The Department of Justice (DOJ) has charged two Chinese nationals with being part of a decade-long, government-sponsored global hacking campaign that included the alleged theft of information from 45 US tech companies and government agencies, including NASA’s Jet Propulsion Laboratory and Goddard Space Flight Center.
The charges, announced after the US government unsealed an indictment against the two individuals on Thursday, come at a time of high tension between the US and China. In the middle of a detente in the trade war between the two countries, the US recently coordinated with Canada to arrest the CFO of Huawei, one of China’s biggest companies. The Chinese government has detained three Canadian citizens in response while demanding the executive’s release. The indictment is also just the latest in a long line of accusations that the Chinese government has sponsored or sought the theft of American technology.
“As evidenced by this investigation, the threats we face have never been more severe, or more pervasive, or more potentially damaging to our national security, and no country poses a broader, more severe long-term threat to our nation’s economy and cyber infrastructure than China,” FBI Director Christopher Wray said during a press conference Thursday. “China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there.”
Zhu Hua and Zhang Shilong were part of a Chinese hacking group known in the cyber security community as Advanced Persistent Threat 10, or APT10, according to the indictment. The alleged hackers went by a number of different aliases, including “Godkiller,” and the hacking operation was sometimes known as different names like “Red Apollo,” “Stone Panda,” and “POTASSIUM,” according to the charging document.
Starting around 2006 and running through this year, APT10 used an evolving set of techniques to break down network defenses, select victims, and access sensitive information, according to the DOJ. The group relied heavily on spear phishing attacks to place malware on victims’ computers. They masked themselves with seemingly legitimate email addresses, sent messages with attached documents loaded with malicious code, but named the documents in a way that made them look relevant to the company. (The DOJ describes one scenario where employees of an unnamed victim company involved in helicopter manufacturing were sent an email with the subject line “C17 Antenna problems,” and a malicious Microsoft Word document named “12-204 Side Load Testing.doc.”)
The malware gave the hackers remote access to the infected computers, and also allowed them to log employees’ keystrokes, offering up usernames and passwords. Over the course of the hacking campaign, the group accessed at least 90 computers and stole hundreds of gigabytes of data, according to the charging document. This included computers from seven companies involved in aviation, space, and satellite technology, three communications companies, a US Department of Energy National Laboratory, as well as NASA’s Goddard Space Flight Center and its Jet Propulsion Laboratory. The DOJ did not describe the specific nature of the documents that were stolen, and it’s unclear if the indictment is related to the internal memo that circulated earlier this week at NASA about a potential hack involving “Personally Identifiable Information.”
Starting around 2014, APT10 also targeted “managed service providers,” which Deputy Attorney General Rod Rosenstein described in a press conference as “firms that are trusted to store, process and protect commercial data, including intellectual property, and other confidential business information.” This separate slice of the hacking campaign gave the group access to the computers and networks in at least 12 different countries, including those of a number of unnamed consulting companies, health care and biotechnology companies, and a “global financial institution.” Two of the compromised managed service providers were Hewlett Packard Enterprise and IBM, according to Reuters.
Rosenstein specifically mentioned that the industries targeted in the hacking campaign line up with the ones core to the Chinese government’s “Made in China 2025” plan, which is meant to extend the country’s economic influence throughout the world.
The DOJ says the hacking group operated in a number of locations throughout China, but the agency specifically names the city of Tianjin as a hub for APT10. They’re accused of working with the Tianjin bureau of China’s Ministry of State Security, the government’s intelligence agency. Zhu and Zhang have also been charged with wire fraud and identity theft.
The US has long accused China of so-called economic espionage, or performing government-backed hacking for the purpose of stealing trade secrets and other confidential business information in order to benefit the country’s booming — but in many cases, still developing — industries. (Perhaps most famously, China used information gathered from hackers to copy the C-17 aircraft that was developed by Boeing and used by the US military.)
The two countries reached an agreement in 2015 that was supposed to curb state-sponsored cyber attacks on both sides. And for a while it looked like both sides were adhering to it, with China arresting a handful of nationals for economic espionage shortly after the truce was signed, and the G20 officially endorsing the deal. But that agreement has apparently not stopped China from continuing such attacks, Rosenstein said Thursday.
“It is unacceptable that we continue to uncover cyber crime committed by China against America and other nations,” he said. “In 2015, China promised to stop stealing trade secrets and other confidential business information through computer hacking with the intent of providing competitive advantage to companies in the commercial sector. But the activity alleged in this indictment violates the commitment that China made” to the United States, the G20, and the international community, he said.
The two Chinese nationals named in the indictment still live in China, and so there’s very little chance that they will ever be prosecuted in the US. “We hope the day will come when those defendants face justice under the rule of law in an American courtroom,” Rosenstein said Thursday. “Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industry should remember: there is no free pass to violate American laws merely because they do so under the protection of the foreign state.”