Prosecutors Say They Were Part of APT10 Group and Had Government Ties
(HealthInfoSec) • December 20, 2018
The U.S. Department of Justice on Thursday unsealed an indictment charging two Chinese nationals in connection with a cyber espionage campaign, alleging they acted in association with a government agency.
"The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China's intelligence service access to sensitive business information," said Deputy Attorney General Rod Rosenstein.
The indictment, which was preceded by similar indictments of Chinese nationals revealed in October, could further increase U.S. tensions with China. The U.S. reached a landmark agreement with China in 2015 to stop cyberattacks aimed at stealing intellectual property. But after a lull, experts say suspected China-backed attacks have resumed.
The security industry has often referred to the group as APT10 or "Cloud Hopper," because the attackers targeted IT managed service providers (MSPs). Because MSPs serve many corporate customers, a successful attack against one MSP could result in the compromise of many more companies.
"APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups," says Ben Read, senior manager, cyber espionage analysis, with FireEye.
Chris Pierson, CEO of BlackCloak, says attacking MSPs can result in high return for hackers.
"Why attack one specific target company when you can attack someone who can give you access to one thousand other companies or their intellectual property?" Pierson says.
Members of APT10 Group
The Justice Department says the two hackers - Zhu Hua and Zhang Shilong, who both go by a variety of other aliases - were members of the APT10 hacking group operating in China.
Prosecutors say the two defendants worked for the Chinese company Huaying Haitai Science and Technology Development Company - or Huaying Haitai - and acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau.
The two are charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft.
Prosecutors say that through their involvement with the APT10 Group, from about 2006 to about 2018, the two conducted global campaigns of computer intrusions targeting, among other data, intellectual property and confidential business and technological information at managed service providers.
Those MSPs remotely manage the information technology infrastructure of businesses and governments around the world. Those targeted included more than 45 technology companies in at least a dozen U.S. states, and U.S. government agencies, the DOJ notes.
The APT10 Group targeted a diverse array of commercial activity, industries and technologies, including aviation; satellite and maritime technology; industrial factory automation; automotive supplies; laboratory instruments; banking and finance; telecommunications and consumer electronics; computer processor technology; information technology services; packaging; consulting; medical equipment; healthcare; biotechnology; pharmaceutical manufacturing; mining; and oil and gas exploration and production, the DOJ says.
"Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations," prosecutors say.
"The theft of sensitive defense technology and cyber intrusions are major national security concerns and top investigative priorities for the DCIS," said Dermot O'Reilly, director of the Defense Criminal Investigative Service of the U.S. Department of Defense.
Extensive Espionage Campaigns
Prosecutors say members of the APT10 Group, including Zhu and Zhang, conducted extensive campaigns of intrusions into computer systems around the world. The group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy.
Beginning in about 2014, members of the APT10 Group, including Zhu and Zhang, targeted MSPs to leverage their networks to gain unauthorized access to the computers and computer networks of the MSPs' clients and to steal, among other data, intellectual property and confidential business data on a global scale, prosecutors allege.
"For example, through the MSP theft campaign, the APT10 Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients ..." prosecutors say.
Earlier, beginning about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. government agencies in order to steal information and data concerning a number of technologies, prosecutors say.
Through this technology theft campaign, the APT10 Group stole hundreds of gigabytes of sensitive data and targeted the computers of victim companies in several industries, according to DOJ.
As part of the APT10 Group's intrusion campaigns, Zhu and Zhang worked for Huaying Haitai and registered malicious domains and infrastructure. In addition, Zhu, a penetration tester, engaged in hacking operations on behalf of the APT10 Group and recruited other individuals to the APT10 Group, and Zhang developed and tested malware for the APT10 Group, prosecutors say.
APT10 touched many countries. Australia issued a warning in April 2017 about attacks against global MSPs, some of which had operations in the country. The Australian Cyber Security Centre said it was working with international partners to track the activity.
On Friday, the Australian government warned that China risks abrogating commitments it made at the G20 meeting in 2017 and separately with Australia in 2017 regarding cyberattacks.
"Australia calls on all countries - including China - to uphold commitments to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage," according to a statement from Foreign Affairs Minister Marisa Payne and Home Affairs Minister Peter Dutton.
On Thursday, the U.K. Foreign Minister Jeremy Hunt warned governments against undertaking attacks aimed at intellectual property and commercial data.
"Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld," Hunt says.
U.S. Legal Pressure On China
On Oct. 18, federal prosecutors filed an indictment of two Chinese intelligence officers and eight others for stealing trade secrets intended to help the country shortcut the development of a turbofan airplane engine plus other technology (see U.S. Again Indicts Chinese Intel Agents Over Hacking).
In that case, prosecutors said the two officers, Chai Meng and Zha Rong, worked for the Jiangsu Province Ministry of State Security in Nanjing, a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security.
The two men were accused of orchestrating an extensive scheme, running from January 2010 to May 2015, that recruited other hackers to gain access to companies as well as recruiting insiders to plant malware.
And on Oct. 10, the Justice Department announced that an alleged Chinese Ministry of State Security officer had been charged with economic espionage and attempting to steal trade secrets. Yanjun Xu was arrested in Belgium and extradited to the U.S. He's accused of stealing data from "multiple U.S. aviation and aerospace companies."