U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign

The homeland security implications are significant: the two, working with Beijing-backed APT10, allegedly stole sensitive data from orgs like the Navy and NASA.

The Department of Justice on Thursday charged two Chinese hackers with stealing “hundreds of gigabytes” of data from more than 45 other governmental organizations and U.S.-based companies.

This has potentially significant national security ramifications: Targets included the NASA Goddard Space Center and Jet Propulsion Laboratory; U.S. Department of Energy’s Lawrence Berkeley National Laboratory; and the Navy.

The two hackers, Zhang Shilong and Zhang Jianguo, are alleged to be members of APT10, a well-known China-based threat actor, which is believed to be directly connected to the Chinese Ministry of State Security’s (MSS) Tianjin bureau.

In fact, Zhu and Zhang worked for Huaying Haitai in Tianjin, China, and acted in association with the MSS bureau, said the DoJ’s statement.

The DoJ’s indictment also alleges that the duo’s activity — hacking into systems to steal the intellectual property, sensitive data and personal information of civilians from U.S. entities — stretches back years.

“From at least in or about 2006 up to and including in or about 2018, members of the APT10 group, including Zhu and Zhang, conducted extensive campaigns of intrusions into computer systems around the world,” according to the DoJ release. “The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy.”

In the case of the Navy, APT10 compromised more than 40 computers to steal sensitive data, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel), said the DoJ.

In another campaign, dating back to at least 2014, the two also allegedly worked with members of APT10 to hack into the networks of managed service providers for businesses and governments in at least 12 different countries. APT10 installed multiple variants of keylogging and other malware on the managed service provider computers, which they then scraped credentials from.

“To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system,” according to the release. “Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials.”

Terry Ray, CTO of Imperva, said this “trickle-down effect of nation-state hacking is particularly concerning,” as “sophisticated methods used by various governments eventually fall into the hands of resourceful cybercriminals, typically interested in attacking businesses and individuals.”

In a joint statement Thursday by Secretary of State Michael Pompeo and Secretary of Homeland Security Kirstjen Nielsen, the two warned that APT10’s activity violates cyber-commitments made in 2015 by President Xi Jinping to refrain from conducting “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

“These actions by Chinese actors to target intellectual property and sensitive business information present a very real threat to the economic competitiveness of companies in the United States and around the globe,” said the statement. “We will continue to hold malicious actors accountable for their behavior, and today the United States is taking several actions to demonstrate our resolve. We strongly urge China to abide by its commitment to act responsibly in cyberspace and reiterate that the United States will take appropriate measures to defend our interests.”

Priscilla Moriuchi, director of strategic threat development at Recorded Future, said in an email that the indictment sends a firm message to China.

“They continue to draw a clear line for China regarding what type of behavior is and is not acceptable for states to conduct in cyberspace,” said Moriuchi. “In particular, that leveraging government and military resources to conduct cyber-operations in order to steal intellectual property from private companies is unacceptable.”

 

Suggested articles