US prosecutors have unsealed charges today against two Chinese nationals who they say are part of China's state-sponsored hacking units.
According to an indictment published by the US Department of Justice (DOJ) the suspects have been accused of carrying out cyber-attacks against more than 45 US companies, US government agencies, and several unnamed managed service providers.
Intrusions were also detected at companies in eleven other countries, but which were not the subject of the indictment. Affected countries include Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, and the United Kingdom.
The list of victims is a list of "who's who of the global economy," said DOJ officials in a press conference today.
Suspects are part of APT10
The two hackers are part of a cyber-espionage group that's been on the radar of cyber-security firms all over the world under codenames such as APT10 (FireEye), Red Apollo (PwC), CVNX (BAE Systems), Stone Panda (CrowdStrike), POTASSIUM (Microsoft), and MenuPass (Trend Micro).
According to court documents, the attacks started in 2006. Investigators said the two nationals and fellow APT10 hackers used spear-phishing to collect credentials from employees at various companies. They used these credentials to plant malware on a company's network, which they later used to steal gigabytes of intellectual property.
Attacks later targeted the infrastructure of managed service (cloud service) providers. Hackers gained access to the cloud provider's underlying infrastructure, from where they stole data from customer accounts, or used the access to this cloud service to pivot inside companies' IT networks.
This latter operation has been thoroughly documented in a 2017 report authored by PwC and BAE Systems, named Operation Cloud Hopper.
The DOJ also said the two suspects and fellow APT10 hackers also breached the NASA Goddard Space Center and Jet Propulsion Laboratory, the US Department of Energy's Lawrence Berkeley National Laboratory, and the US Navy. From the latter, officials said, the hackers stole the personal details of over 100,000 Navy personnel.
US formally accuses China of hacking
Through its indictment today, US authorities formally accused the Chinese government, through its Ministry of State Security (MSS), of orchestrating APT10 hacks. The indictment claims the two suspects charged today took their marching orders from MSS officials.
Officials also accused China of breaking its non-hacking pact that the country signed with the US in 2015. US authorities said the APT10 hacks were carried out to steal proprietary information from US companies to help the Chinese economy and its local companies.
Australia, Canada, Germany, Japan, and the UK are also expected to make formal accusations and supporting statements.
This is also not the first time that the US has charged Chinese hackers on accusations of hacking on orders from the Beijing government. The US had done so the first time in 2014 when it charged five officers in Unit 61398 of the Third Department of the Chinese People's Liberation Army (PLA).
The second time was in 2017 when it charged three Chinese nationals, who, it said, were part of another hacking group known as APT3. The US said the three suspects were members of Boyusec, a cyber-security firm that the MSS hired to carry out hacks on command.
The DOJ charges today come after an anonymous group known as Intrusion Truth had doxxed three Chinese nationals in August as being part of APT10, and of taking their orders from the MSS. Intrusion Truth also doxxed APT3 members months before they were formally charged by the US in 2017.
The names of the two Chinese nationals accused of being part of APT10 are Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp. They are now wanted by the FBI. The latter is also one of the three individuals named in the Intrusion Truth report.
More cybersecurity coverage:
- Two Android apps used in combat by US troops contained severe vulnerabilities
- US ballistic missile systems have very poor cyber-security
- Nokia denies leaking internal credentials in server snafu
- DOD doesn't keep track of duplicate or obsolete software
- Shamoon malware destroys data at Italian oil and gas company
- New attack intercepts keystrokes via graphics libraries
- How to enable spam call filtering on your Android phone TechRepublic
- New antiphishing features come to Google G Suite CNET