APT10: What do we know about the alleged Chinese hacking group?

The United States has charged two Chinese men with orchestrating cyber hacking attacks against scores of companies and government agencies in the US and around the world for more than a decade.

According to the US Department of Justice, Zhu Hua and Zhang Shilong acted on behalf of the Chinese Ministry of State Security in coordinating espionage activity through a hacking group known as APT10, to steal trade secrets and technologies from at least 12 countries.

Beijing responded to the charges by accusing Washington of cyber hacking, but what do we actually know about the case?

US’ cyber hacking claims fabricated, says Beijing as Chinese duo face charges

Who are the alleged hackers?

APT10 – or Advanced Persistent Threat 10 – is the name given to a group of Chinese hackers first identified by US cybersecurity firm FireEye.

Widely known within the cybersecurity community, the group is one of several that share the “APT” tag, indicating their willingness to pursue targets over long periods of time. APT10 also goes by the names “Red Apollo” and “Stone Panda”.

According to FBI director Christopher Wray, Zhu and Zhang acted on behalf of China’s state security bureau from a base in Tianjin, a major port city about 130km (80 miles) southeast of the capital Beijing.

The indictment said the pair worked for Huaying Haitai Science and Technology Development Co, a company described by an online Chinese business directory as being involved in the development of e-commerce websites and network operations.

The FBI said Zhu and Zhang are believed to be in China but it will seek their arrest if they ever leave the country.

What is APT10 accused of doing?

The group is said to have engaged in multiple hacking campaigns into computer systems around the world since at least as early as 2006, two of which were specifically referred to in the indictment.

The first, known as the “Technology Theft Campaign”, began in or about 2006 and involved the group gaining access to the computer networks of more than 45 technology companies and US government agencies, in order to steal information about various technologies.

China accused by US and allies of ‘massive hacking campaign to steal trade secrets and technologies’

The group is said to have taken “gigabytes of sensitive data” from firms involved in the fields of aviation, space and satellite, manufacturing, pharmaceuticals, oil and gas exploration, communications, computer processor and maritime, it said.

Among the government targets of the hacking campaign were the NASA Goddard Space Centre and Jet Propulsion Laboratory and the US Department of Energy’s Lawrence Berkeley National Laboratory, the indictment said.

The group also compromised more than 40 computers belonging to the US navy, and stole the personal information of more than 100,000 personnel.

More recently, beginning in or about 2014, APT10 engaged in an intrusion campaign to obtain unauthorised access to the computer networks of managed service providers (MSPs) for businesses and governments around the world.

Over the course of the “MSP Theft Campaign” the group accessed computers providing services to or belonging to victim companies in at least 12 countries, namely Brazil, Britain, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, and the United States.

Japan condemns China-based cyberattacks, urges Beijing to take ‘responsible’ action

According to the indictment, the victim companies were involved in the fields of global finance, telecommunications, consumer electronics, manufacturing, healthcare, biotechnology, mining, automotive supplies and drilling.

While the document did not identify specific companies, a Reuters report cited multiple sources as saying the hackers breached the networks of Hewlett Packard Enterprise and IBM, then used the access to hack into their clients’ computers and steal data.

“The list of victim companies reads like a who’s who of the global economy,” Wray said.

So who knew about APT10?

Cybersecurity analysts have been following the activities of the alleged hackers for many years, but the first public reference to APT10 was made by FireEye in a 2013 report.

Titled “Poison Ivy”, the report identified APT10 as an affiliate domain name to “menuPass”, a group that was known to have been targeting US and other defence contractors since at least 2009.

In 2017, PwC’s cybersecurity practice and British multinational defence company BAE Systems published a report, in cooperation with Britain’s National Cyber Security Centre, that claimed to have uncovered a hacking campaign – “Operation Cloud Hopper” – led by APT10.

The report said members of the group targeted MSPs so they could gain access to the intellectual property and sensitive data of their clients around the world.

According to the US indictment, Zhu and Zhang have been charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.