U.S. Justice Department Indicts Chinese Hackers For Targeting MSPs

The U.S. Department of Justice has indicted two hackers associated with the Chinese government for targeting and compromising managed service providers to steal their clients' intellectual property.

"The [China-based] APT10 Group targeted MSPs in order to leverage the MSPs' networks to gain unauthorized access to the computers and computer networks of the MSPs' clients and steal, among other data, intellectual property and confidential business data on a global scale," the U.S. Justice Department wrote in a 22-page indictment unsealed Thursday.

Through the MSP theft campaign, which began in 2014, APT10 in one example broke into the computers of an MSP that had offices in New York state and compromised the data of both that MSP as well as some of its clients according to the indictment. China didn't immediately comment on Thursday's indictment, but has long denied accusations of cyberespionage. The names of the targeted MSPs are not identified in the indictment.

[Related: FireEye CEO Kevin Mandia's 5 Boldest Statements On Nation-State Threats]

The compromised clients operated out of at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States. They operated in a multitude of industries such as banking and finance, telecommunication and consumer electronics, and medical equipment, the indictment indicated.

As part of the indictment, Chinese nationals Zhu Hua and Zhang Shilong were each charged with three counts of computer hacking, conspiracy to commit wire fraud and aggravated identity theft. The defendants committed these crimes in associated with a Chinese intelligence services known as the Ministry of State Security, according to the U.S. Justice Department.

"We hope the day will come when the defendants face justice under the rule of law in a federal courtroom," Rod Rosenstein, U.S. deputy attorney general, said in a statement.

After APT10 broke into the computers of an MSP, the U.S. Justice Department said the attackers installed multiple different customized variants of malware. The malware was installed using malicious files that masqueraded as legitimate files to help avoid antivirus detection, according to the indictment.

The malware ultimately enabled members of APT10 to remotely monitor computers of MSP clients located around the world and steal user credentials using various credential theft tools, the Justice Department said. APT10 registered some 1,300 unique malicious domains in connection with the MSP theft campaign dating all the way back to 2010.

Once APT10 had stolen administrative credentials from an MSP's computer, the group used remote desktop protocol to initiate connections to other systems within an MSP and its clients' networks. This enabled APT10 to move laterally through the interconnected network and ultimately compromise an MSP and its clients' computers, even if no malware had previously been installed, the indictment said.

From there, the group used stolen credentials to move the data of an MSP client to one or more other compromised computers before ultimately exfiltrating the data to an IP address under the control of APT10. The group usually deleted stolen files from compromised computers in an effort to avoid detection and prevent the identification of the specific files that were stolen, the indictment said.

In April 2017, a private cybersecurity firm issued a public report identifying the malicious domains used by APT10. In response, the group began using new malware variants and new domains to commit intrusions, according to the indictment. These variants were less likely to be detected to victim companies and antivirus software.

The U.S. Justice Department said clients hit via an MSP during the APT10 campaign included: three telecom or consumer electronics firms; three commercial or industrial manufacturing firms; two consulting companies; a global financial institution; a healthcare company; a biotechnology company; a mining company; an automotive supplier company; and a drilling company.

CrowdStrike Co-Founder and CTO Dmitri Alperovitch said it was unprecedented and encouraging to see the U.S. government take a decisive stance against Chinese state-sponsored economic espionage.

"While this action alone will not likely solve the issue and companies in US, Canada, Europe, Australia and Japan will continue to be targeted … it is an important element in raising the cost and isolating them [China's Ministry of State Security] internationally,” Alperovitch said in a statement.