DOJ indicts two Chinese nationals for APT10 group cyberattacks

The U.S. Department of Justice on Thursday indicted two Chinese nationals accused of cyberattacks around the world in association with the Chinese state-sponsored hacking group known as APT10.

The two individuals, Zhu Hua and Zhang Shilong, were indicted on several charges in connection with cyberattacks and intellectual property (IP) theft, including conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft.

The Department of Justice (DOJ) said APT10 began attacks in 2006, targeting "more than 45 technology companies in at least a dozen U.S. states and U.S. government agencies." Then, in 2014, the group began targeting managed service providers (MSPs) in 12 countries, rather than attacking organizations directly.

"The APT10 Group targeted MSPs in order to leverage the MSPs' networks to gain unauthorized access to the computers and computer networks of the MSPs' clients and to steal, among other data, intellectual property and confidential business data on a global scale," the DOJ wrote in its announcement. "For example, through the MSP theft campaign, the APT10 Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining."

During a press conference announcing the indictments, FBI Director Christopher Wray called out the Chinese government for its extensive hacking campaigns against U.S. companies and government agencies.

"No country poses a broader, more severe long-term threat to our nation's economy and cyber infrastructure than China," Wray said.

In August, cybersecurity vendor CrowdStrike published a report on APT10, also known as Stone Panda, that named Shilong as a suspected member of the group and provided information connecting APT10 to China's Ministry of State Security.

"It is unprecedented and encouraging to see the U.S. government, joined by so many international allies, taking a decisive stance against Chinese state-sponsored economic espionage," CrowdStrike co-founder and CTO Dmitri Alperovitch wrote in a statement. "For the past year, CrowdStrike has been reporting on the increase of activity we've seen from Chinese state-affiliated cyber threat actors, aimed at stealing trade secrets from nearly every sector of the economy, including biotech, defense, mining, pharmaceutical, professional services, transportation, and more.

"Today's announcement of indictments against Ministry of State Security (MSS), whom we deem now to be the most active Chinese cyber threat actor, is another step in a campaign that has been waged to indicate to China that its blatant theft of IP is unacceptable and will not be tolerated. While this action alone will not likely solve the issue and companies in U.S., Canada, Europe, Australia and Japan will continue to be targeted by MSS for industrial espionage, it is an important element in raising the cost and isolating them internationally."

Christiaan Beek, lead scientist and senior principal engineer at McAfee, based in Santa Clara, Calif., said, "Attacking the MSP means that, as an organization, it is out of your sight and control. Secondly, targeting the MSP means also more insight into multiple organizations at the same time instead of setting up separate campaigns for potential victims."

Terry Ray, CTO of Imperva, based in Redwood Shores, Calif., said the APT10 group attacks should be a case that enterprises learn from.

"This scenario of targeting MSPs, rather than organizations directly, is yet another example of the trickle-down effect -- attacking one target to gain access to something they wouldn't normally expect," Ray said. "In this case, the trickle-down is the use of one service to gain access to another. This is exactly why security teams need to take that step back away from their own company's concerns and look at how a breach of their systems could impact their customers, employees, partners and other."

Jake Olcott, vice president at Boston-based BitSight, said MSP compromises have "become a global phenomenon."

"Most organizations blindly trust that their service providers are protecting their data. Trust is not a strategy that works in the 21st century," Olcott said. "Organizations everywhere are at risk due to the rise in outsourcing and contracting. These incidents represent the No. 1 cyber-risk to organizations today, and also threaten global commerce."   

As part of the campaign beginning in 2006, the DOJ said the two Chinese hackers and APT10 "stole hundreds of gigabytes of sensitive data" from technology companies, including NASA, and stole sensitive data like Social Security numbers and dates of birth for more than 100,000 Navy personnel.

Carl Wright, chief commercial officer of AttackIQ, based in San Diego, praised the indictment of the APT10 group members, because "the blatant theft of IP and other sensitive data is unacceptable."

"Despite these indictments, prosecutions are unlikely, given that the hackers are Chinese residents and extraditions are a rarity," Wright said. "These charges will restrict the international travels of those named in the filing and will send a warning to those who have not been named, potentially deterring motivation for future attacks against the United States."

Jonathan Bensen, interim CISO and director of product management at Balbix, based in San Jose, Calif., noted that the APT10 indictment "has effectively scrubbed the bilateral agreement between the United States and China in 2015 that called for a truce against hostile cyberattacks and espionage."