Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Pair on cyber-espionage rap, HPE, IBM and their clients said to be among those hit

Two men, linked to the Chinese government, stand accused of hacking cloud giants, aerospace and defense companies, chip designers, US government agencies – including the Navy – and other organizations globally.

The duo's goal, according to American prosecutors: stealing blueprints and other secrets from dozens of corporations, departments, and other outfits on Beijing's orders. It is understood the allegations were unsealed and made public this week by the Trump administration to pile further pressure on China amid an ongoing trade war.

The two Chinese citizens, Zhu Hua (朱华) – whose online identities are said to include Afwar, CVNX, Alayos, and Godkiller – and Zhang Shilong (张士龙) – whose aliases are said to include Baobeilong, Zhang Jianguo, and Atreexp – are alleged to be part of a hacker gang referred to as APT10, among other names. They're charged with conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft.

APT stands for Advanced Persistent Threat, a trendy term for malware and exploit code that requires some skill to create. As is usual in the mildly cartoonish world of cybersecurity, APT10 has been referred to as Stone Panda, MenuPass and Red Apollo.

"This case is significant because the defendants are accused of targeting and compromising managed service providers, or MSPs," said Deputy Attorney General Rod Rosenstein in a statement today. "MSPs are firms that other companies trust to store, process, and protect commercial data, including intellectual property and other confidential business information. When hackers gain access to MSPs, they can steal sensitive business information that gives competitors an unfair advantage."

According to Rosenstein, over 90 per cent of US Justice Dept cases alleging economic espionage over the past seven years involve China.

Though no victims are named by the prosecution... HPE and IBM are said to be among those infiltrated by the Chinese hacker gang. The miscreants' campaign to break into the tech giants was dubbed Cloudhopper because it allegedly involved slipping into HPE and IBM's cloud services to then creep through to their clients' networks. Big Blue said it had no evidence of corporate secrets being accessed. An HPE spokesperson said: "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."

'Trade secrets and economies'

The UK government publicly echoed the US charges. "This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world," said UK Foreign Secretary Jeremy Hunt.

The UK's Government Communications Headquarters (GCHQ), through its public-facing National Cyber Security Centre (NCSC) offshoot, said APT10 had “targeted healthcare, defense, aerospace, government, heavy industry/mining, Managed Service Providers (MSPs) and IT industries, among many other sectors.”

The NCSC also warned that APT10’s intellectual property theft is "current," having been "facilitated by the group’s targeting of MSPs" – and added that "in some cases basic cyber security measures are still not being taken, and this is not acceptable."

The US Energy Department also chimed in to scold the Chinese government and APT10. "Malicious actors are conducting sophisticated attacks to threaten our nation's critical infrastructure," said Secretary of Energy Rick Perry in a statement.

And the FBI put the defendants on a wanted poster.


The US indictment claims the two men worked for a company called Huaying Haitai in Tianjin, China, and acted in coordination with the Chinese Ministry of State Security's Tianjin State Security Bureau.

From 2006 through 2018, a criminal indictment states, members of the APT10 group, including the defendants, broke into the computer systems of commercial and defense tech companies, and US government agencies. They allegedly penetrated more than 45 such organizations in at least 12 states. They're said to have stolen gigabytes of data from organizations involved in aerospace, satellites, manufacturing, pharmaceuticals, oil and gas exploration and production, communications, and computer processors.

Starting in 2014, the group is said to have focused on MSPs. The indictment says APT10 and the defendants compromised a service provider with offices in New York and clients in at least 12 countries including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.

The international uniform of hackers, the hoodie

Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff


APT10 is also blamed for breaking into US Navy computer systems and stealing confidential data, including personal information for 100,000 Naval personnel. NASA was among other American government agencies affected.

In 2013, APT10, as MenuPass, was targeting defense contractors, while accounts ‘n’ audits firm PricewaterhouseCoopers (PWC) and BAE Systems jointly called out APT10's Chinese links almost 18 months ago.

The indictment outlines APT10's attack strategy, which included individually targeted phishing emails (spear phishing) with attachments that, when opened, installed and ran spyware and other data-stealing software nasties.

The group often used the QuasarRAT remote admin malware. Once inside a network, the hackers would extract documents – not only intellectual property and valuable commercial files but also personal data of staff, contractors and business contacts, usually by zipping them into a .rar file.

GCHQ’s summary (PDF, 6 pages) of APT10’s tactics said: "Industry partners have reported that data exfiltrated often relates to human resources information, suggesting an interest in the targeted company specifically, as well as potentially developing access to customers and suppliers."

It also listed IP addresses that the NCSC had definitely linked to the advanced persistent threat crew’s command and control servers, ready for alert IT bods to block:


The Justice Department's name-and-shame strategy echoes its 2014 indictment of five members of the Chinese military for cyber attacks. Those five have yet to be apprehended.

While the FBI said Zhu Hua and Zhang Shilong can be arrested if they travel outside China, Rosenstein made clear in his remarks that America doesn't expect the two to appear before a US judge any time soon. China has no extradition agreement with the US, and ongoing trade conflict between the two countries, exacerbated by the recent arrest of a Huawei executive in Canada at the behest of the US, makes any sort of accord look unlikely.

"We hope the day will come when the defendants face justice under the rule of law in a federal courtroom," said Rosenstein. "Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industries should remember: There is no free pass to violate American laws merely because they do so under the protection of a foreign state."

There's no real penalty either. ®

Similar topics

Other stories you might like

  • Product release cycles are killing the environment, techies tell British Computer Society

    Running Linux on a vintage box is one answer, but someone has to hold big tech's feet to fire

    Bringing an end to the relentless nature of annual product release cycles is something that should be top of the agenda for the soon-to-run 2021 United Nations Climate Change Conference, also known as COP26.

    Or so says the BCS, formerly known as the British Computer Society, which reckons cutting electronic waste is the most pressing concern for 30 per cent of the 1,100 plus members it surveyed recently.

    Alex Bardell, chair of the BCS Green IT Specialist Group, said reducing e-waste was already on the radar thanks to the chip shortage.

    Continue reading
  • UK science suffers as lawmakers continue to dither over Brexit negotiations

    Horizons Europe carrot dangled amid protocol wrangling

    A report from the UK House of Commons' European Scrutiny Committee has blamed delays in Brussels for choking off revenue streams to British institutions and businesses.

    The UK departed the European Union following a 2016 referendum. One of the results was that UK businesses were no longer able to tender for lucrative contracts within the bloc.

    The Brexit Divorce Bill uncomfortably laid out the facts back in 2018. The satellite navigation system Galileo was one victim despite substantial involvement from the UK in its development. Another was the Copernicus Earth monitoring programme; the UK was infamously snubbed when the European Space Agency (ESA) handed out six juicy contracts to institutions from the Continent.

    Continue reading
  • Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

    PAX Technology devices allegedly infected with malware

    US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.

    PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.

    Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.

    Continue reading
  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Advertorial Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading

Biting the hand that feeds IT © 1998–2021