The U.S. Department of Justice unsealed the indictment of two Chinese citizens Thursday on charges they engaged in computer hacks on technology companies and government agencies globally for more than a decade in the latest in a series of such DOJ indictments.
A grand jury in the U.S. District Court for the Southern District of New York indicted Zhu Hua and Zhang Shilong, charging them with conspiracy to commit computer intrusions, wire fraud and aggravated identity theft. Both defendants also were indicted under several aliases, according to the document signed by U.S. Attorney Geoffrey Berman.
Deputy Attorney General Rod Rosenstein said in a statement Thursday that the indictment “alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information.”
He said, “the activity alleged in this indictment violates the commitment that China made to members of the international community” in a 2015 bilateral agreement with the United States.
Even as the U.S. was unsealing its indictment, the United Kingdom brought similar charges against the same APT10 group for carrying out similar cyber espionage activities in the UK, Asia and the U.S., according to the Washington Post.
Robert Silvers, a partner in the litigation department at Paul Hastings in Washington, D.C., said Thursday the Justice Department’s action serves as a stark reminder for companies to not only check their own cybersecurity but also the security of their third-party vendors. Many of the companies were compromised by attacks on their managed service providers, who manage, process and store data.
“Even if you were thinking about your own organization’s cybersecurity program, you might not be thinking big enough,” Silvers said. “Hacks on third-party vendors can be just as devastating as hacks on the companies themselves.”
Silvers, who served as the assistant secretary for cyber policy in the Department of Homeland Security during the Obama administration, also said that China’s violating the 2015 bilateral agreement should be of concern for companies. The agreement was supposed to mean that neither government would support the cyber espionage of corporations.
“That agreement was meant to protect companies,” Silvers explained. “This literally puts tens of billions of dollars of intellectual property at risk.”
China generally has denied the accusations.
The 23-page indictment claims Zhu and Zhang belonged to a hacking organization based in China known to the cybersecurity community as Advanced Persistent Threat 10, or APT10 group, and by other names. They allegedly worked for a company called Huaying Haitai Science and Technology Development Company and in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau, an intelligence organization.
The indictment claims that starting in 2006 or earlier, the defendants stole sensitive defense technology and trade secrets, among other information, from the managed service providers—other companies used to store and process commercial data—of more than 45 companies in the United States as well as from U.S. government agencies including NASA and the Jet Propulsion Laboratories. None of the companies were named in the indictment.
A wide range of industries and businesses were compromised, including aviation, factory automation, financial services and banking, telecommunications, biotechnology, health care, pharmaceutical manufacturing, energy exploration and production and many more. The Justice Department said Zhu and Zhang “registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations.”
The attacks included spear-phishing attacks on a helicopter manufacturer that originated from an IP address in Tianjin, China under the control of the APT10 group. The emails, when opened, installed keystroke-logging malware on the computers that was used to steal usernames and passwords that in turn were used to help exfiltrate files and information in encrypted archives, the indictment said.
The hacking group also allegedly broke into more than 40 computers and obtained sensitive personal data from more than 100,000 U.S. Navy personnel, including Social Security numbers, email addresses and phone numbers, according to the indictment.
The APT10 organization also gained access to computers in at least 12 countries, the indictment claims, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.
Zhu and Zhang, who are unlikely to ever face trial in the United States, are each charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; a single count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison.
The indictment comes as the DOJ steps up efforts to crack down on alleged economic espionage. “In the last few months of this year, our Department has announced charges in three cases alleging crimes committed at the behest of a branch of the Chinese Ministry of State Security,” Rosenstein said in a statement. He said 90 percent of its economic espionage cases in the last seven years have involved China.
Assistant U.S. Attorney Sagar K. Ravi of the Southern District of New York’s cybercrime unit is in charge of the prosecution. Trial attorney Matthew Chang of the National Security Division’s counterintelligence and export control section is assisting, according to a news release.