The U.S. Justice Department today charged two Chinese state-sponsored hackers who, it says, infiltrated managed service provider (MSP) networks and stole companies’ intellectual property and sensitive data. While the U.S. government didn’t name any of the companies whose networks were compromised, Reuters reports that Hewlett Packard Enterprise and IBM are two of them.
The two hackers, Zhu Hua and Zhang Shilong, both Chinese nationals, were members of a state-sponsored group called Advanced Persistent Threat 10, or APT 10. They stole information from victims in at least a dozen countries, including more than 45 U.S. companies. According to the indictment, they were working in association with a Chinese intelligence service, the Ministry of State Security.
The hackers used malware to gain access to the computer networks and steal data between 2006 and 2018. They targeted a range of industries including banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.
The U.S. government first warned about nation-states using MSP networks to launch attacks in October. At the time it didn’t specifically link the threat to Chinese state-sponsored hackers, although security researchers did.
Using an MSP creates a larger attack surface for nation-states and criminals. Once they gain access to an MSP’s network, they can move between the MSP and the networks it shares with its customers. This bidirectional movement between networks lets hackers more easily avoid detection and maintain their presence on the network.
Rising U.S.-China Tensions
The charges come at a time of rising tensions between the U.S. and China. The U.S. has said Chinese companies like Huawei and ZTE — and their networking equipment — pose a national security threat. And earlier this month Huawei’s chief financial officer, who is also the daughter of the founder of Huawei, was arrested in Canada at the request of the United States.
“This indictment has effectively scrubbed the bilateral agreement between the United States and China in 2015 that called for a truce against hostile cyberattacks and espionage,” said Jonathan Bensen, interim CISO and director of product management at Balbix, in an email. “Regardless of these indictments, we will likely see more nation-state backed cyberattacks come to light in 2019 around the globe. Every organization’s security teams must be absolutely clear about the relative value of each of its IT assets and sets of information, and with that context prioritize its cybersecurity actions to proactively address the vulnerabilities that would put them at most risk. And do that before they become entry points for attackers.”