John P. Carlin, David A. Newman, and Amy S. Josselyn
Global Risk + Crisis Management and Privacy + Data Security
In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.
As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.
Key takeaways from the indictment include:
MSP Theft Campaign
The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages. First, the hackers gained unauthorized access into the MSPs’ computers and installed malware allowing APT10 to remotely monitor the computers and steal login credentials. The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection. APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.
By targeting MSPs, APT10 was able to gain access to a much larger network of companies in various industries than would have been possible by targeting individual companies. For example, the indictment noted that by compromising the network of one MSP in New York, APT10 was able to gain unauthorized access to clients in the banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining industries. Overall, the compromised MSPs and their clients spanned at least 12 different countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States.
Technology Theft Campaign
APT10’s Technology Theft Campaign targeted more than 45 U.S. commercial and defense technology companies operating in the aviation, space and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and production technology, communications technology, computer processor technology, and maritime technology industries. APT10 also stole sensitive data from the NASA Goddard Space Center and Jet Propulsion Laboratory, gained access to computers belonging to the U.S. Department of Energy’s Lawrence Berkeley National Laboratory, and compromised Navy computers to steal the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.
During the Technology Theft Campaign, APT10 used spear phishing techniques to send customized emails with legitimate-looking attachments, which would download malware onto the targets’ computers. The malware then secretly recorded the users’ keystrokes, which enabled the hackers to obtain login credentials. APT10 used these credentials to search victims’ computers and identify data of interest, which was later exfiltrated in encrypted archives.
DOJ’s Expanding Focus on Deterring and Disrupting State-Sponsored Cyber Espionage
This indictment is a key step in DOJ’s increased focus on state-sponsored economic espionage. In announcing the charges, Deputy Attorney General Rod Rosenstein highlighted “the threat that these actions pose to the prosperity and security of the United States and other nations that respect the rule of law” and explained that the “criminal justice system is a valuable tool” in the effort to combat state-sponsored cybercrime. The charges came just weeks after DOJ launched a new “China Initiative” to identify priority Chinese trade theft cases and dedicate additional resources to their speedy resolution. The Department of Homeland Security has set up a website with guidance for IT services providers and links to tools to help detect network intrusions and identify compromised systems.
©1996-2019 Morrison & Foerster LLP. All rights reserved.