WASHINGTON—Two Chinese hackers associated with the Ministry of State Security in China were charged by the United States with an extensive global computer-intrusion campaign carried out over more than a decade.
Deputy Attorney General Rod Rosenstein announced the charges at the Department of Justice (DOJ) on Dec. 20, together with FBI Director Christopher Wray and other officials.
According to the indictment, two Chinese citizens, acting on behalf of the Chinese regime’s main intelligence agency, carried out an extensive hacking campaign to steal hundreds of gigabytes of data from military service members, government agencies, and private companies in the United States and at least a dozen other countries.
The indictment makes clear that the United States is in a cyber war with China, which is one of the greatest security challenges facing the U.S. government and its citizens, and the United States must have a strategic response, experts said.
The two are accused of breaching computer networks in a broad swath of industries, including “aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical manufacturing, mining, and oil and gas exploration and production,” the DOJ said in a release.
Prosecutors say they also stole personal information of more than 100,000 U.S. Navy personnel, including names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses.
The two hackers, Zhu Hua and Zhang Shilong, as members of the APT10 Group (Advanced Persistent Threat 10), engaged in an intrusion campaign beginning in or about 2006 up to and including in or about 2018, the indictment reveals. One of the methods they allegedly used was to obtain unauthorized access to the computers and computer networks of managed service providers (MSPs) for businesses and governments around the world.
After they gained access to MSPs, they could “gain unauthorized access to the computers and computer networks of the MSPs’ clients and to steal, among other data, intellectual property and confidential business data on a global scale,” the release says.
“One way to think of what is alleged in this indictment, is that you’ve all heard about situations where you see someone essentially, the cyber-equivalent, of breaking into a house,” said Wray.
“This is more like breaking into and getting the keys from the maintenance supervisor who has the keys to hundreds and hundreds of apartments and all the residents in those apartments. That’s why this is so significant.”
Over the course of the MSP Theft Campaign, the APT10 Group successfully obtained unauthorized access to computers located in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States.
Rosenstein said this isn’t the first time the DOJ has accused Chinese state actors and associates of stealing commercial information.
“More than 90 percent of the department’s cases alleging economic espionage over the past seven years involve China,” Rosenstein said. “More than two-thirds of the department’s cases involving thefts of trade secrets are connected to China.”
Rosenstein said the illegal cyber activities aimed to help the Chinese regime to achieve its overall goal.
“For example, the Chinese industrial policy, known as ‘Made in China 2025,’ lists 10 strategic advanced manufacturing industries that the nation has targeted for promotion and development. Many of the companies allegedly targeted recently by Chinese defendants operate in sectors identified by that official policy,” Rosenstein said.
“Whether through computer hackers operating from China, or Chinese nationals recruited to steal trade secrets from companies in other countries, the goal is the same: to dominate production in strategically important industries by stealing ideas from other nations,” he said.
Wray told reporters that “no country poses a broader, more severe, long-term threat to our nation’s economy than China.”
“China’s state-sponsored actors are the most active perpetrators of economic espionage. While we welcome fair competition, we cannot and will not tolerate illegal hacking, stealing, or cheating,” Wray said.
Gary Miliefsky, a cybersecurity expert who is CEO of Cyber Defense Media Group and publisher of Cyber Defense Magazine, said: “Today marks the beginning of the FBI bringing to the forefront the reality that we are in fact in a cyber war with China.
“There is currently no cyber Geneva Convention, so China has proven an incredible ability to advance a multi-year plan to know everything about everyone they can in the USA and, of course, grab as much IP from our businesses as possible.
“They do this through some of the most powerful cyber warfare weapons available, including brilliant hacking, innovative malware, in-built exploitable vulnerabilities in computer and network supply chain, as well as espionage technologies purposefully developed into smartphones. This is one of the greatest security challenges to the U.S. government and its citizens that it’s ever faced since the Cold War.”
Casey Fleming, CEO of BlackOps Partners and an expert on cybersecurity, said the indictment of the two Chinese hackers is a start, but not good enough.
“The U.S. government needs to understand the Chinese Communist Party [CCP]’s overall strategy, which is to have command and control of the U.S. and its Western allies,” Fleming said. “When you understand the overall strategy, then you can understand the hacking. Right now, the hacking looks like it’s random. But it’s not. It’s part of a mass strategy by the CCP.”
Fleming said the U.S. government should raise awareness among all organizations of the CCP’s grand strategy, which has been underway since 1986.
“We have to look at how we protect our data differently. Right now, we, as a country, look at protecting data tactically, as an IT function. And that’s insufficient. It must be strategic,” said Fleming.
“And when you do that, you protect your data differently. You protect your data, your innovation, your intellectual property, sensitive data and trade secrets. You must protect that, and control who has access to it. The most sensitive data and intellectual property should not be collected on the internet.”