DOJ Readies More Cyber-Spying Charges Against Government-Linked Chinese Hackers

Less than a week after President Trump's Saturday meeting with Chinese President Xi Jinping, which offered a brief glimmer of hope that the trade war between the world's two biggest economies might be headed for a deescalation, the arrest and expected extradition of Huawei CFO Wanzhou Meng has raised questions about retaliation and cast doubt on whether the promised trade truce will hold. Adding to those pressures, the Wall Street Journal reported on Friday that the DOJ is planning yet another in a series of indictments against Chinese intelligence agents or suspected government-linked hackers.

Though details were vague, WSJ said the DOJ is preparing to indict a team of government-linked hackers who allegedly carried out a multiyear scheme to break into the systems of US technology service providers, which WSJ described as "one of the most sophisticated and audacious" to date. 

The target of the indictments is a shadowy Chinese hacking group that private security contractors have nicknamed "APT 10" and "cloudhopper" - APT stands for Advanced Persistent Threat.

US officials have described the hacking campaign as one of the most audacious and damaging orchestrated by China to date, intended to steal intellectual property and support Beijing’s espionage goals. The hacks have allowed intruders potential access to scores of American companies and government agencies that rely on the service providers for a wide range of digital tasks, such as the remote management of technology infrastructure or cloud storage.

The charges have been expected for several weeks and are intended as the latest in a flurry of recent actions taken by the Justice Department to publicly admonish China for its cyber-enabled economic espionage on American companies. Private-sector cybersecurity researchers previously have identified those attacks as the work of a hacking enterprise known as "APT 10" or "cloudhopper," which they link to Beijing. APT stands for "advanced persistent threat."

The indictments would follow actions against 10 Chinese intelligence officers for trying to steal trade secrets from US aviation companies, as well as an action against a Chinese firm for allegedly stealing trade secrets from US chipmaker Micron Technologies. According to WSJ, the DOJ held up the indictments over concerns that they could interfere with the US trade talks in Argentina.

The timing of the release of the charges was held up due to concerns among some U.S. officials and allied countries that they could disrupt proceedings at last week’s Group of 20 summit in Argentina, according to a U.S. official. At the G20 gathering, President Trump and Chinese President Xi Jinping agreed to a trade truce that would include negotiations on “cyber intrusions and cyber theft,” according to a statement from the White House.

Though both the US and some of the companies reportedly affected criticized the report as false shortly after publication, the MO described by the Wall Street Journal sounds curiously similar to that described by Bloomberg earlier this year when it reported on a massive Chinese cyberinfiltration - one of the most extensive ever uncovered. According to BBG, Chinese hardware hackers managed to infiltrate a popular server manufacturer and place tiny microchips inside its devices. Those servers have been used by Apple, Amazon and other giant tech companies. Some even made it to systems used by the Department of Defense.

Here's WSJ's description:

In public and private, senior U.S. officials have described the hacking campaign targeting technology service providers as perhaps the most serious of any of Beijing’s cyber theft operations, potentially impacting hundreds or thousands of companies in total. In October, the Department of Homeland Security warned of an active hacking campaign targeting technology service providers in the energy, health-care, communications and manufacturing industries for the purposes of espionage and intellectual property theft.

The service providers often are not the initial victim; instead, hackers sometimes breach a client company in order to jump into the provider’s systems, from where they can then leapfrog into other client networks.

"We view it as the platform the Chinese are using for whatever they need," Rob Joyce, a senior official at the National Security Agency, said in an interview in October. That could include additional espionage, theft of intellectual property and, potentially, groundwork for disruptive operations, Mr. Joyce said.

"If they get into a managed service provider, then they can go to any of the customers of those providers," Mr. Joyce said. "So we are really concerned. And that’s why you are seeing the government saying, we’ve got to deal with it, push them out, make sure they don’t have that toehold."
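The pivot the WSJ and Mr. Joyce describe, an MSP account that is supposed to touch one customer's systems being used to reach another customer's, leaves a trace in the provider's own authentication logs. The script below is an added example, not code from the Journal, the DOJ or any provider named above; it audits constructed logon events against a constructed scope policy (which delegated account may reach which customer tenant, and from which jump host) and flags logons that cross tenants, arrive from an unexpected source, or use an account with no assigned scope at all. The account names, host names, IP addresses and the JSON field names are all assumptions made up for the example.

```python
"""Flag MSP-delegated accounts that reach beyond their assigned customer tenant.

Added example for illustration. Accounts, hosts, addresses and the event schema
(ts, account, src_ip, dst_host) are constructed, not taken from any real provider.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON authentication event per line, as a provider's
# SIEM might export them. Event 2 and 4 reach hosts outside the account's tenant,
# event 3 comes from a workstation rather than the sanctioned jump host, and
# event 5 uses an account that has no delegated scope at all.
SAMPLE_LOG = """
{"ts": "2018-12-07T02:11:05Z", "account": "svc-acme-backup@msp.example", "src_ip": "10.0.5.10", "dst_host": "srv-acme-fs01"}
{"ts": "2018-12-07T02:13:41Z", "account": "svc-acme-backup@msp.example", "src_ip": "10.0.5.10", "dst_host": "srv-globex-db01"}
{"ts": "2018-12-07T02:20:09Z", "account": "svc-globex-patch@msp.example", "src_ip": "192.168.44.7", "dst_host": "srv-globex-app01"}
{"ts": "2018-12-07T02:25:30Z", "account": "svc-acme-backup@msp.example", "src_ip": "10.0.5.10", "dst_host": "srv-initech-ad01"}
{"ts": "2018-12-07T02:31:02Z", "account": "jdoe@msp.example", "src_ip": "10.0.5.10", "dst_host": "srv-acme-fs01"}
{"ts": "2018-12-07T03:00:00Z", "account": "svc-globex-patch@msp.example", "src_ip": "10.0.5.11", "dst_host": "srv-globex-app01"}
"""

# Constructed scope policy: each delegated account is tied to exactly one
# customer tenant and may only authenticate from the provider's jump hosts.
ACCOUNT_SCOPE = {
    "svc-acme-backup@msp.example": {"tenant": "acme", "jump_hosts": {"10.0.5.10"}},
    "svc-globex-patch@msp.example": {"tenant": "globex", "jump_hosts": {"10.0.5.11"}},
}

# Constructed asset inventory: which customer tenant owns each managed host.
HOST_TENANT = {
    "srv-acme-fs01": "acme",
    "srv-globex-db01": "globex",
    "srv-globex-app01": "globex",
    "srv-initech-ad01": "initech",
}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def audit_event(event, scope=ACCOUNT_SCOPE, host_tenant=HOST_TENANT):
    """Return reason codes for one logon; an empty list means it is within policy."""
    policy = scope.get(event["account"])
    if policy is None:
        # No delegation on record: an interactive or unknown account touching
        # a customer host from the provider side deserves a look on its own.
        return ["unscoped_account"]
    reasons = []
    target_tenant = host_tenant.get(event["dst_host"], "unknown")
    if target_tenant != policy["tenant"]:
        reasons.append("cross_tenant")
    if event["src_ip"] not in policy["jump_hosts"]:
        reasons.append("unexpected_source")
    return reasons


def audit(text, scope=ACCOUNT_SCOPE, host_tenant=HOST_TENANT):
    """Run every event through audit_event and collect the ones that violate policy."""
    findings = []
    for event in parse_events(text):
        reasons = audit_event(event, scope, host_tenant)
        if reasons:
            findings.append({
                "ts": event["ts"],
                "account": event["account"],
                "src_ip": event["src_ip"],
                "dst_host": event["dst_host"],
                "reasons": reasons,
            })
    return findings


def tenants_touched(text, host_tenant=HOST_TENANT):
    """Map each account to the set of customer tenants it authenticated into.

    A single delegated account fanning out across several tenants is the
    leapfrogging pattern described above, even before any policy is consulted.
    """
    touched = defaultdict(set)
    for event in parse_events(text):
        touched[event["account"]].add(host_tenant.get(event["dst_host"], "unknown"))
    return dict(touched)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding["ts"], finding["account"], "->", finding["dst_host"], finding["reasons"])
    for account, tenants in tenants_touched(SAMPLE_LOG).items():
        print(account, "reached tenants:", sorted(tenants))
```

The scope policy is the important part: it forces the provider to write down, per delegated account, which customer and which jump hosts are legitimate, so that a cross-tenant logon becomes a policy violation rather than a judgment call. In a real deployment the inventory and policy would come from the provider's CMDB and privileged-access tooling rather than literals, and the findings would feed a SIEM rule rather than stdout.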

Despite China's commitment to look into curtailing its cyber-espionage practices under pressure from President Trump, it's worth keeping in mind that China has made similar promises before. Back in 2015, the Chinese government pledged that it would stop sanctioning hacks into US companies and government entities so that the Obama Administration would back down. Of course, that has already been exposed as a deliberate lie. 

Last month, US Trade Rep. Robert Lighthizer warned that the US hadn't seen any notable changes in Chinese behavior regarding its cyber espionage activities. With this in mind, we imagine this won't be the last indictment of its kind.