‘Five Eyes’ Nations Blame China for APT10 Attacks

The United States, United Kingdom, Canada, Australia and New Zealand officially blamed China on Thursday for the cyberattacks launched by a threat group known as APT10 against organizations around the world.

The US Department of Justice charged Chinese nationals Zhu Hua and Zhang Shilong with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The charges are related to their involvement in APT10 and the attacks launched by the group in the past decade against organizations in a wide range of sectors.

According to US authorities, the suspects work for a Chinese company called Huaying Haitai Science and Technology Development Company in the city of Tianjin, and they are associated with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

The APT10 group has been active since at least 2006 and it has hacked a significant number of organizations in an effort to obtain intellectual property and business and technological information. The threat actor has also been tracked as Stone Panda, MenuPass, POTASSIUM, CVNX and Red Apollo.

The charges are related to APT10’s attacks against managed services providers (MSPs) around the world, and tens of tech companies and government agencies in more than a dozen US states.

APT10 targeted MSPs due to the fact that these types of companies typically have remote access to their customers’ infrastructure. As part of attacks on MSPs, known in the cybersecurity industry as Operation Cloud Hopper, the hackers used malware to steal credentials that would give them access to the systems of MSP customers.

According to authorities, the victims of this operation included a global financial institution, three companies involved in commercial or industrial manufacturing, three telecommunications and consumer electronics firms, a healthcare company, an automotive supplier, a drilling company, a biotechnology company and two consulting companies. While the Justice Department has not named any of the victims, Reuters reported that the list includes HPE and IBM.

As for APT10’s other operations, authorities say the hackers targeted more than 45 tech companies and government agencies in at least 12 states, stealing hundreds of gigabytes of sensitive information. It also appears that the breach disclosed by the U.S. Navy in 2016, which involved HPE and resulted in the details of over 100,000 individuals getting compromised, may have been the work of APT10.

(Image: Zhu Hua wanted by FBI)

Among other things, the charged individuals, Zhu and Zhang, are said to have registered malicious domains and infrastructure for APT10. Zhang also developed and tested malware for the group, while Zhu, who works as a penetration tester, took part in hacking operations and recruited new members.

(Image: Zhang Shilong wanted by FBI)

(Image: China officially blamed for APT10 attacks by Five Eyes)

The United States, United Kingdom, Australia, Canada and New Zealand have all issued statements condemning China, and specifically its Ministry of State Security (MSS), for sponsoring the APT10 attacks.

The Japanese government has also issued a statement, but a more cautious one. In recent years, cybersecurity firms have detailed several APT10 campaigns targeting Japan.

While the US has previously pointed the finger at China for cyberattacks, this is the first time the UK has done so. It did, along with its allies, attribute WannaCry to North Korea, attacks on universities to Iran, and the NotPetya, WADA and Bad Rabbit attacks to Russia.

“This campaign shows that elements of the Chinese government are not upholding the commitments China made directly to the UK in a 2015 bilateral agreement. It is also inconsistent with G20 commitments that no country should conduct or support ICT enabled theft of intellectual property, including trade secrets or other confidential business information,” the UK said.

Australia, whose Cyber Security Center issued advice for MSPs and their customers on how to limit exposure and protect information, also pointed to G20 commitments and called on China to uphold them. Australia and China reaffirmed these commitments bilaterally in 2017.

“When it is in our interests to do so, Australia publicly attributes cyber incidents, especially those with the potential to undermine global economic growth, national security and international stability,” Australia’s Minister for Home Affairs and Minister for Foreign Affairs said in a joint statement.

Canada’s Communications Security Establishment (CSE) says it “assesses that it is almost certain that actors likely associated with the People’s Republic of China (PRC) Ministry of State Security (MSS) are responsible for the compromise of several Managed Service Providers (MSP), beginning as early as 2016.”

New Zealand became aware of the APT10 campaign in early 2017. The country’s Government Communications Security Bureau (GCSB) says it has found links between the Chinese MSS and APT10, and called on China to uphold the agreement it made with other APEC economies in November 2016.

“Around a third of the serious incidents recorded by the NCSC can be linked to state-sponsored actors. This ongoing activity reinforces the importance of organisations having strong cyber security measures across their supply chain,” said Andrew Hampton, Director-General of the GCSB.

The Chinese MSS has been linked to several high-profile attacks and threat groups, including the recently disclosed Marriott hack and the actor tracked as APT3.

Five Eyes nations recently banned products from Chinese-owned telecommunications giant Huawei, citing security concerns, but the company has denied any wrongdoing and highlighted the lack of evidence.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
