Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/21/2018
07:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign

US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?

The US government has indicted two Chinese hackers for their roles in a state-sponsored cyber esponiage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs' clients. Security experts wonder, however, what impact the indictments will really make.

In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security's Tianjin State Security Bureau. 

Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure, and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms, and government organizations for years. In 2017, the group was found to be targeting MSPs, in an attack campaign dubbed Operation Cloud Hopper.

"APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups," said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. "Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics." 

Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous MSPs around the world in order to then gain access to systems belonging to the MSPs' clients. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors, including banking, finance, manufacturing, consumer electronics, medical equipment, biotech, and automotive.

Long-Standing Issue
In announcing the charges, US officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.

"It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free," said Geoffrey Berman, US Attorney for the Southern District of New York. "As a nation, we cannot, and will not, allow such brazen thievery to go unchecked."

FBI director Christopher Wray described China's cyber campaigns and the alleged motives behind them as hurting American businesses, jobs, and consumers. "No country should be able to flout the rule of law – so we're going to keep calling out this behavior for what it is: illegal, unethical, and unfair," he said.

The allegations are not new but are almost certain to put further pressure on the already strained relationship between the US and China. The Washington Post last week, in fact, had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.

Planned actions include sanctions against individuals responsible for the activities and declassification of information related to the breaches.

How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there's no evidence that hacking activity out of the country has even abated, far less stopped.

Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. "At the same time, we've seen this play out before, dating back to 2014 when several [People's Liberation Army] officers were indicted on hacking charges," Weinstein says. "It's not clear to me that the legal process is the best way of stopping what has been China's persistent behavior for over a decade."  

Indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals, says Pravin Kothari, CEO of CipherCloud. "The US government needs to defend our Internet infrastructure to protect commerce and communications," he says.

It needs to be done within the rule of the law and by making all evidence available for public view, too. "In the meantime, we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity," Kothari says.

The Charges
The victim organizations of the MSP campaign were scattered across 12 countries, including the US, UK, Germany, France, Switzerland, Sweden, and India.

Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and US government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors, three communications companies, three manufacturers of advanced electronic components, NASA, and the Jet Propulsion Laboratory.

The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .