The US Department of Justice (DOJ) has charged two Chinese nationals, accusing them of being part of a team that conducted a 12-year, government-sponsored global hacking campaign that stole data from 45 US tech companies and government agencies.

The intrusions focused on breaking into the networks of managed service providers (MSPs), allegedly enabling the hackers to spy on the US businesses for months at a time, in an operation known as 'Cloudhopper.'

The DOJ did not reveal the MSPs that were hacked, but Reuters reports that they include IBM and HPE. In 2017, HPE spun off its MSP business, which became DXC Technologies.

The US vs the Godkiller

US vs Godkiller
– DoJ

“As evidenced by this investigation, the threats we face have never been more severe, or more pervasive, or more potentially damaging to our national security, and no country poses a broader, more severe long-term threat to our nation’s economy and cyber infrastructure than China,” FBI Director Christopher Wray said in a press conference announcing the charges.

“China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there.”

The indictment claims Zhu Hua and Zhang Shilong were part of a Chinese hacking group known as Advanced Persistent Threat 10, or APT10. The hackers went by various aliases, including Godkiller, Afwar and CVNX. The two Chinese nationals still live in China, so it is unlikely that they will ever be prosecuted in the US.

“We hope the day will come when those defendants face justice under the rule of law in an American courtroom,” Deputy Attorney General Rod Rosenstein said. “Until then, they and other hackers who steal from our companies for the apparent benefit of Chinese industry should remember: there is no free pass to violate American laws merely because they do so under the protection of the foreign state.”

HPE hackers
Hackers at an HPE conference – Sebastian Moss

Managed Surveillance Providers

The indictment details alleged breaches of companies and government agencies, including a campaign to "obtain unauthorized access to the computers and computer networks of managed service providers for businesses and governments around the world. MSPs are companies that remotely manage their clients' information technology infrastructure, including by providing computer servers, storage, networking, consulting and information technology support."

Victim companies were located in at least 12 countries, the indictment claims, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States. It adds: "The victim companies included at least the following: a global financial institution, three telecommunications and/or consumer electronics companies; three companies involved in commercial or industrial manufacturing; two consulting companies; a healthcare company; a biotechnology company; a mining company; an automotive supplier company; and a drilling company."

IBM, which Reuters claims was one of the affected MSPs, as confirmed by five sources familiar with the matter, said in a statement: “IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat.”

HPE called the security of customer data its top priority, adding: “We are unable to comment on the specific details described in the indictment, but HPE’s managed services provider business moved to DXC Technology in connection with HPE’s divestiture of its Enterprise Services business in 2017.”

The attacks were persistent and changing, making them hard to counter, a source told Reuters. IBM investigated an attack of this type this summer, while HPE conducted a large breach investigation in early 2017, sources claimed.

Copied in China 2025

A separate campaign, known simply as 'The Technology Theft Campaign,' began around 2006 with the goal of stealing intellectual property and product data from myriad businesses.

Shenzhen, China
– Sebastian Moss

The indictment alleges that the APT10 Group successfully obtained unauthorized access to the computers "of more than 45 technology companies and US Government agencies," stealing "hundreds of gigabytes of sensitive data and information from the victims’ computer systems, including from at least the following victims: seven companies involved in aviation, space and/or satellite technology; three companies involved in communications technology; three companies involved in manufacturing advanced electronic systems and/or laboratory analytical instruments; a company involved in maritime technology; a company involved in oil and gas drilling, production, and processing; and the NASA Goddard Space Center and Jet Propulsion Laboratory.

"In addition to those victims who had information stolen, Zhu, Zhang, and their co-conspirators successfully obtained unauthorized access to computers belonging to more than 25 other technology-related companies involved in, among other things, industrial factory automation, radar technology, oil exploration, information technology services, pharmaceutical manufacturing, and computer processor technology, as well as the U.S. Department of Energy’s Lawrence Berkeley National Laboratory."

Rosenstein said that that the industries targeted in the hacking campaign were aligned with the core sectors involved in the Chinese government’s “Made in China 2025” plan, an ambitious initiative to increase the nation's high-tech industry, making it less reliant on foreign companies.

The broader picture

Changing Huawei
– Sebastian Moss

Allegations of Chinese state-sponsored hackers carrying out attacks for economic gain are not new. In 2015, after years of rising levels of economically-motivated cyber attacks on US businesses, President Obama and President Xi Jinping agreed to a cessation of such activity.

"We've agreed that neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage," Obama said at the time.

"In addition, we'll work together, and with other nations, to promote international rules of the road for appropriate conduct in cyberspace."

Indeed, while hacking is believed to have continued, cybersecurity company FireEye reported in June 2016 that the number of network compromises by the China-based hacking groups it tracked dropped from 60 in February 2013 to less than 10 by May 2016 (although it admitted that some attacks may have become more sophisticated, and evaded tracking).

Under the new US administration, which has a more confrontational approach towards China, hacking levels are believed to have risen again.

The governments of the United Kingdom, Australia, Canada and New Zealand joined the US in condemning China for violating its 2015 accord. But it is unclear what action, beyond leveling charges against two individuals who are unlikely to be prosecuted, nations are willing to take.

The Washington Post reports that discussions over financial sanctions were blocked by Treasury Secretary Steven Mnuchin over fears that it would interfere with US-China trade talks, with an escalating trade war currently stabilized by an uneasy truce.

At the same time, US officials are pushing forward with charges against the CFO of Chinese tech giant Huawei, over claims of violating economic sanctions, sparking a separate diplomatic crisis.

With Meng Wanzhou having been arrested in Canada, the country has also been dragged into the conflict. In what many perceive as intentional retribution, three Canadians have now been detained in China, and trade talks between the two nations are believed to have been derailed.