The US government has indicted two Chinese hackers for their roles in a state-sponsored cyber esponiage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs' clients. Security experts wonder, however, what impact the indictments will really make.
In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security's Tianjin State Security Bureau.
Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure, and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms, and government organizations for years. In 2017, the group was found to be targeting MSPs, in an attack campaign dubbed Operation Cloud Hopper.
"APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups," said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. "Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics."
Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous MSPs around the world in order to then gain access to systems belonging to the MSPs' clients. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors, including banking, finance, manufacturing, consumer electronics, medical equipment, biotech, and automotive.
In announcing the charges, US officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.
"It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free," said Geoffrey Berman, US Attorney for the Southern District of New York. "As a nation, we cannot, and will not, allow such brazen thievery to go unchecked."
FBI director Christopher Wray described China's cyber campaigns and the alleged motives behind them as hurting American businesses, jobs, and consumers. "No country should be able to flout the rule of law – so we're going to keep calling out this behavior for what it is: illegal, unethical, and unfair," he said.
The allegations are not new but are almost certain to put further pressure on the already strained relationship between the US and China. The Washington Post last week, in fact, had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.
Planned actions include sanctions against individuals responsible for the activities and declassification of information related to the breaches.
How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there's no evidence that hacking activity out of the country has even abated, far less stopped.
Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. "At the same time, we've seen this play out before, dating back to 2014 when several [People's Liberation Army] officers were indicted on hacking charges," Weinstein says. "It's not clear to me that the legal process is the best way of stopping what has been China's persistent behavior for over a decade."
Indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals, says Pravin Kothari, CEO of CipherCloud. "The US government needs to defend our Internet infrastructure to protect commerce and communications," he says.
It needs to be done within the rule of the law and by making all evidence available for public view, too. "In the meantime, we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity," Kothari says.
The victim organizations of the MSP campaign were scattered across 12 countries, including the US, UK, Germany, France, Switzerland, Sweden, and India.
Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and US government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors, three communications companies, three manufacturers of advanced electronic components, NASA, and the Jet Propulsion Laboratory.
The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.