Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday

The United States, United Kingdom, Canada, Australia, New Zealand and Japan have publicly attributed to China a series of sophisticated cyberattacks launched by the threat group known as APT10 against organizations around the world. The U.S. has also indicted two alleged hackers believed to be members of APT10.

The charges relate to APT10’s intrusions into managed service providers (MSPs) in various countries, as well as dozens of technology companies and government agencies in more than a dozen U.S. states.

Industry professionals commented on the story, including its political implications and how organizations can defend their systems against attacks such as those launched by APT10.

And the feedback begins...

Priscilla Moriuchi, director of strategic threat development, Recorded Future:

“In a larger context, these indictments are furthering three specific messages to Beijing. First, they continue to draw a clear line for China regarding what type of behavior is and is not acceptable for states to conduct in cyberspace. In particular, that leveraging government and military resources to conduct cyber operations in order to steal intellectual property from private companies is unacceptable.

Second, that attacking and undermining critical internet backbone infrastructure to gain access to sensitive data and enable secondary intrusions is also unacceptable.

Third, that the US government continues to take the theft of personally identifiable information (PII) of US citizens very seriously. The FBI emphasized the theft of PII from 100,000 US service members. This is especially timely, as Secretary of State Pompeo has attributed the SPG/Marriott PII theft to China.

These indictments do not imply that all cyber operations or hacking is unacceptable, but continue to draw a clear line for China regarding what type of behavior is and is not acceptable for states to conduct in cyberspace.

The international cooperation involved in these indictments is significant as well, as the international consensus seems to be building to confront China over what the West views as unfair and illegal business practices.”

Ben Read, Senior Manager, Cyber Espionage Analysis, FireEye:

“APT10 has been tracked by FireEye for years and is one of the most prolific cyber espionage groups. They have compromised dozens of public and private organizations worldwide, stealing valuable intellectual property and confidential information. The tactics described in the indictment and verticals targeted are consistent with what FireEye has seen from this group. APT10 has historically targeted organizations with long research and development cycles, including construction and engineering, aerospace and military, telecommunications, high technology sectors, as well as government entities. Their move towards compromising managed service providers (MSPs) showcases the danger of supply chain compromises and reflects their continuously evolving tactics. APT10 is a well-resourced and a global threat.”

Sam Curry, chief security officer, Cybereason:

“Cyber has come of age and is sitting at the table along with trade, terrorism, the military and human rights in the Game of Nations. The great Game of Nations continues; from domestic politics to international diplomacy the US and China face off, and this time it’s not just economics and military but is also cyber. The status quo of the last US administration appeared to be one of détente on the cyber front and a Chamberlain-like agreement to mutual non-aggression. However, with an escalation in tension around trade and concerns about IP, the erstwhile new superpower is running into that long-time superpower and there is now a cyber-dimension.

The bigger diplomatic and political landscape cannot be lost when looking at the recent indictments of APT10 in the US for hacking. It appears the Chinese agreed to cyber non-aggression, but operations dating back to 2006 merely changed targets and kept going on a reduced but no-less-harmful scale. The charges against Zhu Hua and Zhang Shilong may or may not ever see them in a US court, but that doesn’t matter. What matters is the perception of legality and the snipes used back-and-forth in the Game of Nations.

On one level, there is a diplomatic fight between nations playing out; and on the other there is the due process of law in place. The latter should concern us the most because it establishes precedent and touches on the notion of domestic laws as opposed to the enforceability of that law across jurisdictions, interestingly paralleling the recent arrest of the Huawei CFO in Canada in a non-cyber sense but part of the same, broad drama. What matters here for where this is going is the point and counterpoint of the diplomatic fight.”

Carl Wright, CCO, AttackIQ:

“The United States Justice Department’s indictments in China are a step in the right direction as the blatant theft of IP and other sensitive data is unacceptable. Despite these indictments, prosecutions are unlikely given that the hackers are Chinese residents and extraditions are a rarity. These charges will restrict the international travels of those named in the filing and will send a warning to those who have not been named, potentially deterring motivation for future attacks against the United States.

This hacking campaign from China is one of the most significant and widespread cyber intrusions against the United States and its allies to date—that is, that we know about. Seemingly random cyberattacks against companies and agencies in the U.S. and abroad could very well be connected to nation-state backed hackers. In 2019, politically-motivated cyber threats and how to defend against them will be a major point of debate.”

Jonathan Bensen, interim CISO and director of product management, Balbix:

“This indictment has effectively scrubbed the bilateral agreement between the United States and China in 2015 that called for a truce against hostile cyberattacks and espionage. We have seen Chinese hackers target aviation, space and satellite, manufacturing, pharmaceutical, oil and gas, communications, computer processor, and maritime technology companies in the United States. These hacks have even breached names, dates of birth, email addresses, salary information and Social Security numbers of more than 100,000 United States Navy personnel this year. Regardless of these indictments, we will likely see more nation-state backed cyberattacks come to light in 2019 around the globe.

This history of cyberattacks shows that entities as highly regulated as our nation’s tech and industry giants and our federal government are not immune to the dangers posed by the plethora of attacks that come from nation-state hackers. Every organization’s security teams must be absolutely clear about the relative value of each of its IT assets and sets of information, and with that context prioritize its cybersecurity actions to proactively address the vulnerabilities that would put them at most risk. And do that before they become entry points for attackers.”

Malcolm Taylor, Director of Cyber Advisory, ITC Secure:

“In many ways this isn’t news. In truth the second oldest profession has moved from street corners and traditional SIGINT into the world of cyber; countries now conduct espionage through cyber attacks. There are, though, some very important caveats to that.

Firstly, it’s clear that the UK and US believe that China are using state intelligence capability to target western companies. All companies have incredibly valuable things to protect – but far from all of them protect their secrets as they should. This is yet another reminder that companies of all sizes across different sectors should take all the necessary steps to protect themselves.

Secondly, it’s a fascinating diplomatic move to go public now. It comes after the Huawei affair, the apparently reactive arrests in China of Canadian business people, and the trade war, and it looks like an extension of those by other means. The US and the UK have gone public with Russia recently, over the botched GRU activity in the Netherlands. It is slightly surprising to see a similar approach being used for China, and may show the West’s concern at the growing power of China. The Chinese have been very clever; through global investment regimes and soft power and the rapid growth of, and technical ability of, Huawei, they now have a critical presence inside the internet backbone. Has that worried the west, such that now they are responding?”

Terry Ray, CTO, Imperva:

“There has been a lot of speculation that the recent large breaches are connected to China. But China isn’t the only country using cyber as their weapon of choice. That's why cybersecurity is so critical; organizations need to be aware that in addition to monetary gain, somebody might be stealing your data for political gain too. Protecting that data is just as critical, regardless of who's taking it.

The trickledown effect of nation-state hacking is particularly concerning, as sophisticated methods used by various governments eventually fall into the hands of resourceful cybercriminals, typically interested in attacking businesses and individuals.

Security professionals should consider that their highest priority data may not be the most valuable target for nation-state attackers. An e-commerce company might consider credit cards as their most critical asset, but a nation-state might consider the purchase history of customers and contact information more valuable. Security professionals must take a step back from their organization and realize they need to secure more than just regulated data.”

Andrew Tsonchev, director of technology, Darktrace Industrial:

“This act of publicly ‘naming and shaming’ a nation state follows similar attributions made against Russia earlier this year, and the ongoing warnings from Western governments over the use of Huawei equipment. The new willingness of intelligence agencies to publicly share this information shows the seriousness and scale of the perceived cyber-threat.

Through the compromise of these third parties, APT10 has been able to infiltrate a vast range of targets. This tactic exploits the interconnectedness of the global supply chain. With companies increasingly reliant on a wide range of third parties for the provision of their critical services, it is now extremely difficult for individual organizations to defend their IT infrastructure. Coupled with the recent Facebook allegations, the public is learning truly how much personal data is in the hands of third parties.

This incident demonstrates the latest victims of ‘low and slow’ supply chain attacks -- we will see more fall victim from APT10. We’ve identified attacks in the wild that lurk in networks for months, observing the normal network activity and learning how to blend into the background noise, making detection even more difficult.

New technologies, such as unsupervised machine learning, provide defenders a tool to identify anomalies and prevent having their network, and subsequently their partners’ networks, compromised.”

Jake Olcott, VP, BitSight:

“Most organizations blindly trust that their service providers are protecting their data. Trust is not a strategy that works in the 21st century.

In fact, service provider compromises have become a global phenomenon. Organizations everywhere are at risk due to the rise in outsourcing and contracting. These incidents represent the #1 cyber risk to organizations today, and also threaten global commerce.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.