business should be locked into sustainable competitive advantage through its R&D programs and specialist IP – and we would expect the renewed ATI focus in this area to yield significant recent growth.

Interestingly, it seems ATI’s competitive advantage in High Performance Materials is not particularly sustainable – the division went from $2.3 billion of sales in 2012 to $1.9 billion in 2016, with a fairly steady decline each year.

Furthermore, despite falling revenues in High Performance Materials overall, High Performance sales to the aerospace and defense sectors (largely domestic) remained constant, meaning the bulk of the losses in sales were incurred in global markets across the electrical energy, oil and gas, and other specialist sectors. Indeed, between them, these sectors experienced a loss in annual revenue from $810m in 2012 to $483m in 2016.

Focusing on a single product line might help provide further clarity and enable some kind of tangible impact from the APT1 attack. While we could examine each ATI product line, a good starting point, and an area in which ATI is highly specialist, is in the production of Zirconium alloys. In keeping with the theme of this article, Zirconium alloys are essential for the cladding of Uranium fuel rods in nuclear reactors.

Until recently, China had little self-sufficiency in the manufacture of Zirconium alloy, relying instead on third party suppliers. However, this changed in 2011, with the formation of the Shanghai Tubing Company and the State Nuclear Zirconium manufacturing plants, responsible for supplying China’s nuclear expansion projects with specialist Zirconium alloy. While Zirconium represents less than 10% of ATI’s sales, it might just be representative of the wider challenges facing the business.


This article isn’t really about APT1, Solarworld, Westinghouse or ATI, but instead about how business leaders see risk – and particularly, cyber risk.

In today’s short-term world of quarterly shareholder reports and rolling 24-hour news cycles, there is a tendency for business leaders to focus on those risks that carry impacts to their firms that will be felt immediately. Perversely, from a cyber-breach perspective, those immediate impacts tend to be externalities foisted on the victim of an attack by regulators and legal structures (fines, litigation), or our societal behavior in reacting to bad news (reputational damage, loss of custom).

What the APT1 attacks have shown us, and the three short years in between, is that the direct impact from a cyber attack – the zero sum game between what the attacker gains, and what the victim loses – can now be felt quickly enough and severely enough to put a world-leading organization out of business within the average tenure of a CEO. Against this backdrop, firms would do well to consider what is valuable not just to them, but also to potential attackers in a geopolitical and economic context.



Euractiv ‘China eclipses Europe as 2020 solar power target is smashed’ August 2017

Thomson Reuters  ‘SolarWorld seeks probe into claims of Chinese cyber-spying’ July 2014

Thomson Reuters ‘German Sun King’s SolarWorld to file for insolvency’ May 2017

South China Morning Post ‘China’s ageing solar panels are going to be a big environmental problem’ July 2017

Knoxville News Sentintel ‘Secrecy surrounds sentencing of Chinese government operative in nuclear tech spy case’ August 2017

Chemical & Engineering News ‘Prosecutors charge that DuPont’s titanium dioxide technology was stolen at behest of government officials’ February 2012

Bloomberg ‘How a corporate spy swiped plans for DuPont’s billion-dollar color formula’ February 2016

Fireeye ‘APT1: Exposing One of China’s Cyber Espionage Units’ 2013

Pittsburgh Post-Gazette ‘Westinghouse’s data stolen despite big deal with China’ May 2014

United States Securities & Exchange Commission  ‘Allegheny Technologies Incorporated, United States Securities and Exchange Commission Form 10-K filing’ December 2016

France-metallurgie ‘ATI, Alcoa, US Steel and Westinghouse hacked by Chinese Army according to US gov’ May 2014

Financial Times ‘UK chief executives spend less than five years in the job’  May 2017

Forbes ‘Westinghouse Electrics Chinese Trojan Horse’ May 2016

United States Department of Justice ‘US district court, Western District of Pennsylvania indictment May 2014’ May 2014

China National Nuclear Corporation ‘CNNC accomplishes a new generation intl advanced fuel element: zirconium alloy cladding material’ December 2016

International Atomic Energy Agency ‘The Nuclear Fuel Supply in China to Match the Development of Nuclear Power’ December 2014

World Nuclear Association ‘Nuclear power in China’ Septmeber 2017

Solarworld ‘Annual report 2016’ 2016

ATI ‘Annual Reports’ Various


Noora Hyvärinen

29.09.17 12 min. read


How to protect yourself against targeted cyber attacks?

Contact us

Highlighted article

Related posts

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.