Today Deputy Attorney General Rod J. Rosenstein and other high-level U.S. officials announced the unsealing of an indictment charging Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both nationals of the People’s Republic of China (China), with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.
Zhu and Zhang allegedly belong to a hacking group operating in China known within the cyber security community as Advanced Persistent Threat 10 (the APT10 Group). The defendants worked for a company in China called Huaying Haitai Science and Technology Development Company (Huaying Haitai) and acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
From at least in or about 2006 up to and including in or about 2018, members of the APT10 Group, including Zhu and Zhang, conducted extensive campaigns of intrusions into computer systems around the world. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy.
Starting at least in or about 2014, members of the APT10 Group, including Zhu and Zhang, obtained unauthorized access to the computers and computer networks of Managed Service Providers (MSPs0 for businesses and governments around the world (the MSP Theft Campaign). MSPs are firms that other companies trust to store, process, and protect commercial data, including intellectual property and other confidential business information. When hackers gain access to MSPs, they can steal sensitive business information that gives competitors an unfair advantage.
The APT10 Group targeted MSPs in order to leverage the MSPs’ networks to gain unauthorized access to the computers and computer networks of the MSPs’ clients and to steal, among other data, intellectual property and confidential business data on a global scale. For example, through the MSP Theft Campaign, the APT10 Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.
Earlier, starting in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. government agencies, in order to steal information and data concerning a number of technologies (the Technology Theft Campaign). Through the Technology Theft Campaign, the APT10 Group stole hundreds of gigabytes of sensitive data and targeted the computers of victim companies involved in aviation, space and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and production technology, communications technology, computer processor technology, and maritime technology.
In furtherance of the APT10 Group’s intrusion campaigns, Zhu and Zhang, among other things, registered malicious domains and infrastructure. In addition, Zhu, a penetration tester, engaged in hacking operations on behalf of the APT10 Group and recruited other individuals to the APT10 Group, and Zhang developed and tested malware for the APT10 Group.
The MSP Theft Campaign
Zhu, Zhang, and their co-conspirators in the APT10 Group engaged in the following criminal conduct:
First, after the APT10 Group gained unauthorized access into the computers of an MSP, the APT10 Group installed multiple variants of malware on MSP computers around the world. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system. Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials.
Second, after stealing administrative credentials from computers of an MSP, the APT10 Group employed those stolen credentials to connect to other systems within an MSP and its clients’ networks. The APT10 Group then moved laterally through an MSP’s network and its clients’ networks and to compromise victim computers that were not yet infected with malware.
Third, after identifying data of interest on a compromised computer and packaging it for exfiltration using encrypted archives, the APT10 Group employed stolen credentials to move the data of an MSP client to one or more other compromised computers of the MSP or its other clients’ networks before exfiltrating the data to other computers controlled by the APT10 Group.
During the MSP Theft Campaign, Zhu, Zhang, and their co-conspirators in the APT10 Group successfully obtained unauthorized access to computers providing services to or belonging to victim companies located in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the UAE, the UK, and the US. The victim companies included at least the following: a global financial institution, three telecommunications and/or consumer electronics companies; three companies involved in commercial or industrial manufacturing; two consulting companies; a healthcare company; a biotechnology company; a mining company; an automotive supplier company; and a drilling company.
The Technology Theft Campaign
During the course of the Technology Theft Campaign, which started in or about 2006, Zhu, Zhang, and their coconspirators in the APT10 Group successfully obtained unauthorized access to the computers of more than 45 technology companies and U.S. Government agencies based in at least 12 states, including Arizona, California, Connecticut, Florida, Maryland, New York, Ohio, Pennsylvania, Texas, Utah, Virginia and Wisconsin. The APT10 Group stole hundreds of gigabytes of sensitive data and information from the victims’ computer systems, including from at least the following victims: seven companies involved in aviation, space and/or satellite technology; three companies involved in communications technology; three companies involved in manufacturing advanced electronic systems and/or laboratory analytical instruments; a company involved in maritime technology; a company involved in oil and gas drilling, production, and processing; and the NASA Goddard Space Center and Jet Propulsion Laboratory. In addition to those victims who had information stolen, Zhu, Zhang, and their co-conspirators successfully obtained unauthorized access to computers belonging to more than 25 other technology-related companies involved in, among other things, industrial factory automation, radar technology, oil exploration, information technology services, pharmaceutical manufacturing, and computer processor technology, as well as the U.S. Department of Energy’s Lawrence Berkeley National Laboratory.
Zhu and Zhang are each charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison.
Finally, the APT10 Group compromised more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, and dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.
According to Deputy A.G. Rosenstein, “(t)oday’s charges mark an important step in revealing to the world China’s continued practice of stealing commercial data. Responding to that conduct requires a strategic approach to the threats that China poses. That is why the Department of Justice recently announced an initiative to address the full range of threats. One tactic is to increase our enforcement efforts. Another is to conduct foreign investment reviews to protect against China improperly acquiring sensitive information. A third is to find ways to better protect our telecommunications networks.”