On the same day that several countries formally accused the Chinese government of malicious cyber behavior, the U.S. Department of Justice made public its indictment of four Chinese hackers who are part of the hacker group APT40.* Deng Xiaoyang, Chen Qingmin, and Zhu Yunmin are associated with the Hainan provincial arm of China’s Ministry of State Security, and Wu Shurong is a private contractor in Hainan. They are charged with Conspiracy to Damage Protected Computers, Conspiracy to Commit Economic Espionage, and Criminal Forfeiture. The unsealed grand jury indictment outlines cybercrimes dating back to July 2009 and continuing through September 2018.
From the indictment:
The object of the conspiracy was to install malware and hacking tools on protected computers and to leverage such malware and tools to commit unauthorized computer intrusions, all with the goal of stealing information of value from foreign governments, universities, and companies on behalf of the PRC and its instrumentalities, including state-owned enterprises in the railway and shipbuilding industries, and PRC state-sponsored and private sector biopharmaceutical and other companies.
(United States Department of Justice, “Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research”)
Additionally, on Monday, the NSA, CISA, and the FBI released a cybersecurity advisory on Chinese State-Sponsored Cyber Operations. The advisory outlines fifty tactics, techniques, and procedures that APT40 and other Chinese state-backed hacking groups tend to use for economic espionage, exploitation, and theft of proprietary information.
This isn’t the first time the U.S. has accused state-backed hackers of stealing proprietary data and engaging in criminal activities. The Center for Strategic and International Studies has a list of Chinese-linked instances of economic cyberespionage that dates back to 2000. Other high-profile cases include the Mandiant report on APT1, and the U.S. Department of Justice indictment of another Chinese “elite” state-backed hacking group, APT10. In July 2020, the U.S. Department of Justice indicted two state-backed Chinese hackers who engaged in repeated attempts to steal information on COVID-19 research beginning as early as January 2020.
The CCP Continued to Engage in Economic Cyberespionage Even After 2015
The timeframe of APT40’s activities in the indictment overlaps with the 2015 accord between the U.S. and China in which the CCP agreed not to conduct or support economic cyberespionage and intellectual property theft for commercial gain. Prior to the 2015 agreement, the U.S. had indicted five Chinese hackers associated with the PLA for stealing information from six companies in the energy, metals, and manufacturing sectors. Although the overall number of hacking incidents decreased for a short time after the 2015 agreement, the Chinese government merely changed its tactics.
Deng, Chen, and Zhu work for the Hainan State Security Department, a provincial department that answers to the national Ministry of State Security (MSS). The MSS is one of the most secretive departments in the Chinese Communist Party and took over the work of cyberespionage from the People’s Liberation Army (PLA) in 2015. APT40 operated through a front company called Hainan Xiandun Technology Development Co., Ltd., using a university library as its address so that the cyber activity could not be traced directly to the government.
How the Hackers Operated
The indictment outlines over one hundred instances of hacking, some just to obtain credentials, others to download information. The NSA, CISA, and the FBI released their list of fifty tactics, techniques, and procedures so that organizations can take steps to detect and curb this kind of intrusion.
FireEye has a user-friendly graphic and explanations of APT40’s cyberattack methods, which can be viewed here.
To summarize: APT40 begins with an “initial compromise” of the system, using methods such as phishing schemes or exploiting vulnerabilities in a web server. They use web shells, code planted on the server that makes it easy for the hackers to keep coming back to the same location, as a backdoor into the system. The hackers then “establish a foothold” by installing malware or obtaining VPN credentials. Credentials allow the hackers to “escalate privileges” so that they can engage in “internal reconnaissance.” They then move through the system (“lateral movement”), installing malware and web shells along the way as well as stealing data. They “maintain presence” using web shells and other methods to continue to re-enter and control the system, and eventually “complete the mission” by downloading valuable files.
What Did APT40 Steal and What Does It Tell Us?
APT40 operated from the Chinese province of Hainan. Hainan is an island off the coast of Southern China and the location of an important military base for China’s ambitions in the South China Sea. There were several instances of hacking into universities and organizations to steal research and proprietary data on hydroacoustic and marine technologies, particularly in 2017 and 2018. According to the indictment, on or around January 10, 2018, the hackers sent stolen trade secrets consisting of proprietary hydroacoustic data to a GitHub account, hidden steganographically inside images of a koala bear and of President Donald Trump.
According to FireEye, the bigger pattern of APT40’s behavior shows that they targeted countries involved in China’s Belt and Road Initiative, a trillion-dollar project to connect several countries to China through maritime and overland trade, and countries that have a vested interest in the South China Sea. Among APT40’s targets were the ASEAN countries Cambodia, the Philippines, and Malaysia (as well as Hong Kong), along with Belgium, Germany, Norway, Saudi Arabia, Switzerland, South Africa, the U.S., and the U.K.
Among the ASEAN targets was Cambodia’s Ministry of Foreign Affairs. One hack occurred on the same day that Cambodia hosted the Lancang-Mekong Cooperation Leaders Summit. The Mekong River, called the Lancang in China, is a 2,700-mile river that connects the South China Sea with several countries in Southeast Asia, making it a key trade and distribution channel. The river empties into the South China Sea near Ho Chi Minh City in Vietnam and extends through Cambodia, Laos, Thailand, Myanmar, and China.
APT40 also stole information on biosecurity, genetics, and vaccine research, including hacking into the U.S. National Institutes of Health and the U.S. Department of State’s biosecurity division. Around July 25, 2014, the hackers installed malware on a system in a research facility that was working on Ebola vaccines and therapeutics, which the indictment points out would be of interest to several Chinese biopharma companies that were doing similar research. Notably, the date corresponds with the massive Ebola outbreak in Western Africa. Additionally, during the first half of 2015, the group tried to obtain information on tularemia, Marburg vaccine, and Ebola as well as U.S. national health security and HIV/AIDS strategies. Then in 2016, APT40 stole about 900 files from a Swiss company on specialty chemical formulas.
State-Sanctioned Hacking and University Involvement
One thing this indictment makes clear is the intermingling of China’s universities with the state. In 2013 and 2016, the MSS apparently held a hacking competition at “PRC University 1” with cash prizes to recruit students to work as hackers for the MSS. Jordan A. Brunner, who has a background in law and has studied cybersecurity and cyber warfare, said the indictment is likely referring to Hainan University and Professor Gu Jian, who is profiled in a May 2021 report from the Center for Security and Emerging Technology at Georgetown University.
This does not mean the U.S. and other Western countries do not engage in cyberespionage themselves, although American laws make a distinction between traditional espionage, theft of trade secrets, illegal exports, and state-sanctioned covert actions. It also does not reflect the goals and values of many Chinese citizens, who are distinct from the Chinese government and many of whom would genuinely like to collaborate with global research institutions for mutual benefit.
But as former Party insider Cai Xia points out in her essay published in June by the Hoover Institution, the CCP for many years “took advantage of opportunities for economic and cultural exchanges to sneakily acquire economic, commercial, technological, political, and military intelligence.” Cybertheft and cyberwarfare are another iteration of the CCP’s long game to “hide our capacity to bide time.”
* “APT” means Advanced Persistent Threat and refers to hacker groups that are probably state-backed. See FireEye for a list of active APT groups.