US charges two Chinese nationals for massive data thefts from NASA and others

The US Department of Justice (DoJ) has charged two Chinese nationals who are alleged members of the notorious hacking group APT10, accusing them of stealing technology secrets from dozens of US organizations, including NASA.

DoJ officials today unsealed computer intrusion and wire fraud charges against Zhu Hua and Zhang Shilong, employees of the private firm Huaying Haitai Science and Technology Development Company, based in Tianjin, China. 

The pair are said to be members of Chinese state-sponsored hacking group APT10, and are accused of acting “in association” with the Chinese Ministry of State Security to steal hundreds of gigabytes of intellectual property and trade secrets from organizations in the US and elsewhere between 2006 and 2018. 

The DoJ’s charges are part of its “naming and shaming” effort focused on the blurred distinction between the military and intelligence hackers of some countries and the private contractors they hire, who may have ulterior commercial ambitions.

In October 2017, the DoJ charged several Chinese nationals who worked for a private firm, “Boyusec”, in a case that didn’t include allegations against the Chinese state. A DoJ official in October described those charges as part of a US domestic effort to monitor compliance with a 2015 promise by China not to steal trade secrets to gain a competitive commercial advantage.

The DoJ’s charge sheet against Zhu and Zhang says that APT10 hacked 45 US organizations to steal “hundreds of gigabytes” of information about technology in aviation, space and satellite, manufacturing, pharmaceuticals, oil and gas exploration, communications, CPUs, and maritime.

The charges don’t name private companies affected but note that APT10 stole data from NASA and the NASA Jet Propulsion Laboratory, and gained unauthorized access to data from the US Department of Energy’s Lawrence Berkeley National Laboratory. 

APT10 is alleged to have compromised 40 computers to steal personally identifiable information on more than 100,000 Navy personnel in a breach discovered in 2016. 

“No country poses a broader, more severe, & long-term threat to our nation’s economy & cyber infrastructure than China,” said FBI director Christopher Wray.

“China’s goal, simply put, is to replace the U.S. as the world’s leading superpower – and they’re using illegal methods to get there.” 

Zhu and Zhang are accused of intruding into the networks of managed IT service providers (MSPs) that provided the IT infrastructure for storing and processing the data of the affected targets.

Zhang was one of the three people referenced in a post this August by anonymous analysts behind the blog Intrusion Truth, a group focussed on identifying Chinese state-sponsored contractors that began publishing information in April 2017. 

The blog outlined connections between Zhang’s employer Huaying Haitai and APT10. A recent report by the group left open the question of whether the company was hacking on behalf of the Chinese government.  

The group began posting information about APT10 and another hacking group, APT3, after cybersecurity agencies in the UK and Australia posted alerts about APT10 attacks on MSPs and cloud providers.

The National Cyber Security Centre, a part of UK spy agency GCHQ, today published an update to the earlier alert stating that APT10 was still targeting UK organizations.

“The NCSC is aware of current malicious activity affecting UK organisations across a broad range of sectors, likely conducted by APT10. This activity will almost certainly have been facilitated by the group’s targeting of MSPs, as well as other outsourcing providers,” NCSC said.  

The indictment highlights an attack on a New York-based MSP that compromised data of clients in 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the UK, and the US.

At one compromised MSP, the APT10 group installed a customized version of the malware PlugX, also known as RedLeaves and QuasarRAT. The attackers also used credentials stolen from an MSP to create Remote Desktop Protocol connections to the MSP’s own systems and those of its clients.

The charges come amid a trade war between the US and China and the arrest earlier this month of Huawei chief financial officer Meng Wanzhou. US authorities requested her arrest for allegedly lying to banks about Huawei’s business with Iran and causing them to violate US sanctions against Iran.
