U.S. Charges China Intelligence Officers Over Hacking Companies and Agencies
By Dustin Volz, Kate O’Keeffe and Bob Davis
(Wall Street Journal)
Updated Dec. 20, 2018 10:13 p.m. ET
U.S. officials also accused China of violating a 2015 pact under which both
nations vowed to not engage in state-sponsored hacking for economic gain
WASHINGTON—The Trump administration exerted further pressure
Thursday on Beijing, unsealing criminal charges against two Chinese citizens
allegedly tied to a state-sponsored campaign to steal sensitive information
from businesses and several U.S. government agencies, including the Navy.
The charges come amid a broader push by the U.S. to deter
cyberattacks and technology theft, and to reset trade relations with the world’s
second largest economy on more favorable terms, through tariffs, sanctions,
indictments and investment restrictions.
However, concerned about unsettling ongoing trade talks, the
administration held off on an earlier plan to sanction Chinese entities that
benefited from the hacks. That prompted criticism from officials who privately
complained the indictments will do little on their own.
The indictments, senior Justice Department and other
administration officials said, provide additional evidence that China violated
a 2015 pact with the Obama administration under which both countries vowed to
not engage in state-sponsored hacking for economic gain.
“No country should be able to flout the rule of law—so we’re
going to keep calling out this behavior for what it is: illegal, unethical and
unfair,” Federal Bureau of Investigation Director Christopher Wray said at a
news conference announcing the charges, which were unsealed in federal court in
Manhattan. “No country poses a broader, more severe long-term threat.”
U.S. officials say China’s alleged cyberattacks have
metastasized into a pre-eminent national and economic security threat. In
Thursday’s indictments, prosecutors drew direct links between the alleged
hackers and China’s Ministry of State Security. The indictments also allege
that Chinese authorities approved of and directed the campaign.
“It is unacceptable that we continue to uncover cyber crime committed by
China against other nations,” Deputy Attorney General Rod Rosenstein said at
the news conference. He added that more than 90% of Justice Department
cases alleging economic espionage over the past seven years involved China, as
did over two-thirds of those involving theft of trade secrets.
Companies in at least a dozen countries were victimized by
the cyber campaign described Thursday. Waged by a known hacking group called APT 10, or cloudhopper,
its victims include businesses in the banking, finance, telecommunications,
health care, energy and automotive industries, Mr. Rosenstein said.
Officials declined to identify the victims, but two people
familiar with the matter said International Business Machines Corp. and Hewlett
Packard Enterprise Co. [HPE] are among companies whose computer-services
operations allegedly were breached by hackers, who then used that access to
burrow into their clients. Reuters first reported that those companies were
among the victims.
In a statement, an HPE spokeswoman said the company couldn’t
comment on the details alleged in the indictment. She said HPE sold its
managed-service-provider business in 2017.
An IBM spokesman said the company was aware of the reported
attacks and had already taken “extensive countermeasures world-wide” to protect
itself and its clients. He added that IBM had no evidence sensitive IBM company
or client data had been compromised.
In a statement backing the U.S. indictments, U.K. Foreign
Secretary Jeremy Hunt said that Britain and its allies believe the Chinese
government has been conducting an extensive campaign to steal commercial
secrets from companies in Europe, Asia and the U.S. Other allied countries also
applauded the moves in their own statements.
A central plank of the hacking campaign was to target
technology-services providers that support businesses with a range of digital
chores, such as cloud storage, and then leverage that access to infiltrate
their networks of clients. Service providers have grown more prominent in
recent years as companies have sought to reduce their in-house information
technology costs.
“You’ve all heard about situations where you see somebody
essentially the cyber equivalent of breaking into a house,” the FBI’s Mr. Wray
said. “This is more like breaking in and getting the keys of the maintenance
supervisor who has keys to hundreds and hundreds of apartments and all the
residents in those apartments.”
The defendants, Zhu Hua and Zhang Shilong,
are also accused of participating in hacking campaigns that targeted several
U.S. government agencies, including the Energy Department, laboratories at NASA
and the U.S. Navy, whose contractors have continued to suffer debilitating
breaches from suspected Chinese state actors.
The Chinese hacking group implicated in Thursday’s charges
stole personal information, including Social Security numbers and dates of
birth, from over 100,000 Navy personnel, officials said.
China’s Ministry of Foreign Affairs called the allegations
in the indictment groundless and characterized the prosecution as “a serious
violation of the basic norms of international relations.” Ministry spokeswoman
Hua Chunying demanded the U.S. withdraw the
indictment and stop its vilification of China on cybersecurity to avoid causing
serious harm to the countries’ relations. The defendants weren’t immediately
available for comment.
Additional Chinese nationals had been under consideration
for U.S. prosecution, and the administration had also considered levying
sanctions against people involved in the hack and against the entities that
benefited from the stolen information, according to current and former U.S.
officials and others familiar with the matter. Some expressed disappointment at
what they considered a relatively tame effort to punish China for its alleged
misdeeds.
The Justice Department actions come at the same time the
Trump administration is trying to negotiate a deal with China by March 1 to
ease trade tensions. The Treasury Department, which is playing a major role in
the talks, also has the ability to sanction foreign
companies beyond the reach of U.S. courts.
The Treasury didn’t invoke its sanctions authority in part
because it wanted to preserve its role in the negotiations, said people
familiar with the negotiations. A delegation of senior Chinese officials is
expected to continue trade negotiations in Washington in mid-January.
“There is some hesitance to smack around Chinese
institutions, because it would interfere with the trade discussions,” said
Christian Whiton, a former State Department official in the Trump
administration.
Thursday’s moves mark the latest in a flurry of actions
taken by the Justice Department and other agencies to publicly shame and punish
China for what officials have described as years of cyberattacks against U.S.
companies that cost the American economy as much as hundreds of billions of
dollars annually, according to some government estimates.
In October, federal prosecutors unsealed charges against 10
Chinese intelligence officers with a different regional bureau of the Ministry
of State Security, accusing them of hacking U.S. aviation companies. The
Justice Department followed days later with more charges against a Chinese
state-owned company and its Taiwan partner for allegedly stealing trade secrets
from the U.S. memory-chip maker Micron Technology Inc.
Taken collectively, the charges over the past three months
represent the most significant effort to date by U.S. law-enforcement officials
to publicize and condemn Beijing’s intrusions into American businesses. They
also arrive as federal investigators have grown increasingly confident that the
data breach recently disclosed by Marriott International Inc. was China’s
handiwork. China denied any role in the Marriott breach.
—Josh Chin in Beijing and Jason Douglas in London contributed to this article.
Appeared in the December 21, 2018, print edition as 'U.S. Steps Up Effort To Fight Hacking.'
How China Allegedly Hacked America and Its Allies
By Dustin Volz (Wall Street Journal)
Dec. 20, 2018 4:36 p.m. ET
U.S. says ‘Godkiller’ and ‘Atreexp’ honed their techniques over a decade,
breaking into government and company computers world-wide
WASHINGTON—Federal charges unsealed Thursday against two
Chinese nationals lay out how hackers allegedly working for an arm of China’s
main intelligence service spent the last 12 years victimizing businesses and
government agencies in the U.S. and around the world.
The two alleged hackers, Zhu Hua and Zhang Shilong, are accused of working for a company called Huaying Haitai located in the
Chinese port city of Tianjin in direct coordination with the Ministry of State
Security’s local bureau.
Using monikers including “Godkiller”
and “Atreexp,” the pair allegedly spent over a decade
breaking into computer networks. The indictment says they honed their
techniques to steal advanced technologies and other valuable information as
part of a “continuous and unrelenting effort” waged by a Chinese hacking
enterprise variously known as APT 10, for Advanced Persistent Threat, or cloudhopper.
The defendants couldn’t immediately be reached for comment
and the Chinese Embassy in Washington didn’t return a request for comment.
Chinese Foreign Ministry officials have consistently said that Beijing doesn’t
condone computer hacking in any form.
The charging papers accuse APT 10 of using a common
technique known as “spearphishing” to trick targets
into opening emails laced with malware and unknowingly revealing their passwords
to the hackers.
This allowed them to breach computers of more than 45
commercial and defense technology companies and U.S. agencies in at least 12
states, including Arizona, California, Florida, Texas and Virginia, as part of
a conspiracy dating back to at least 2006 and continuing through this year.
Prosecutors said the intrusions allowed the hackers to steal
hundreds of gigabytes of sensitive data from a wide array of industries,
including aviation, space and satellite, manufacturing and maritime technology.
But possibly the most severe aspect of the hacking campaign
began in 2014, as Messrs. Zhu and Zhang and their co-conspirators allegedly
focused on technology-service providers that work for businesses and
governments around the world.
By attacking service providers, the Chinese were able to
infiltrate computer networks to steal reams of confidential data on a global
scale, prosecutors said, compromising victims in at least a dozen countries,
including Brazil, Canada, France, Germany, India, Japan, the United Arab
Emirates, the U.K. and the U.S.
Current and former U.S. officials have described the assault
on technology-service providers as one of the most audacious and potentially
damaging of all the campaigns waged by Chinese hackers in recent years against
American interests, one intended to steal intellectual property and support
Beijing’s espionage goals.
Private-sector cybersecurity researchers previously
identified those attacks as the work of APT 10 and linked them to Beijing. The
hacks allowed intruders potential access to scores of U.S. companies and
government agencies that rely on the service providers for jobs including the
remote management of computers and cloud storage.