Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/21/2018
07:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign

US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?

The US government has indicted two Chinese hackers for their roles in a state-sponsored cyber esponiage campaign that included attacks on managed service providers (MSPs) and, subsequently, the MSPs' clients. Security experts wonder, however, what impact the indictments will really make.

In an indictment unsealed in Manhattan federal court, the Justice Department described Zhu Hua and Zhang Shilong as members of APT10, a cyber espionage group working for the Chinese Ministry of State Security's Tianjin State Security Bureau. 

Security researchers have long identified China as one of the biggest sources of hacking activity targeted against US companies, critical infrastructure, and government. APT10 has been previously linked to attacks on construction companies, aerospace firms, telecoms, and government organizations for years. In 2017, the group was found to be targeting MSPs, in an attack campaign dubbed Operation Cloud Hopper.

"APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups," said Ben Read, senior manager of cyber espionage analysis at FireEye, in a statement. "Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics." 

Through their involvement with APT10, Zhu and Zhang are alleged to have broken into computers and networks belonging to numerous MSPs around the world in order to then gain access to systems belonging to the MSPs' clients. Over the course of the MSP theft campaign, which began in 2014, Zhu and Zhang allegedly gained access to and stole data from computers belonging to organizations in various sectors, including banking, finance, manufacturing, consumer electronics, medical equipment, biotech, and automotive.

Long-Standing Issue
In announcing the charges, US officials accused the Chinese government of actively supporting the hacking activities to further its own long-term economic and security goals.

"It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free," said Geoffrey Berman, US Attorney for the Southern District of New York. "As a nation, we cannot, and will not, allow such brazen thievery to go unchecked."

FBI director Christopher Wray described China's cyber campaigns and the alleged motives behind them as hurting American businesses, jobs, and consumers. "No country should be able to flout the rule of law – so we're going to keep calling out this behavior for what it is: illegal, unethical, and unfair," he said.

The allegations are not new but are almost certain to put further pressure on the already strained relationship between the US and China. The Washington Post last week, in fact, had described the then forthcoming indictments as part of an intensifying US campaign to confront China over the economic espionage activities.

Planned actions include sanctions against individuals responsible for the activities and declassification of information related to the breaches.

How far such measures will go to deter China remains an open question. Though China famously signed an agreement with the US in 2015 promising not to engage in cyber activities for economic espionage, there's no evidence that hacking activity out of the country has even abated, far less stopped.

Dave Weinstein, vice president of threat research at Claroty, sees the latest actions as yet another example of the effort law enforcement is putting into investigating and holding accountable those responsible for such attacks. "At the same time, we've seen this play out before, dating back to 2014 when several [People's Liberation Army] officers were indicted on hacking charges," Weinstein says. "It's not clear to me that the legal process is the best way of stopping what has been China's persistent behavior for over a decade."  

Indictments like these highlight the challenge the private industry faces in defending against well-funded, state-sponsored actors with little concern about reprisals, says Pravin Kothari, CEO of CipherCloud. "The US government needs to defend our Internet infrastructure to protect commerce and communications," he says.

It needs to be done within the rule of the law and by making all evidence available for public view, too. "In the meantime, we also need to engage in constructive discussions with the Chinese government to try to reach an end to this activity," Kothari says.

The Charges
The victim organizations of the MSP campaign were scattered across 12 countries, including the US, UK, Germany, France, Switzerland, Sweden, and India.

Separately, Zhu, a penetration tester, and Zhang, a malware developer, also broke into computers and networks belonging to 45 technology companies and US government agencies in 12 states. The technology theft campaign began in 2006 and resulted in Zhu and Zhang stealing hundreds of gigabytes of sensitive data. Among the victims were seven organizations in the aviation and space sectors, three communications companies, three manufacturers of advanced electronic components, NASA, and the Jet Propulsion Laboratory.

The APT10 intrusions include one that compromised more than 40 computers belonging to the Navy and resulted in the theft of personally identifiable information belonging to some 100,000 Navy personnel.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.