Imagine you’re a burglar. You’ve decided to tackle a high-end luxury apartment, the kind of building with multiple Picassos in the penthouse. You could spend weeks or months casing the place, studying every resident’s schedule, analyzing the locks on all the doors. You could dig through trash for hints about which units have alarms, run through every permutation of what the codes might be. Or you could just steal the super’s keys.
According to a Justice Department indictment Thursday, that is effectively what China has done to the rest of the world since 2014. That’s when the country’s elite APT10—short for “advanced persistent threat”—hacking group decided to target not just individual companies in its long-standing efforts to steal intellectual property, but instead focus on so-called managed service providers. They’re the businesses that provide IT infrastructure like data storage or password management. Compromise MSPs, and you have a much easier path into all these clients. They're the super.
“MSPs are incredibly valuable targets. They are people that you pay to have privileged access to your network,” says Benjamin Read, senior manager for cyberespionage analysis at FireEye. “It’s a potential foothold into hundreds of organizations.”
For an even greater sense of scale: The indictment alleges, among other things, that by hacking into a single New York-based MSP, APT10 was able to compromise data from companies in a dozen countries, from Brazil to the United Arab Emirates. With a single initial intrusion, Chinese spies could leapfrog to industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, telecommunications, and more. (The full indictment is at the bottom of this story.)
The DOJ's indictment also outlines alleged APT10 activity that focused on government agencies and defense contractors, dating back to 2006, that took a more conventional approach. But the MSP hacks don't just show China’s hacking sophistication; they demonstrate its ruthless efficiency and determination.
“More than 90 percent of the department’s cases alleging economic espionage over the past seven years involve China,” said deputy attorney general Rod Rosenstein at a press conference detailing the indictment. “More than two-thirds of the department’s cases involving thefts of trade secrets are connected to China.”
Down With MSP
An APT10 intrusion, whether at an MSP or a defense contractor, starts like so many others in recent years: with a carefully crafted email. “C17 Antenna problems,” read the subject line of one APT10 message that hit the inbox of a helicopter manufacturer, part of the campaign against government agencies and defense contractors that began in 2006. The body copy was a simple request to open the attached file, a Microsoft Word document called “12-204 Side Load Testing.” The email appeared to come from a communications technology company. It all seemed very legitimate.
But of course it wasn’t. The Word attachments in these spear-phishing attempts were malicious, loaded with customized remote access trojans, which let the hackers control the computer from afar, and keystroke loggers for stealing usernames and passwords.
Once installed, the malware would report back to APT10-controlled domains. The group used dynamic Domain Name System providers to host those domains, which helped it evade detection by letting it change the IP address behind a domain on the fly. If a security filter blocked a known malicious IP address, for instance, APT10 could simply point the domain at a new address and continue on its merry way. A defender who blocked the domain itself, rather than the address it happened to resolve to, would fare better.
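Here is how a defender might spot that behavior in passive DNS data and see why blocking by IP falls short. This is an added example, not code from the article or the indictment; the resolution records, domain names and addresses are constructed, and the dynamic DNS suffix list and churn threshold are assumed tuning values. It flags a domain whose address keeps changing and then compares how much of its beaconing an IP blocklist built from the first sighting would have stopped against blocking the domain itself.

```python
"""Passive-DNS churn check: why blocking a C2 domain beats blocking its IP.

Added example, not code from the article or the indictment. The resolution
records, domain names and addresses are constructed; the dynamic DNS suffix
list and the churn threshold are assumed tuning values.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp, domain, resolved IP).
# Documentation-range addresses stand in for real ones.
OBSERVATIONS = [
    ("2017-03-01T08:00:00", "update.example-dyndns.invalid", "203.0.113.10"),
    ("2017-03-01T09:00:00", "www.corp-site.invalid", "198.51.100.200"),
    ("2017-03-01T20:00:00", "update.example-dyndns.invalid", "203.0.113.10"),
    ("2017-03-02T08:00:00", "update.example-dyndns.invalid", "198.51.100.7"),
    ("2017-03-03T08:00:00", "update.example-dyndns.invalid", "192.0.2.44"),
    ("2017-03-04T08:00:00", "update.example-dyndns.invalid", "203.0.113.99"),
    ("2017-03-04T09:00:00", "www.corp-site.invalid", "198.51.100.200"),
]

DYNDNS_SUFFIXES = (".example-dyndns.invalid",)  # assumed dynamic DNS zones
CHURN_THRESHOLD = 3  # assumed: distinct addresses before a domain is flagged


def ip_history(observations):
    """Map each domain to the distinct addresses it resolved to, in order seen."""
    seen = defaultdict(list)
    for _ts, domain, ip in sorted(observations):
        if ip not in seen[domain]:
            seen[domain].append(ip)
    return dict(seen)


def flag_churning_domains(observations, threshold=CHURN_THRESHOLD):
    """Flag domains whose A record cycled through >= threshold addresses.
    Under a dynamic DNS zone, even a single change is worth a look."""
    flagged = {}
    for domain, ips in ip_history(observations).items():
        on_dyndns = domain.endswith(DYNDNS_SUFFIXES)
        if len(ips) >= threshold or (on_dyndns and len(ips) > 1):
            flagged[domain] = {"ips": ips, "dyndns": on_dyndns}
    return flagged


def coverage(observations, ip_blocklist, domain_blocklist):
    """Fraction of the given resolutions each kind of blocklist would have stopped."""
    total = len(observations)
    by_ip = sum(1 for _ts, _d, ip in observations if ip in ip_blocklist)
    by_domain = sum(1 for _ts, d, _ip in observations if d in domain_blocklist)
    return by_ip / total, by_domain / total


if __name__ == "__main__":
    for domain, info in flag_churning_domains(OBSERVATIONS).items():
        print(f"{domain}: {len(info['ips'])} addresses, dyndns={info['dyndns']}")
        # Block only the first address you saw, versus the domain itself.
        beacons = [o for o in OBSERVATIONS if o[1] == domain]
        first_ip = info["ips"][0]
        ip_cov, dom_cov = coverage(beacons, {first_ip}, {domain})
        print(f"  blocking {first_ip} stops {ip_cov:.0%} of its resolutions;"
              f" blocking the domain stops {dom_cov:.0%}")
```

On the constructed data the first-seen address stops 40 percent of the domain's later resolutions, while the domain block stops all of them. In practice the suffix list would come from your own passive DNS or threat intelligence feeds, and the threshold would be tuned against legitimate CDN-backed names, which also change addresses but do not usually sit under dynamic DNS zones.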
The federal indictment mostly offers a high-level look from there, but China’s hackers followed a fairly standard playbook. Once they had established themselves on a computer, they would download still more malware to escalate their privileges, until they found what they were looking for: data.
In the case of the MSP intrusions, that malware appears to have been made up mostly of customized variants of PlugX and RedLeaves, both previously linked to Chinese actors, and QuasarRAT, an open source remote access trojan. The malware posed as legitimate software on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.
In short, APT10 hackers put themselves in a position where they not only had access to MSP systems, but could move through them as an administrator might. Using those privileges and stolen credentials, they would initiate Remote Desktop Protocol (RDP) connections to other MSP computers and, from there, into client networks. Think of any time an IT staffer has taken over your computer to troubleshoot, install Photoshop, whatever. It’s like that, except instead of a friendly coworker it’s Chinese hackers hunting for secrets.
And when they found those secrets? The hackers would encrypt the data and use stolen credentials to stage it on a different MSP or client system before exfiltrating it to an APT10-controlled IP address. They’d then delete the staged files from the compromised computers, all in an effort to avoid detection. Anytime a private security company identified APT10 domains, the group would quickly abandon them and move on to others. The quieter they were, the longer they could stay stowed away inside an MSP.
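The chain described above, an MSP support account fanning out over RDP into several client hosts, a large copy to an intermediary host, and a large transfer from that host to an external address, is something a defender can hunt for in logon and flow records. The following is an added example, not code from the article, the indictment or DHS; the event records, host names, account name, host-to-IP mapping, internal address ranges and thresholds are all constructed or assumed for illustration. It keeps the two detections separate, since a burst of RDP sessions is normal for an MSP during a maintenance window, while a staged outbound transfer from a host that just received one is not.

```python
"""Hunting the MSP-pivot-and-stage pattern in constructed logon and flow logs.

Added example for illustration; not code from the article, the indictment
or DHS. Every host, account, address, mapping and threshold below is assumed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed inventory: the MSP's jump hosts, the account it uses for support
# work, the client hosts' addresses, and what counts as an internal range.
MSP_HOSTS = {"msp-jump01", "msp-jump02"}
MSP_ADMIN_ACCOUNTS = {"MSP\\svc-support"}
HOST_IPS = {"client-a-fs01": "10.10.0.5", "client-b-db02": "10.20.0.15",
            "client-c-eng07": "10.30.0.40"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16")]

# Constructed events. "logon" rows carry the fields you would pull from
# Windows Security event 4624 (logon_type 10 is RemoteInteractive, i.e. RDP);
# "flow" rows are byte counts from a flow collector. Documentation-range
# addresses (203.0.113.x, 198.51.100.x) stand in for external hosts.
EVENTS = [
    {"ts": "2017-05-02T01:10:00", "kind": "logon", "host": "client-a-fs01",
     "src": "msp-jump01", "user": "MSP\\svc-support", "logon_type": 10},
    {"ts": "2017-05-02T01:25:00", "kind": "logon", "host": "client-b-db02",
     "src": "msp-jump01", "user": "MSP\\svc-support", "logon_type": 10},
    {"ts": "2017-05-02T01:40:00", "kind": "logon", "host": "client-c-eng07",
     "src": "msp-jump01", "user": "MSP\\svc-support", "logon_type": 10},
    # Staging hop: a large copy from client-c to client-b (10.20.0.15) ...
    {"ts": "2017-05-02T02:05:00", "kind": "flow", "host": "client-c-eng07",
     "dst": "10.20.0.15", "bytes": 900_000_000},
    # ... and from client-b straight out to an external address.
    {"ts": "2017-05-02T02:30:00", "kind": "flow", "host": "client-b-db02",
     "dst": "203.0.113.77", "bytes": 880_000_000},
    # Benign daytime support session with a small download: must not fire.
    {"ts": "2017-05-02T14:00:00", "kind": "logon", "host": "client-a-fs01",
     "src": "msp-jump02", "user": "MSP\\svc-support", "logon_type": 10},
    {"ts": "2017-05-02T14:05:00", "kind": "flow", "host": "client-a-fs01",
     "dst": "198.51.100.9", "bytes": 12_000_000},
]

FANOUT_WINDOW = timedelta(hours=1)    # assumed tuning values
FANOUT_MIN_HOSTS = 3
EXFIL_WINDOW = timedelta(hours=2)
EXFIL_MIN_BYTES = 500_000_000


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def msp_rdp_logons(events):
    """RDP logons that came from an MSP jump host with an MSP support account."""
    return sorted((e for e in events if e["kind"] == "logon"
                   and e["logon_type"] == 10 and e["src"] in MSP_HOSTS
                   and e["user"] in MSP_ADMIN_ACCOUNTS), key=_t)


def rdp_fanout(events, window=FANOUT_WINDOW, min_hosts=FANOUT_MIN_HOSTS):
    """Report the first burst in which an MSP account RDPs into >= min_hosts
    distinct client hosts within one window, or None if there is none."""
    logons = msp_rdp_logons(events)
    for i, first in enumerate(logons):
        hosts = {first["host"]}
        for later in logons[i + 1:]:
            if _t(later) - _t(first) > window:
                break
            hosts.add(later["host"])
        if len(hosts) >= min_hosts:
            return {"user": first["user"], "src": first["src"],
                    "hosts": sorted(hosts), "start": first["ts"]}
    return None


def staged_exfil(events, window=EXFIL_WINDOW, min_bytes=EXFIL_MIN_BYTES):
    """Large outbound transfer to an external address from a host that had an
    MSP RDP session within `window`. Any equally large internal copy into that
    host shortly before is reported as the staging hop."""
    flows = [e for e in events if e["kind"] == "flow"]
    logons = msp_rdp_logons(events)
    alerts = []
    for out in flows:
        if is_internal(out["dst"]) or out["bytes"] < min_bytes:
            continue
        recent = {lg["host"] for lg in logons
                  if timedelta(0) <= _t(out) - _t(lg) <= window}
        if out["host"] not in recent:
            continue
        staging = [f["host"] for f in flows
                   if f is not out and f["bytes"] >= min_bytes
                   and f["dst"] == HOST_IPS.get(out["host"])
                   and timedelta(0) <= _t(out) - _t(f) <= window]
        alerts.append({"exfil_host": out["host"], "dst": out["dst"],
                       "bytes": out["bytes"], "staged_from": staging})
    return alerts


if __name__ == "__main__":
    print("fan-out:", rdp_fanout(EVENTS))
    for alert in staged_exfil(EVENTS):
        print("staged exfil:", alert)
```

Run against the constructed events, the fan-out rule reports the three night-time sessions from msp-jump01, and the exfiltration rule reports the 880 MB transfer from client-b-db02 to 203.0.113.77 with client-c-eng07 as the staging source; the afternoon support session and its 12 MB download do not fire. Real deployments would pull the logon rows from a SIEM rather than a list, and would want to add the deletion step the article mentions (file-delete auditing on the staging host) as a third signal.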
“They are sophisticated,” says Read. “They take as much of their success from the ‘persistent’ part of ‘advanced persistent threat’ as the ‘advanced.’”
The hackers ultimately made off with hundreds of gigabytes of data from dozens of companies, the indictment alleges. While the Justice Department didn’t name any specific victims, the Department of Homeland Security has set up a page providing guidance for any company that thinks it might have been affected, including links to intrusion-detection tools. That should be helpful, given that the indictment of two Chinese nationals seems unlikely to slow the country’s ambitions.
Can’t Handle the Truce
All of this might seem surprising, given that the United States and China three years ago came to a ballyhooed agreement that they wouldn’t hack each other’s private sector interests.
In fairness, the APT10 activity detailed in the indictment started before that détente. But it also didn’t stop after the agreement went into effect: The DOJ alleges that the two Chinese nationals charged in the indictment, Zhu Hua and Zhang Shilong, have been active up through 2018. And other prominent, likely Chinese hacks that date back to around the same time, like that of the Starwood Preferred Guest system, remained active for years.
China has also spent the past few years actively testing the boundaries of the truce, targeting defense contractors, law firms, and other entities that blur the lines between public and private, between intellectual property and more generalized confidential information. It has actively, and successfully, recruited spies in the US.
“No country poses a broader, more severe long-term threat to our nation’s economy and cyber infrastructure than China. China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there,” FBI director Christopher Wray said at Thursday’s press conference. “While we welcome fair competition, we cannot and will not tolerate illegal hacking, stealing, or cheating.”
One reason China persists: It may not see anything wrong with it. “From my perspective this area is going to continue to be an area of tension and contention between the US and China for the foreseeable future,” says J. Michael Daniel, who served as cybersecurity coordinator in the Obama administration. “And so the question is just how do you manage this area of friction in a way that is productive for us.”
An increasingly popular method appears to be naming and shaming, not just of Chinese hackers but those from Russia and North Korea as well. And while it certainly sends a signal—and will upend any travel plans Zhu and Zhang may have had—it alone likely won’t put much of a dent in China’s plans.
“What these groups are compromising is based on much bigger strategic imperatives than whether two people can go to California on vacation,” says FireEye’s Read.
Besides, current tensions between China and America extend far beyond hacking. There’s a trade war afoot, with a Huawei executive awaiting potential extradition. All of these interests intermingle, with aggression on different fronts ramping up and fading like some sort of geopolitical mixing board.
Meanwhile, China’s hackers will continue to rob the world blind at every opportunity. At least, though, they may now be a little less anonymous when they do.
Additional reporting by Lily Hay Newman.