The Department of Justice charged two Chinese hackers Thursday for allegedly engaging in a global cyber espionage campaign on behalf of the Chinese government, and while the suspects remain at-large in their home countries, the secretaries of State and Homeland Security are concerned the allegations violate U.S.-China cyber commitments signed by China’s President Xi Jinping in 2015.
The data stolen includes the personally identifiable information of 100,000 U.S. Navy personnel, sensitive data from the National Aeronautics and Space Administration and dozens of tech companies around the world.
“These actions by Chinese actors to target intellectual property and sensitive business information present a very real threat to the economic competitiveness of companies in the United States and around the globe,” Secretary of State Mike Pompeo and DHS Secretary Kirstjen Nielsen said in a joint statement. “We will continue to hold malicious actors accountable for their behavior, and today the United States is taking several actions to demonstrate our resolve. We strongly urge China to abide by its commitment to act responsibly in cyberspace and reiterate that the United States will take appropriate measures to defend our interests.”
The alleged hackers, Zhu Hua and Zhang Shilong, are accused of working in a cybersecurity community officially designated as the Advanced Persistent Threat Group 10 (APT10), and which is alternatively known as “Red Apollo,” “CVNX,” “Stone Panda,” “MenuPass,” and “POTASSIUM.” The pair worked for Chinese firm Huaying Haitai Science and Technology Development Company, and in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
Deputy Attorney General Rod J. Rosenstein said that more than 90 percent of the department’s cases alleging economic espionage over the past seven years involve China, and said that this case is significant because the defendants are accused of targeting and compromising Managed Service Providers ( MSPs) in at least a dozen countries.
“The victims included companies in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration and mining. The defendants allegedly committed these crimes in association with a Chinese intelligence service known as the Ministry of State Security,” Rosenstein said. “We want China to cease illegal cyber activities and honor its commitment to the international community, but the evidence suggests that China may not intend to live up to its promises.”
The APT10 Group is accused of:
- Stealing hundreds of gigabytes of sensitive data and information from seven companies involved in aviation, space and/or satellite technology; three companies involved in communications technology; three companies involved in manufacturing advanced electronic systems and/or laboratory analytical instruments; a company involved in maritime technology; a company involved in oil and gas drilling, production, and processing and the NASA Goddard Space Center and Jet Propulsion Laboratory.
- Gaining unauthorized access to the computers of more than 45 technology companies and U.S. government agencies in a dozen states, including Arizona, California, Connecticut, Florida, Maryland, New York, Ohio, Pennsylvania, Texas, Utah, Virginia and Wisconsin.
- Gaining unauthorized access to computers belonging to more than 25 other technology-related companies involved in, among other things, industrial factory automation, radar technology, oil exploration, information technology services, pharmaceutical manufacturing and computer processor technology and the U.S. Department of Energy’s Lawrence Berkeley National Laboratory.
- Compromising more than 40 computers to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers and email addresses of more than 100,000 Navy personnel.
- Gaining unauthorized access to computers providing services to or belonging to victim companies located in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States. The victim companies included at least the following: a global financial institution, three telecommunications and/or consumer electronics companies; three companies involved in commercial or industrial manufacturing; two consulting companies; a healthcare company; a biotechnology company; a mining company; an automotive supplier company and a drilling company.