Breach, Content

Justice Department: Chinese Hackers Hit MSPs

Video link

Two Chinese hackers have been charged with breaking into U.S.-based MSPs (managed services providers) to hit end-customer networks around the world, according to the United States Department of Justice.

Clues about today's indictments emerged in October 2018, when the U.S. Department of Homeland Security warned MSPs and cloud services providers (CSPs) that cyber gangsters where targeting their systems and RMM software to penetrate end-customer networks.

The Legal Case: Who Hacked MSPs?

The charges unveiled today include conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft, according to U.S. Deputy Attorney General Rod Jay Rosenstein.

The victims, among many firms, included major MSP arms of IBM and HP Enterprise, according to third-party media reports. IBM says there's no evidence that sensitive data was taken by hackers, according to Bloomberg. HPE says it has since sold off the associated MSP business, according to multiple reports.

The alleged attacks, according to the Department of Justice, involved:

  • Two alleged hackers: named Zhu Hua and Zhang Shilong. both nationals of the People’s Republic of China.
  • An alleged cyber hacker group: Called Advanced Persistent Threat 10 (the APT10 Group).
  • Alleged connections to China's government: Including the Chinese Ministry of State Security’s Tianjin State Security Bureau.

How China Hackers Allegedly Targeted U.S. MSPs

The MSP-centric targeting included these steps, according to the Department of Justice:

  • An MSP Theft Campaign: APT10 Group engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of MSPs for businesses and governments around the world, the DOJ claims.
  • MSP Networks Targeted: The APT10 Group targeted MSPs in order to leverage the MSPs’ networks to gain unauthorized access to the computers and computer networks of the MSPs’ clients and to steal, among other data, intellectual property and confidential business data on a global scale, the DOJ claims.
  • New York MSP Hacked: The the APT10 Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.
  • How Many Companies Were Attacked: From 2006 through 2018, the attacks hit MSPs and more than 45 technology companies in at least a dozen U.S. states, and U.S. government agencies.

How China Hackers Allegedly Compromised U.S. MSPs

The three-step compromise of MSPs involved these efforts, the U.S. Department of Justice claims:

  • First, after the APT10 Group gained unauthorized access into the computers of an MSP, the APT10 Group installed multiple variants of malware on MSP computers around the world. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system.  Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials, the DOJ says.
  • Second, after stealing administrative credentials from computers of an MSP, the APT10 Group used those stolen credentials to connect to other systems within an MSP and its clients’ networks. This enabled the APT10 Group to move laterally through an MSP’s network and its clients’ networks and to compromise victim computers that were not yet infected with malware, the DOJ alleges.
  • Third, after identifying data of interest on a compromised computer and packaging it for exfiltration using encrypted archives, the APT10 Group used stolen credentials to move the data of an MSP client to one or more other compromised computers of the MSP or its other clients’ networks before exfiltrating the data to other computers controlled by the APT10 Group, the DOJ says.

According to Deputy Attorney General Rosenstein:

“The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information. This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system.”

What's Next?

MSSP Alert has reached out to U.S. officials to see what the next steps are in the legal case against Zhu Hua and Zhang Shilong.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.