[BreachExchange] Chinese hackers charged with stealing data from NASA, IBM, and others

[Destry Winant]

https://www.theverge.com/2018/12/20/18150275/chinese-hackers-stealing-data-nasa-ibm-charged

The Department of Justice (DOJ) has charged two Chinese nationals with
being part of a decade-long, government-sponsored global hacking
campaign that included the alleged theft of information from 45 US
tech companies and government agencies, including NASA’s Jet
Propulsion Laboratory and Goddard Space Flight Center.

The charges, announced after the US government unsealed an indictment
against the two individuals on Thursday, come at a time of high
tension between the US and China. In the middle of a detente in the
trade war between the two countries, the US recently coordinated with
Canada to arrest the CFO of Huawei, one of China’s biggest companies.
The Chinese government has detained three Canadian citizens in
response while demanding the executive’s release. The indictment is
also just the latest in a long line of accusations that the Chinese
government has sponsored or sought the theft of American technology.

“As evidenced by this investigation, the threats we face have never
been more severe, or more pervasive, or more potentially damaging to
our national security, and no country poses a broader, more severe
long-term threat to our nation’s economy and cyber infrastructure than
China,” FBI Director Christopher Wray said during a press conference
Thursday. “China’s goal, simply put, is to replace the US as the
world’s leading superpower, and they’re using illegal methods to get
there.”

Zhu Hua and Zhang Shilong were part of a Chinese hacking group known
in the cyber security community as Advanced Persistent Threat 10, or
APT10, according to the indictment. The alleged hackers went by a
number of different aliases, including “Godkiller,” and the hacking
operation was sometimes known as different names like “Red Apollo,”
“Stone Panda,” and “POTASSIUM,” according to the charging document.

Starting around 2006 and running through this year, APT10 used an
evolving set of techniques to break down network defenses, select
victims, and access sensitive information, according to the DOJ. The
group relied heavily on spear phishing attacks to place malware on
victims’ computers. They masked themselves with seemingly legitimate
email addresses, sent messages with attached documents loaded with
malicious code, but named the documents in a way that made them look
relevant to the company. (The DOJ describes one scenario where
employees of an unnamed victim company involved in helicopter
manufacturing were sent an email with the subject line “C17 Antenna
problems,” and a malicious Microsoft Word document named “12-204 Side
Load Testing.doc.”)

The malware gave the hackers remote access to the infected computers,
and also allowed them to log employees’ keystrokes, offering up
usernames and passwords. Over the course of the hacking campaign, the
group accessed at least 90 computers and stole hundreds of gigabytes
of data, according to the charging document. This included computers
from seven companies involved in aviation, space, and satellite
technology, three communications companies, a US Department of Energy
National Laboratory, as well as NASA’s Goddard Space Flight Center and
its Jet Propulsion Laboratory. The DOJ did not describe the specific
nature of the documents that were stolen, and it’s unclear if the
indictment is related to the internal memo that circulated earlier
this week at NASA about a potential hack involving “Personally
Identifiable Information.”

Starting around 2014, APT10 also targeted “managed service providers,”
which Deputy Attorney General Rod Rosenstein described in a press
conference as “firms that are trusted to store, process and protect
commercial data, including intellectual property, and other
confidential business information.” This separate slice of the hacking
campaign gave the group access to the computers and networks in at
least 12 different countries, including those of a number of unnamed
consulting companies, health care and biotechnology companies, and a
“global financial institution.” Two of the compromised managed service
providers were Hewlett Packard Enterprise and IBM, according to
Reuters.

Rosenstein specifically mentioned that the industries targeted in the
hacking campaign line up with the ones core to the Chinese
government’s “Made in China 2025” plan, which is meant to extend the
country’s economic influence throughout the world.

The DOJ says the hacking group operated in a number of locations
throughout China, but the agency specifically names the city of
Tianjin as a hub for APT10. They’re accused of working with the
Tianjin bureau of China’s Ministry of State Security, the government’s
intelligence agency. Zhu and Zhang have also been charged with wire
fraud and identity theft.

The US has long accused China of so-called economic espionage, or
performing government-backed hacking for the purpose of stealing trade
secrets and other confidential business information in order to
benefit the country’s booming — but in many cases, still developing —
industries. (Perhaps most famously, China used information gathered
from hackers to copy the C-17 aircraft that was developed by Boeing
and used by the US military.)

The two countries reached an agreement in 2015 that was supposed to
curb state-sponsored cyber attacks on both sides. And for a while it
looked like both sides were adhering to it, with China arresting a
handful of nationals for economic espionage shortly after the truce
was signed, and the G20 officially endorsing the deal. But that
agreement has apparently not stopped China from continuing such
attacks, Rosenstein said Thursday.

“It is unacceptable that we continue to uncover cyber crime committed
by China against America and other nations,” he said. “In 2015, China
promised to stop stealing trade secrets and other confidential
business information through computer hacking with the intent of
providing competitive advantage to companies in the commercial sector.
But the activity alleged in this indictment violates the commitment
that China made” to the United States, the G20, and the international
community, he said.

The two Chinese nationals named in the indictment still live in China,
and so there’s very little chance that they will ever be prosecuted in
the US. “We hope the day will come when those defendants face justice
under the rule of law in an American courtroom,” Rosenstein said
Thursday. “Until then, they and other hackers who steal from our
companies for the apparent benefit of Chinese industry should
remember: there is no free pass to violate American laws merely
because they do so under the protection of the foreign state.”