Computerworld

Australia charges China with backing IP theft, MSP hacking campaign

Australian Cyber Security Centre releases advice for managed service providers and their customers

Foreign affairs minister Marise Payne and home affairs minister Peter Dutton have issued a statement “expressing serious concern” over intellectual property theft by the hacking group dubbed APT10, which the Australian government has charged has been acting on behalf of the Chinese Ministry of State Security.

APT10 is associated with ‘Operation Cloud Hopper’: a sustained effort to compromise the security of major managed service providers (MSPs) to access the IP and data of both the MSPs themselves and their customers.

The Australian Cyber Security Centre in April 2017 warned Australian enterprises that they could be exposed through their relationships with MSPs.

Overnight the FBI and the US Justice Department charged two Chinese men, Zhu Hua and Zhang Shilong, over their alleged role in APT10. An indictment alleges that over a 12-year period APT10 “conducted extensive campaigns of global intrusions into computer systems.”

The pair worked for Huaying Haitai Science and Technology Development Company in Tianjin and “acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau.”

The group's operations evolved over time “demonstrating advances in overcoming network defenses, victim selection and tradecraft”.

The two men are each charged with one count of conspiracy to commit computer intrusions, one count of conspiracy to commit wire fraud, and one count of aggravated identity theft.

Beginning in 2006, the group allegedly engaged in a “technology theft” campaign, targeting the networks of commercial and defence technology companies and US government agencies. APT10 successfully obtained unauthorised access to systems of more than 45 organisations in at least 12 US states, the indictment says, stealing “hundreds of gigabytes of sensitive data”.

The campaign targeting MSPs came later — beginning “at least in or about 2014”.

Among APT10's haul was the personally identifiable information of more than 100,000 US Navy personnel, according to the indictment.

“The sustained cyber intrusions by APT10 were significant and focussed on large scale Managed Service Providers (MSPs) – specialist companies that manage IT services and infrastructure for many medium to large businesses and organisations, both in Australia and globally,” said the statement released by Payne and Dutton.

The statement said that Australia called “on all countries – including China – to uphold commitments to refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage”.

“These commitments were agreed by G20 Leaders in 2015,” the statement adds. “Australia and China reaffirmed them bilaterally in 2017.”

“This is a catalytic event for Australia and an opportunity for all parts of our economy to lift the levels of cyber protection for all Australians, to make Australia the safest place to live, work and play online,” said Alastair MacGibbon, the head of the Australian Cyber Security Centre and the government’s National Cyber Security Adviser.

“What we’ve exposed is an audacious global campaign to steal commercial secrets, and that translates to stealing food from the tables of Australian families.

“Businesses need to understand the inherent risks in cyber-enabled technology and to have the appropriate strategies in place to manage those risks.”

“Cyber security is about risk management,” MacGibbon said. “You can’t eliminate risk, but you can strengthen your defences to reduce the likelihood of the risk being realised, and the harm caused when it is.”

The ACSC has released security guidance for MSPs and MSP customers. The centre said it is also working with Australian MSPs on a new partner program focused on security.