According to a newly unsealed indictment, two Chinese nationals working with the Chinese Ministry of State Security have been charged with hacking a number of U.S. government agencies and corporations. The court filing indicates that Zhu Hua and Zhang Jianguo, members of Advanced Persistent Threat 10 (APT10), used phishing techniques to steal intellectual property, confidential business data, and technological information between 2006 and 2018.
The APT10 Group was able to access more than 40 computers to steal confidential data from the U.S. Department of the Navy, including the personally identifiable information of more than 100,000 Navy personnel. The NASA Goddard Space Center and the space agency’s Jet Propulsion Lab were also named in the filing, according to a report in TechCrunch.
Tailored and Convincing Spearphishing Gave APT10 Unfettered Access
Rather than taking a spray-and-pray approach to their attack, APT10 carefully selected their targets and created tailored email campaigns to trick the recipient into opening malicious Word document attachments and files. The emails appeared to originate from a trusted sender, used legitimate-looking filenames and file types, and pertained to something relevant to the victim. An example included in the indictment involved a helicopter manufacturer that received an email with the subject line “C17 Antenna problems” that included a malicious Microsoft Word attachment named “12-204 Side Load testing.doc.”
This methodology created an air of safety and allowed the email recipients to open the emails and attachments without suspicion or question. The indictment indicates that the malware used in the campaigns typically included customized variants of a remote access Trojan (RAT), including one called Poison Ivy, and keystroke loggers used to steal usernames and passwords as users typed in their credentials.
The “Technology Theft Campaign”
Over the course of this campaign, members of APT10 – including Hua and Jianguo – gained access to approximately 90 computers belonging to commercial and defense technology companies, as well as U.S. Government agencies in at least 12 states. They stole hundreds of gigabytes of sensitive data and targeted the computers of companies across dozens of industries and technologies, including aviation, space and satellite, manufacturing, pharmaceutical, oil and gas exploration and production, communications, computer processing, and maritime.
The “MSP Theft Campaign”
In 2014, the defendants and co-conspirators in APT10 hacked into the computers and networks of managed service providers (MSPs) for businesses and governments around the world. Because MSPs are responsible for remotely managing their clients’ information technology infrastructure – like servers, storage, networking, consulting and support services – the attackers were able to steal intellectual property and confidential business data on a global scale. The indictment states that through one particular MSP, which supports operations for the Southern District of New York, the group was able to access data of clients from 12 different countries across dozens of industries, including banking and finance, healthcare, and biotechnology. The malware used in this campaign was programmed to communicate with domains, hosted by DNS service providers, that resolved to the IP addresses of computers APT10 controlled. In total, the group registered roughly 1,300 unique malicious domains.
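The detail that the malware called out to attacker-registered domains resolving to APT10-controlled IP addresses is what makes this kind of infrastructure discoverable from the defender's side: once one command-and-control IP is known, DNS resolution records let an analyst pivot from that IP to every name that pointed at it, and from those names to any further IPs they were re-pointed to. The following Python is an added example written for this article, not code from the indictment or from Veracode. The resolver log lines, host names and addresses are constructed (documentation-range IPs and `.test` names), and the "known bad" set stands in for indicators a defender would take from a report; the pivot logic goes a little beyond the text by also refusing to pivot through IPs that host very many names, since a shared hosting or CDN address would otherwise sweep legitimate domains into the result.

```python
"""Pivot from known command-and-control IP addresses to related infrastructure
using DNS resolution records.

Added example for this article; not code from the indictment or from Veracode.
All log lines, names and addresses below are constructed for illustration.
"""
from collections import defaultdict

# Constructed resolver log: timestamp, internal client, queried name, resolved IP.
# None of these names or addresses are real indicators.
DNS_LOG = """\
2018-04-02T09:14:03Z 10.20.1.15 updates.example-cdn.test 203.0.113.10
2018-04-02T09:14:05Z 10.20.1.15 mail.corp-portal.test 198.51.100.7
2018-04-02T09:15:41Z 10.20.1.22 sync.acme-dyn.test 203.0.113.10
2018-04-02T09:16:12Z 10.20.1.22 cdn.acme-dyn.test 203.0.113.11
2018-04-02T09:17:55Z 10.20.1.30 www.vendor-site.test 192.0.2.44
2018-04-02T09:18:20Z 10.20.1.30 srv1.acme-dyn.test 203.0.113.11
2018-04-02T09:18:21Z 10.20.1.30 srv2.acme-dyn.test 203.0.113.11
2018-04-02T09:18:22Z 10.20.1.30 srv3.acme-dyn.test 203.0.113.11
2018-04-02T09:19:00Z 10.20.1.15 login.corp-portal.test 198.51.100.7
2018-04-02T11:02:17Z 10.20.1.22 sync.acme-dyn.test 203.0.113.11
"""

# Constructed seed: the one C2 address an analyst already knows about.
KNOWN_C2_IPS = {"203.0.113.10"}


def parse_log(text):
    """Yield (timestamp, client, name, ip) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or line.lstrip().startswith("#"):
            continue
        yield tuple(parts)


def build_index(records):
    """Index resolutions both ways: ip -> names that resolved to it, name -> ips."""
    ip_to_names = defaultdict(set)
    name_to_ips = defaultdict(set)
    for _, _, name, ip in records:
        ip_to_names[ip].add(name)
        name_to_ips[name].add(ip)
    return ip_to_names, name_to_ips


def pivot(text, seed_ips, max_hops=2, shared_threshold=50):
    """Expand a seed set of bad IPs through shared DNS resolutions.

    Hop: every name that resolved to a suspect IP becomes suspect, and every
    IP such a name resolved to becomes suspect.  IPs that host more than
    shared_threshold distinct names are treated as shared hosting and are not
    pivoted through.  Returns (suspect_names, suspect_ips).
    """
    ip_to_names, name_to_ips = build_index(parse_log(text))
    suspect_ips = set(seed_ips)
    suspect_names = set()
    for _ in range(max_hops):
        pivot_ips = [ip for ip in suspect_ips
                     if len(ip_to_names.get(ip, ())) <= shared_threshold]
        new_names = {n for ip in pivot_ips for n in ip_to_names.get(ip, ())}
        new_ips = {ip for n in new_names for ip in name_to_ips[n]}
        if new_names <= suspect_names and new_ips <= suspect_ips:
            break  # nothing new reachable; stop early
        suspect_names |= new_names
        suspect_ips |= new_ips
    return suspect_names, suspect_ips


def clients_contacting(text, suspect_names):
    """Map each internal client to the suspect names it queried: the triage list."""
    hits = defaultdict(set)
    for _, client, name, _ in parse_log(text):
        if name in suspect_names:
            hits[client].add(name)
    return dict(hits)


if __name__ == "__main__":
    names, ips = pivot(DNS_LOG, KNOWN_C2_IPS)
    print("suspect IPs:  ", sorted(ips))
    print("suspect names:", sorted(names))
    for client, seen in sorted(clients_contacting(DNS_LOG, names).items()):
        print(f"{client} queried {sorted(seen)}")
```

With the constructed data, the first hop finds the two names that ever resolved to the seed address; because one of them (`sync.acme-dyn.test`) was later re-pointed to a second address, the second hop pulls in the four other names parked on that address. Note that `updates.example-cdn.test` is also flagged simply because it shared the seed IP: a pivot of this kind produces leads for triage, not verdicts, and lowering `shared_threshold` is the knob that trades recall for precision on crowded addresses.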
Stronger Security Hygiene Is Necessary to Avoid Digital Theft
Although prosecutions are unlikely, the details of the indictment clearly indicate that if a tech company is vulnerable, its valuable intellectual property and personal data can be taken.
“Tech companies aren’t ramping up their security to protect their IP and data commensurate with the value attackers put on the data,” said Veracode CTO Chris Wysopal. “Compromising endpoints with vulnerable Word Documents means there isn’t good endpoint hygiene. Microsoft has recently released Windows Sandbox for Windows Pro and Enterprise users. It would be a good idea to open externally sourced Word Documents with Word running in Windows Sandbox.”
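Wysopal's suggestion of opening outside documents inside Windows Sandbox is easy to turn into a repeatable routine, because the sandbox is driven by a small XML configuration file (`.wsb`) that Windows launches directly. The Python below is an added example written for this article, not Veracode's or Microsoft's code. It assumes the `.wsb` elements Microsoft documents for Windows Sandbox (`Configuration`, `VGpu`, `Networking`, `ProtectedClient`, `ClipboardRedirection`, `MappedFolders`/`MappedFolder`/`HostFolder`/`ReadOnly`, `LogonCommand`/`Command`), and that a mapped folder appears on the sandbox desktop under the `WDAGUtilityAccount` profile; the host folder and document name are placeholders. The choices baked in are the ones that matter for a malicious attachment: networking off so a dropped RAT or keylogger has nowhere to call, the document folder mapped read-only so nothing in the sandbox can modify the host copy, and a guard that rejects a document name containing path separators so the generated command cannot point outside the mapped folder.

```python
"""Generate a Windows Sandbox (.wsb) configuration for opening one untrusted
document in an isolated, throwaway Windows instance.

Added example for this article; not Veracode's or Microsoft's code.  Element
names are taken from Microsoft's Windows Sandbox configuration documentation
(assumed, not verified against a specific Windows build).  The folder path and
document name used below are placeholders.
"""
import ntpath
import xml.etree.ElementTree as ET

# Assumption: a mapped folder lands on the sandbox user's desktop.
SANDBOX_DESKTOP = r"C:\Users\WDAGUtilityAccount\Desktop"


def build_wsb(host_folder, document_name, networking=False):
    """Return the .wsb XML that opens document_name from host_folder in a sandbox.

    host_folder   - host directory holding the downloaded document (mapped read-only)
    document_name - bare file name inside host_folder; separators are rejected
    networking    - leave False for untrusted attachments; True restores default NIC
    """
    if not document_name or document_name in (".", "..") or any(
        sep in document_name for sep in ("\\", "/")
    ):
        raise ValueError("document_name must be a bare file name, not a path")
    folder_name = ntpath.basename(host_folder.rstrip("\\"))
    if not folder_name:
        raise ValueError("host_folder must be a directory, not a drive root")

    root = ET.Element("Configuration")
    ET.SubElement(root, "VGpu").text = "Disable"            # no GPU sharing
    ET.SubElement(root, "Networking").text = "Default" if networking else "Disable"
    ET.SubElement(root, "ProtectedClient").text = "Enable"  # extra host isolation
    ET.SubElement(root, "ClipboardRedirection").text = "Disable"

    folders = ET.SubElement(root, "MappedFolders")
    mapped = ET.SubElement(folders, "MappedFolder")
    ET.SubElement(mapped, "HostFolder").text = host_folder
    ET.SubElement(mapped, "ReadOnly").text = "true"        # sandbox cannot alter host copy

    # Path the document will have inside the sandbox, built from the folder name.
    doc_path = ntpath.join(SANDBOX_DESKTOP, folder_name, document_name)
    logon = ET.SubElement(root, "LogonCommand")
    ET.SubElement(logon, "Command").text = f'explorer.exe "{doc_path}"'
    return ET.tostring(root, encoding="unicode")


def sandbox_document_path(host_folder, document_name):
    """Where the document will appear inside the sandbox (helper for checks)."""
    return ntpath.join(SANDBOX_DESKTOP, ntpath.basename(host_folder.rstrip("\\")), document_name)


if __name__ == "__main__":
    # Placeholder host path; on a real machine point this at the download folder.
    config = build_wsb(r"C:\Users\alice\Downloads\untrusted", "12-204 Side Load testing.doc")
    print(config)
```

Save the output as, for example, `open-untrusted.wsb` and double-click it; the sandbox starts, shows the mapped folder on its desktop and runs the logon command. Two practical points: the sandbox image is a clean Windows with no Office installed, so Word has to be installed inside the sandbox for the file to open in Word (everything installed is discarded when the sandbox window closes), and keeping `networking=False` is what prevents any credential-stealing payload from reaching the operator's domains described earlier in the article.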