On December 20, 2018, the Department of Justice and the FBI announced the indictment of two Chinese hackers, Zhu Hua and Zhang Shilong, who have been charged in a years-long global hacking campaign that resulted in the theft of sensitive information from companies and government agencies around the world.
The two hackers are members of the group known as Advanced Persistent Threat 10 (APT10), also known as MenuPass Group or Stone Panda, which is associated with the Chinese Ministry of State Security. They were charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft for stealing intellectual property and confidential business information from victim organizations between 2006 and 2018.
The attacks targeted a diverse range of industries, including engineering, aerospace, and telecom firms, as well as over 45 technology companies. The indictment also accuses the hackers of carrying out a hacking campaign against various Managed Service Providers (MSPs), which are businesses that provide IT infrastructure for companies. By targeting MSPs, the attackers were able to indirectly gain access to the data of numerous companies around the world.
The hackers allegedly relied on spear phishing to introduce malware into targeted computers, and then employed customized variants of remote access Trojans (such as PlugX, RedLeaves, and QUASARRAT) and keystroke loggers to monitor victim computers and steal user credentials. In the case of MSPs, the attackers could use administrative credentials stolen from MSP computers to connect to other systems within the MSP as well as to its clients’ networks. To help prevent future attacks, companies should refer to recent DHS alerts regarding the threat against MSPs and the broader tactics, techniques, and procedures used by APT10 and other Chinese government cyber threat actors, such as trusted network exploitation.
The indictment and press release underscore the DOJ’s treatment of such intrusions as a major national security concern and reflect growing tensions between China and the U.S. over government-supported cyber espionage. As noted by Deputy Attorney General Rod Rosenstein during the December 20th press conference, such activity is suspected to have violated China’s 2015 commitment not to conduct or knowingly support cyber-enabled theft for commercial advantage. Significantly, in the days following the DOJ announcement, 12 other countries, including the other members of the “Five Eyes” intelligence alliance, joined the U.S. in criticizing China over what is perceived as a global campaign to misappropriate technology and trade secrets.