robert's blog: Cyber Persistence, AI Security, Wargaming.
Robert Sh, Jul 6, 2025. Recommended reading related to this post: Hacker and the State
State-sponsored cyber campaigns increasingly serve economic ends. Economic cyber-espionage — stealing intellectual property, trade secrets, and technological know-how for commercial advantage — has surged as nations seek shortcuts to competitiveness. However, merely hacking into foreign systems is not enough. Turning a network intrusion into tangible state-level economic gain requires a coordinated sequence of steps.
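There is a materialization killchain that bridges cyber exploitation to real-world payoff. This chain comprises nine stages: Authorization, Prioritization, Tasking, Acquisition, Transfer, Comprehension, Integration, Production, and Realization.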
Each stage performs a discrete function essential to converting stolen data into national economic power. Recent estimates of U.S. losses (≈ $225–$600 billion per year) from IP theft underscore the stakes. The sections below explain how each link turns cyber exploits into measurable economic gain for the state.
Authorization is the strategic trigger of the killchain. In this stage, a state’s leadership grants approval and resources for cyber operations explicitly aimed at economic objectives. The function of Authorization is to provide top-level sanction and legal/policy cover so that intelligence units or military cyber agencies can pursue foreign industrial secrets without domestic impediment. This often involves aligning the operation with national economic plans or security strategy.
For example, Chinese state directives have historically sanctioned cyber-espionage to advance development goals. By officially authorizing economic cyber operations, the state ensures all relevant organs — intelligence, military, and industry — are mobilized toward a common goal. Authorization is essential because without political blessing, an economic cyber campaign may lack direction or face bureaucratic roadblocks, undermining its effectiveness from the outset.
Importantly, formal authorization also sets risk tolerances and priorities. High-level approval signals that the anticipated economic gains justify potential diplomatic fallout if the operation is exposed. In effect, this stage establishes that the ends (national economic advancement) justify the means (aggressive cyber theft). Only with clear authorization can subsequent stages proceed with confidence that the mission aligns with state interests and that operatives will be protected or even rewarded for success.
Once a campaign is authorized, the state must decide what to target. Prioritization is the stage of selecting which industries, technologies, or companies to go after, based on potential economic payoff and alignment with national strategy. The function of Prioritization is to maximize return on investment for cyber efforts by focusing on high-impact targets. States typically prioritize sectors that advance critical domestic initiatives or close strategic gaps — for instance, cutting-edge manufacturing, energy technologies, pharmaceuticals, or any field identified as vital in national development plans.
Indeed, cyber espionage targets often map closely to a country’s industrial policy goals. A striking example was PLA Unit 61398 (APT1), which systematically breached firms in sectors that China’s Five-Year Plans had marked as strategic priorities. In practice, this meant that out of 20 industries compromised by APT1, many fell among China’s “strategic emerging industries” for growth.
Effective prioritization ensures the state steals what it actually needs. Rather than opportunistically grabbing data that might not be useful, the state directs its cyber resources toward areas where stolen information can fill domestic R&D gaps or accelerate indigenous projects. For example, if a nation aims to build a semiconductor industry, it will prioritize chip design firms or fabrication process data from more advanced economies.
Prioritization is essential because it aligns cyber operations with economic strategy — choosing the targets most likely to yield a meaningful competitive edge. Without this stage, even a successful hack might produce information of limited relevance, wasting the opportunity. In short, prioritization translates broad strategic aims into concrete target lists, guiding intelligence tasking toward the highest-value economic intelligence.
With targets set, Tasking is the stage where leadership’s priorities are translated into operational directives for the cyber units or affiliated operators. The function of Tasking is to assign specific missions: which networks to infiltrate, what data to exfiltrate, and any parameters or timelines. At this point, the state’s intelligence agencies (or military cyber command) break down the high-level target list into actionable tasks for teams of operators. This may involve creating detailed requirements such as “Obtain proprietary designs for X technology from Company Y” or “Collect research data on Z from University Lab Q.” Tasking often leverages specialized threat groups tailored to the job — for example, a team experienced in targeting aerospace companies might be tasked with stealing jet engine blueprints, while another focuses on pharmaceutical formulas.
By clearly tasking cyber operatives, the state ensures focus and coordination in execution. This stage also establishes accountability: units know what deliverables are expected (e.g. specific documents, databases, or software source code) and can be evaluated on their success. A real-world illustration came from the case of a Chinese businessman, Su Bin, who worked with military hackers to identify which persons, companies, and technologies to target and then relayed those requirements to the hacking team. In structured campaigns, tasking orders might even be passed down as formal requirements or via tasking meetings between intelligence officers and hacker groups. Without Tasking, even a well-chosen objective can flounder — operatives might duplicate efforts or collect the wrong data. Thus, Tasking is indispensable for orchestrating the complex cyber operations that follow, ensuring everyone knows the plan and their role in it.
Acquisition is the cyber operation itself — the stage where the state’s hackers penetrate target networks and steal the desired data or technology. Its function is straightforward but critical: to obtain the valuable information that was identified and tasked in earlier stages. This typically involves the full spectrum of cyber intrusion tactics (reconnaissance, spear-phishing, malware deployment, privilege escalation, etc.) to breach defenses and exfiltrate data. Successful Acquisition can yield massive troves of intellectual property. For instance, the notorious APT1 group stole hundreds of terabytes of data from at least 141 organizations over several years. The stolen materials ranged from technology blueprints and proprietary manufacturing processes to business plans and internal emails — all ingredients that could be extremely useful to a competitor or state-owned firm.
In the economic context, Acquisition often focuses on technical information: design schematics, source code, formulas, test results, and market strategies. The key is that these raw materials represent the knowledge capital that the victim firm invested heavily to develop. By seizing them, the state actor essentially leapfrogs the need to reinvent those innovations. However, Acquisition alone does not guarantee value.
History is replete with cases of impressive hacks that failed to translate into strategic advantage. Stolen data sitting on an intelligence service’s servers is like ore that has been mined but not yet refined. Thus, while Acquisition is a centerpiece of the cyber killchain (it is often the most resource-intensive and technically challenging phase), it is still an intermediate step. The materialization concept reminds us that a successful hack is only the midpoint — what comes next will determine if that stolen trove actually benefits the state’s economy.
Once data is stolen, it must reach those who can use it. Transfer is the stage of conveying the exfiltrated information from the cyber realm into the hands of the state’s domestic beneficiaries — typically state-owned enterprises, defense contractors, universities, or favored private companies. The function of Transfer is to bridge the gap between the intelligence apparatus and the economic actors who will exploit the data. In practical terms, this could mean delivering hacked documents to a state-owned manufacturer or routing them through a secret government office that liaises with industry.
Some countries formalize this pipeline. China, for example, has been observed to enlist a broad range of actors across government and industry as part of a technology acquisition program. In such a system, once cyber operators pull data from abroad, it can be swiftly shared with domestic firms because legal barriers (like intellectual property protections) are minimal or ignored. Beijing’s model of state–industry collaboration allows stolen R&D and blueprints to be absorbed almost immediately by Chinese companies.
The Transfer stage is essential because without it, stolen data would remain isolated within intelligence circles. A covert agency itself typically does not build jet engines or manufacture pharmaceuticals — it must pass the information to those who do. For instance, in a 2018 U.S. indictment, Chinese intelligence officers hacked a foreign aerospace firm’s engine designs at the very time a Chinese aerospace company was developing a similar engine. The implication is that the data was meant to flow directly to that company’s project.
In effect, Transfer is about handing off the baton — moving information out of spy agencies’ vaults into corporate R&D labs or factory floors. This stage requires a permissive environment: if domestic companies are unwilling or unable to use stolen IP (due to legal concerns or lack of capacity), the whole chain breaks. Thus, states that excel at materialization often have structures to secretly share and incentivize use of collected data. Transfer solidifies the connection between espionage and industry, ensuring the theft doesn’t die in a file drawer but instead becomes fuel for domestic innovation.
Comprehension is the often-overlooked analytical stage: making sense of the stolen information. Raw data must be processed into usable knowledge. The function of Comprehension is to interpret, translate, and verify the exfiltrated material so that it can be effectively applied. This can involve decryption, cleaning and organizing large data sets, translating documents (e.g. from English to Chinese), and having experts study the content. In many cases, stolen trade secrets are complex — think of millions of lines of source code, or scientific research data filled with jargon. The recipient needs to understand exactly what was obtained and how it can be utilized. A concrete example of Comprehension occurred in the Su Bin espionage case, where after hackers stole aircraft design files, Su Bin translated technical documents from English to Chinese for Chinese aerospace entities. That translation was crucial for Chinese engineers to grasp the nuances of U.S. designs.
Beyond language, Comprehension can include reverse engineering and synthesis. If an operation stole a proprietary manufacturing process, specialists might run simulations or small-scale tests to confirm it works as described. They may also strip away any digital protections or watermarks that the victim embedded to trace leaks. In essence, this stage is about turning stolen data into actionable plans. Without Comprehension, a pile of stolen blueprints might be indecipherable or misapplied by the receiving industry, nullifying the potential gain. Each document or file must be contextualized: What problem was this design solving? How does it integrate with what we already know? The end goal is to emerge from the Comprehension phase with a clear understanding such that the domestic engineers or developers could proceed as if the knowledge were their own. This stage, therefore, is indispensable for ensuring that subsequent integration or production efforts are built on solid understanding rather than guesswork.
In the Integration stage, the state or its companies incorporate the newly understood knowledge into domestic projects or products. The function of Integration is to combine the stolen intellectual assets with indigenous capabilities to create something concrete. This may mean adapting a foreign technology to local manufacturing processes, merging stolen R&D results with homegrown research, or using a competitor’s product designs as a template for one’s own development. Integration is where the stolen information truly enters the production pipeline. For example, if blueprints for an advanced semiconductor were acquired and comprehended, this stage would involve modifying those designs to fit the local fabrication facilities and supply chain. Often, stolen tech is not a plug-and-play solution — integrating it can require significant engineering effort. But having the blueprint or formula gives a huge head start. It was reported that after Chinese hackers stole advanced steel formulas and production techniques from U.S. Steel, Chinese steelmakers were able to commercialize their own version of that advanced alloy within two years, despite never having produced it before. This rapid integration of stolen process know-how into Chinese metallurgy R&D was something that simply would not have been possible so quickly without cyber espionage.
The Integration stage demonstrates why earlier steps (like Prioritization and Comprehension) are so vital. The state chose a target whose data it could use, obtained and understood it — now comes the payoff in engineering terms. A well-executed integration means the foreign innovation becomes part of the domestic knowledge base. In China’s case, stolen proprietary IP has been directly infused into industrial designs, whether for high-speed trains, wind turbines, or pharmaceuticals, often dramatically shortening development timelines and costs. (One U.S. indictment noted that pilfered jet engine data could help Chinese firms build a comparable engine “without incurring substantial research and development expenses.”) Integration is indispensable because it closes the loop between espionage and innovation — it’s the step where the abstract knowledge is operationalized. If integration fails — say, the stolen tech can’t be adapted or local engineers lack skill to implement it — the value of the espionage sharply diminishes. But when integration succeeds, the state has effectively assimilated an external innovation, moving one step closer to reaping tangible benefits.
Production is the stage of actually producing a new or improved product or process based on the integrated knowledge. In this phase, prototypes turn into real products; pilot processes scale up to full manufacturing. The function of Production is to realize the technical knowledge in physical or marketable form — whether it’s a new piece of hardware, a manufactured good, or an improved industrial process that boosts efficiency. This stage often involves retooling factories, launching new product lines, or implementing updated techniques on the shop floor. For a state leveraging stolen IP, Production marks the point at which the fruits of cyber theft become tangible. Continuing the earlier example: after integrating U.S. Steel’s stolen formula, Chinese mills proceeded to mass-produce that advanced high-strength steel domestically. Likewise, in the aerospace case, if engine blueprints were successfully integrated, this is when a Chinese-engineered turbofan prototype gets built and tested. The critical aspect is that something of economic value is being created — be it units of a product that can be sold, or a cost-saving process that improves competitiveness.
By entering Production, the state or its companies can now compete in the market or use the capability internally. Often, this stage is accompanied by heavy state support (subsidies, directives to use the new product, etc.) to ensure it succeeds commercially. The time factor is key: because earlier stages shortcut R&D, production can begin much sooner than it would have otherwise. For example, Chinese firms that acquired foreign IP have been able to bring complex products to market years faster, essentially skipping costly development cycles. One illustrative outcome: after data theft, Chinese aerospace manufacturers aimed to build indigenous jet engines for the C919 passenger jet without the billions in R&D that Western firms invested, compressing the timeline to challenge Boeing and Airbus.
This acceleration from integration to production is precisely why state actors invest in economic cyber espionage — it provides a fast-track to industrial output. Production is indispensable because only through this stage does stolen innovation translate into something that can generate economic value (revenue, exports, improved infrastructure, etc.). If a stolen design never leaves the drawing board, the state gains little; but once it’s rolling off production lines, the strategic payoff is at hand.
Realization is the endgame of the materialization killchain — the stage where the state reaps the economic gains from all the prior effort. The function of Realization is to convert the new production capability into measurable advantages like profits, market share, jobs, or broader economic growth that benefit the state. In this stage, the once-stolen technology or product competes in the global or domestic market (or bolsters a strategic sector), and the state sees the returns. For example, after Chinese steel companies began producing that high-strength steel derived from U.S. Steel’s trade secrets, they exported it to customers and edged out the U.S. company in certain markets. The outcome: Chinese firms gained revenue and global market presence, while the U.S. firm lost sales — a clear transfer of economic benefit facilitated by the cyber theft. Realization can also manifest as increased self-sufficiency: a country that steals technology to build its own jet engines or semiconductor chips can reduce imports, nurture domestic champions, and secure supply chains, all of which have macroeconomic and national security payoffs.
Each preceding stage is necessary but not sufficient for Realization. This final stage is where the value materializes in the real economy — it might be seen in improved GDP figures, in the growth of a strategic industry, or even in stock prices of state-favored companies. Notably, Realization often happens over a longer term: it might be years after the initial hack that the stolen innovation yields a dominant market position. But when it does, the impact can be significant. A 2017 study estimated that U.S. economic losses from foreign IP theft reach hundreds of billions annually — essentially, that is value being realized elsewhere, often by the states or companies that benefited from the stolen IP.
In sum, Realization is the culmination of the killchain: the point at which cyber exploitation truly becomes statecraft. It underscores why each link — from Authorization through Production — must hold. If any stage falters (say, data isn’t properly analyzed or fails to be integrated), the chain breaks and the ultimate economic gains evaporate. But when every stage clicks, a state can turn a few malicious network intrusions into a leap in industrial capability or a surge in exports. Realization is thus the metric of success for economic cyber operations: it answers the question, did the cyber theft translate into real power or profit? — bringing the concept full circle from the initial exploit to the tangible reward.
Published on July 6, 2025.