Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/21/2018
07:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign

US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?

The US government has indicted two Chinese hackers for their roles in a state-sponsored cyber esponiage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs' clients. Security experts wonder, however, what impact the indictments will really make.

In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security's Tianjin State Security Bureau. 

Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure, and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms, and government organizations for years. In 2017, the group was found to be targeting MSPs, in an attack campaign dubbed Operation Cloud Hopper.

"APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups," said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. "Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics." 

Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous MSPs around the world in order to then gain access to systems belonging to the MSPs' clients. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors, including banking, finance, manufacturing, consumer electronics, medical equipment, biotech, and automotive.

Long-Standing Issue
In announcing the charges, US officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.

"It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free," said Geoffrey Berman, US Attorney for the Southern District of New York. "As a nation, we cannot, and will not, allow such brazen thievery to go unchecked."

FBI director Christopher Wray described China's cyber campaigns and the alleged motives behind them as hurting American businesses, jobs, and consumers. "No country should be able to flout the rule of law – so we're going to keep calling out this behavior for what it is: illegal, unethical, and unfair," he said.

The allegations are not new but are almost certain to put further pressure on the already strained relationship between the US and China. The Washington Post last week, in fact, had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.

Planned actions include sanctions against individuals responsible for the activities and declassification of information related to the breaches.

How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there's no evidence that hacking activity out of the country has even abated, far less stopped.

Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. "At the same time, we've seen this play out before, dating back to 2014 when several [People's Liberation Army] officers were indicted on hacking charges," Weinstein says. "It's not clear to me that the legal process is the best way of stopping what has been China's persistent behavior for over a decade."  

Indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals, says Pravin Kothari, CEO of CipherCloud. "The US government needs to defend our Internet infrastructure to protect commerce and communications," he says.

It needs to be done within the rule of the law and by making all evidence available for public view, too. "In the meantime, we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity," Kothari says.

The Charges
The victim organizations of the MSP campaign were scattered across 12 countries, including the US, UK, Germany, France, Switzerland, Sweden, and India.

Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and US government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors, three communications companies, three manufacturers of advanced electronic components, NASA, and the Jet Propulsion Laboratory.

The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17123
PUBLISHED: 2019-12-13
The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)
CVE-2019-19774
PUBLISHED: 2019-12-13
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential...
CVE-2019-19790
PUBLISHED: 2019-12-13
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All...
CVE-2019-19793
PUBLISHED: 2019-12-13
In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Windows, a local or remote user from the same domain can gain privileges.
CVE-2019-19722
PUBLISHED: 2019-12-13
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.