US blasts China for vast hacking campaign, indicts two allegedly China-linked hackers

Two Chinese nationals have been charged by the US government over sustained hacking campaigns on technology companies and governments around the world. PHOTO: AFP

WASHINGTON - The United States government has charged two Chinese nationals over sustained hacking campaigns against technology companies and governments around the world, linking Beijing to the theft of confidential business data and intellectual property.

The claims were swiftly backed by US allies around the world, including Japan, Canada and Britain - three of the 12 affected countries - but resolutely denied by China.

China's Foreign Ministry on Friday (Dec 21) denied the cyber-espionage charges and urged Washington and its allies to withdraw the accusations.

The ministry also said that the US should withdraw the charges against the two Chinese citizens, according to Reuters. It stressed that China had never participated in or supported any stealing of commercial secrets, and added that it had lodged "stern representations" with Washington.

"We urge the US side to immediately correct its erroneous actions and cease its slanderous smears relating to Internet security," it said, adding that it would take necessary measures to safeguard its own cyber security and interests.

The charges were unsealed on Thursday (Dec 20) and announced by US Deputy Attorney-General Rod Rosenstein, who said the two men were part of a group whose cyber attacks gave China's intelligence service access to sensitive business information and China an unfair advantage in the global economy.

The two men, Zhu Hua and Zhang Shi Long, operated under several handles, with Zhu known as Afwar, CVNX, Alayos and Godkiller, while Zhang was known as Baobeilong and Atreexp.

They were accused of being members of a hacking group called Advanced Persistent Threat 10 (APT10), also known as Stone Panda and Red Apollo, which acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau.

Their latest campaign began around 2014 and targeted companies which remotely managed the information technology infrastructure of businesses and governments around the world.

Through these service providers, the group gained unauthorised access to a wide range of companies in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, Britain, and the US, installing malware that allowed them to steal user credentials and data.

In a statement on Friday, Japanese foreign ministry spokesman Takeshi Osuga said that Japan had identified APT10's continuous attacks on various domestic targets including private companies and academic institutions.

Canada also pointed the finger at China, with its Communications Security Establishment agency stating that it was almost certain that actors associated with the Chinese government were behind the attacks on the service providers beginning as early as 2016.

Britain, Australia and New Zealand also slammed China over what they called a global campaign of cyber-enabled commercial intellectual property theft, according to Reuters.

The campaign is "one of the most serious, strategically significant, persistent and potentially damaging set of cyber intrusions against the UK and our allies that we have seen", a British security official said.

Australia's foreign affairs and home affairs departments said in a statement that APT10 was engaged in "sustained cyber intrusions" on large managed service providers, or information technology contractors, globally.

In New Zealand, the Government Communications Security Bureau said that alongside national security partners it had "established links" between the Chinese Ministry of State Security and a global campaign of cyber-enabled commercial intellectual property theft, which it became aware of in 2017.

The compromised companies included a global financial institution and other firms in a wide range of sectors, including telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, oil and gas exploration and mining. These included Hewlett Packard Enterprise and IBM, reported Reuters.

US Attorney for the Southern District of New York Geoffrey S. Berman, who made the announcement along with Mr Rosenstein, said: "It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free. As a nation, we cannot, and will not, allow such brazen thievery to go unchecked."

APT10 also stole Navy data including the names, Social Security numbers, dates of birth, salary information, phone numbers and e-mail addresses of more than 100,000 Navy personnel.

These computer intrusions continued in 2018, said prosecutors. This would have been a violation of a 2015 agreement between Chinese President Xi Jinping and then-President Barack Obama to stop cyber espionage between their two countries.

APT10 also hacked the computer systems of commercial and defence technology companies and US agencies in a separate campaign that began in 2006, stealing hundreds of gigabytes of data from at least 45 companies and government bodies across a dozen US states.

Mr Robert Williams, the executive director of Yale Law School's Paul Tsai China Centre, said that the allegations added considerably to a growing body of evidence that China had not dialled back its commercial cyber espionage the way US officials had hoped it would after the 2015 Obama-Xi agreement.

But, he added: "If one goal of today's indictment is to underline how serious the US government is about addressing Chinese state-sponsored commercial cyber theft, that objective is strengthened considerably by US allies' remarkably unified statements condemning China's behaviour."
