Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Pair on cyber-espionage rap, HPE, IBM and their clients said to be among those hit

Two men, linked to the Chinese government, stand accused of hacking cloud giants, aerospace and defense companies, chip designers, US government agencies – including the Navy – and other organizations globally.

The duo's goal, according to American prosecutors: stealing blueprints and other secrets from dozens of corporations, departments, and other outfits on Beijing's orders. It is understood the allegations were unsealed and made public this week by the Trump administration to pile further pressure on China amid an ongoing trade war.

The two Chinese citizens, Zhu Hua (朱华) – whose online identities are said to include Afwar, CVNX, Alayos, and Godkiller – and Zhang Shilong (张士龙) – whose aliases are said to include Baobeilong, Zhang Jianguo, and Atreexp – are alleged to be part of a hacker gang referred to as APT10, among other names. They're charged with conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft.

APT stands for Advanced Persistent Threat, a trendy term for malware and exploit code that requires some skill to create. As is usual in the mildly cartoonish world of cybersecurity, APT10 has been referred to as Stone Panda, MenuPass and Red Apollo.

"This case is significant because the defendants are accused of targeting and compromising managed service providers, or MSPs," said Deputy Attorney General Rod Rosenstein in a statement today. "MSPs are firms that other companies trust to store, process, and protect commercial data, including intellectual property and other confidential business information. When hackers gain access to MSPs, they can steal sensitive business information that gives competitors an unfair advantage."

According to Rosenstein, over 90 per cent of US Justice Dept cases alleging economic espionage over the past seven years involve China.

Though no victims are named by the prosecution... HPE and IBM are said to be among those infiltrated by the Chinese hacker gang. The miscreants' campaign to break into the tech giants was dubbed Cloudhopper because it allegedly involved slipping into HPE and IBM's cloud services to then creep through to their clients' networks. Big Blue said it had no evidence of corporate secrets being accessed. An HPE spokesperson said: "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."

'Trade secrets and economies'

The UK government publicly echoed the US charges. "This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said UK Foreign Secretary Jeremy Hunt.

The UK's Government Communications Headquarters (GCHQ), through its public-facing National Cyber Security Centre (NCSC) offshoot, said APT10 had “targeted healthcare, defense, aerospace, government, heavy industry/mining, Managed Service Providers (MSPs) and IT industries, among many other sectors.”

The NCSC also warned that APT10’s intellectual property theft is "current," having been "facilitated by the group’s targeting of MSPs" – and added that "in some cases basic cyber security measures are still not being taken, and this is not acceptable."

The US Energy Department also chimed in to scold the Chinese government and APT10. "Malicious actors are conducting sophisticated attacks to threaten our nation's critical infrastructure," said Secretary of Energy Rick Perry in a statement.

And the FBI put the defendants on a wanted poster.


The US indictment claims the two men worked for a company called Huaying Haitai in Tianjin, China, and acted in coordination with the Chinese Ministry of State Security's Tianjin State Security Bureau.

From 2006 through 2018, a criminal indictment states, members of the APT10 group, including the defendants, broke into the computer systems of commercial and defense tech companies, and US government agencies. They allegedly penetrated more than 45 such organizations in at least 12 states. They're said to have stolen gigabytes of data from organizations involved in aerospace, satellites, manufacturing, pharmaceuticals, oil and gas exploration and production, communications, and computer processors.

Starting in 2014, the group is said to have focused on MSPs. The indictment says APT10 and the defendants compromised a service provider with offices in New York and clients in at least 12 countries including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.

The international uniform of hackers, the hoodie

Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff


APT10 is also blamed for breaking into US Navy computer systems and stealing confidential data, including personal information for 100,000 Naval personnel. NASA was among other American government agencies affected.

In 2013, APT10, as MenuPass, was targeting defense contractors, while accounts ‘n’ audits firm PricewaterhouseCoopers (PWC) and BAE Systems jointly called out APT10's Chinese links almost 18 months ago.

The indictment outlines APT10's attack strategy, which included individually targeted phishing emails (spear phishing) with attachments that, when opened, installed and ran spyware and other data-stealing software nasties.

The group often used the QuasarRAT remote admin malware. Once inside a network, the hackers would extract documents – not only intellectual property and valuable commercial files but also personal data of staff, contractors and business contacts, usually by zipping them into a .rar file.

GCHQ’s summary (PDF, 6 pages) of APT10’s tactics said: "Industry partners have reported that data exfiltrated often relates to human resources information, suggesting an interest in the targeted company specifically, as well as potentially developing access to customers and suppliers."

It also listed IP addresses that the NCSC had definitely linked to the advanced persistent threat crew’s command and control servers, ready for alert IT bods to block:


The Justice Department's name-and-shame strategy echoes its 2014 indictment of five members of the Chinese military for cyber attacks. Those five have yet to be apprehended.

While the FBI said Zhu Hua and Zhang Shilong can be arrested if they travel outside China, Rosenstein made clear in his remarks that America doesn't expect the two to appear before a US judge any time soon. China has no extradition agreement with the US, and ongoing trade conflict between the two countries, exacerbated by the recent arrest of a Huawei executive in Canada at the behest of the US, makes any sort of accord look unlikely.

"We hope the day will come when the defendants face justice under the rule of law in a federal courtroom," said Rosenstein. "Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industries should remember: There is no free pass to violate American laws merely because they do so under the protection of a foreign state."

There's no real penalty either. ®

Broader topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Inverse Finance stung for $1.2 million via flash loan attack
    Just cryptocurrency things

    A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.

    "Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."

    And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty."

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Governments opt for XaaS, dump datacenters in droves
    Outsource all the things! To whom? The lowest bidder of course, says Gartner

    The world's governments are eager to let someone else handle their IT headaches, according to a recent Gartner report, which found a healthy appetite for "anything-as-a-service" (XaaS) platforms to cut the costs of bureaucracy.

    These trends will push government IT spending to $565 billion in 2022, up 5 percent from last year, the analyst house claims. Gartner believes the majority of new government IT investments will be on service platforms by 2026.

    "The pandemic sped up public-sector adoption of cloud solutions and the XaaS model for accelerated legacy modernization and new service implementations," Gartner analyst Daniel Snyder said in a release. "Fifty-four percent of government CIOs responding to the 2022 Gartner CIO survey indicated that they expect to allocate additional funding to cloud platforms in 2022, while 35 percent will decrease investments in legacy infrastructure and datacenter technologies."

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022