OTTAWA: Companies in Canada were among the targets of two Chinese citizens charged with waging an extensive hacking campaign to steal valuable data over many years, U.S. authorities say.
In an indictment unsealed Thursday, prosecutors say Zhu Hua and Zhang Shilong were acting on behalf of China’s main intelligence agency to pilfer information from several countries.
Beginning about four years ago, Zhu and Zhang waged an intrusion campaign to gain access to computers and networks of “managed service providers” for businesses and governments around the world, the indictment says.
Such providers are private firms that manage clients’ information by furnishing servers, storage, networking, consulting and information-technology support. Breaking into one such computer system can provide a route into multiple customers’ data; the hackers breached the computers of enterprises involved in activities ranging from banking and telecommunications to mining and health care, say the papers filed in U.S. District Court.
The indictment says Zhu and Zhang are members of a group operating in China known as Advanced Persistent Threat 10. They purportedly broke into computers belonging to, or providing services to, companies in at least 12 countries, including Canada.
How? According to the indictment, they used forged emails to get unwitting recipients to open attachments laced with malware that gave the attackers a foothold on the victim’s system, a technique called “spear-phishing.”
The two suspects, who worked for Huaying Haitai Science and Technology Development Co. in Tianjin, are accused of acting in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
Canada’s Communications Security Establishment issued a statement supporting the U.S. allegations a few hours after the American announcement.
“Today, many of Canada’s allies and partners have made statements concerning the compromise of several Managed Service Providers. CSE also assesses that it is almost certain that actors likely associated with the People’s Republic of China (PRC) Ministry of State Security (MSS) are responsible for the compromise of several Managed Service Providers (MSP), beginning as early as 2016,” it said.
The statement said Canadian authorities detected the threat at the time and warned businesses in general terms about good security habits in dealing with these providers.
The CSE sent out a more detailed bulletin after Thursday’s indictments, advocating practices such as “multi-factor authentication,” which requires users to prove their identity in more than one way before they can sign in, and running background monitoring software that raises an alert when an apparently legitimate user account starts doing unusual things on a company network.
The alleged hackers provided Chinese intelligence officials with sensitive business information, said U.S. deputy attorney general Rod Rosenstein.
“This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system,” Rosenstein said.
In one case, the indictment says, the APT10 Group obtained unauthorized access to the computers of an unnamed service provider that had offices in New York state and then compromised the data of the provider and clients in Canada, the United States, Britain, Brazil, Finland, France, Germany, India, Japan, Sweden, Switzerland and the United Arab Emirates.
The victims included a global financial institution, three telecommunications or consumer electronics companies, three manufacturing firms, two consulting companies, and businesses involved in healthcare, biotechnology, mining, automotive supply and drilling, authorities say. None of them is specified by name in the indictment.
The RCMP and Global Affairs Canada had no immediate comment on the U.S. charges.
In another campaign that began as early as 2006, the APT10 Group, including Zhu and Zhang, allegedly attacked the computers and networks of more than 45 technology companies and U.S. government agencies to steal valuable information and data about various technologies.
The group made off with hundreds of gigabytes of sensitive data by targeting the computers of companies involved in aviation, space and satellite technology, manufacturing, pharmaceuticals, and oil and gas exploration, among others, the indictment says. It also broke into computers that held data belonging to NASA and the U.S. navy and took personal identifying information of more than 100,000 navy personnel, the indictment says.