In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.
As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.
Key takeaways from the indictment include:
- The tradecraft of targeting of MSPs: The most recent phase of APT10’s hacking campaign (the MSP Theft Campaign) is alleged to have targeted MSPs—IT companies that remotely manage clients’ servers and networks. By targeting MSPs’ networks, the hackers were able to leapfrog into the MSPs’ clients’ systems, thereby increasing exponentially the potential for data exfiltration. The charges underscore that it is important for MSPs and their clients to review their agreements to determine how data security risks are allocated.
- A sophisticated scheme to target technology companies and government information for more than a decade: APT10 also engaged in a technology theft campaign between 2006 and 2018, through which the group compromised the computer networks of more than 45 technology companies and U.S. government agencies based in at least 12 states. Beyond the breadth of information taken, the charges speak to the extent to which leading‑edge technology is increasingly the focus of sophisticated, state‑sponsored attacks.
- The latest example of the criminal justice system being used to deter and disrupt state-sponsored cybercrime and a likelihood of more charges to come: In announcing the charges, Deputy Attorney General Rod Rosenstein emphasized that “there is no free pass [for hackers] to violate American laws merely because they do so under the protection of a foreign state.” While the indictment did not identify specific victims of the intrusions, additional details—possibly including more indictments—may be released in the coming months that shed light on how the scheme was accomplished and what victims were targeted.
MSP Theft Campaign
The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages. First, the hackers gained unauthorized access into the MSPs’ computers and installed malware allowing APT10 to remotely monitor the computers and steal login credentials. The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection. APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.
By targeting MSPs, APT10 was able to gain access to a much larger network of companies in various industries than would have been possible by targeting individual companies. For example, the indictment noted that by compromising the network of one MSP in New York, APT10 was able to gain unauthorized access to clients in the banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining industries. Overall, the compromised MSPs and their clients spanned at least 12 different countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States.
Technology Theft Campaign
APT10’s Technology Theft Campaign targeted more than 45 U.S. commercial and defense technology companies operating in the aviation, space and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and production technology, communications technology, computer processor technology, and maritime technology industries. APT10 also stole sensitive data from the NASA Goddard Space Center and Jet Propulsion Laboratory, gained access to computers belonging to the U.S. Department of Energy’s Lawrence Berkeley National Laboratory, and compromised Navy computers to steal the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.
During the Technology Theft Campaign, APT10 used spear phishing techniques to send customized emails with legitimate-looking attachments, which would download malware onto the targets’ computers. The malware then secretly recorded the users’ keystrokes, which enabled the hackers to obtain login credentials. APT10 used these credentials to search victims’ computers and identify data of interest, which was later exfiltrated in encrypted archives.
DOJ’s Expanding Focus on Deterring and Disrupting State-Sponsored Cyber Espionage
This indictment is a key step in DOJ’s increased focus on state-sponsored economic espionage. In announcing the charges, Deputy Attorney General Rod Rosenstein highlighted “the threat that these actions pose to the prosperity and security of the United States and other nations that respect the rule of law” and explained that the “criminal justice system is a valuable tool” in the effort to combat state-sponsored cybercrime. The charges came just weeks after DOJ launched a new “China Initiative” to identify priority Chinese trade theft cases and dedicate additional resources to their speedy resolution. The Department of Homeland Security has set up a website with guidance for IT services providers and links to tools to help detect network intrusions and identify compromised systems.