U.S. Charges China Intelligence Officers Over Hacking Companies and Agencies

By Dustin Volz , Kate O’Keeffe and Bob Davis (Wall Street Journal)

Updated Dec. 20, 2018 10:13 p.m. ET

U.S. officials also accused China of violating a 2015 pact under which both nations vowed to not engage in state-sponsored hacking for economic gain

WASHINGTON—The Trump administration exerted further pressure Thursday on Beijing, unsealing criminal charges against two Chinese citizens allegedly tied to a state-sponsored campaign to steal sensitive information from businesses and several U.S. government agencies, including the Navy.

The charges come amid a broader push by the U.S. to deter cyberattacks and technology theft, and to reset trade relations with the world’s second largest economy on more favorable terms, through tariffs, sanctions, indictments and investment restrictions.

However, concerned about unsettling ongoing trade talks, the administration held off on an earlier plan to sanction Chinese entities that benefited from the hacks. That prompted criticism from officials who privately complained the indictments will do little on their own.

The indictments, senior Justice Department and other administration officials said, provide additional evidence that China violated a 2015 pact with the Obama administration under which both countries vowed to not engage in state-sponsored hacking for economic gain.

“No country should be able to flout the rule of law—so we’re going to keep calling out this behavior for what it is: illegal, unethical and unfair,” Federal Bureau of Investigation Director Christopher Wray said at a news conference announcing the charges, which were unsealed in federal court in Manhattan. “No country poses a broader, more severe long-term threat.”

U.S. officials say China’s alleged cyberattacks have metastasized into a pre-eminent national and economic security threat. In Thursday’s indictments, prosecutors drew direct links between the alleged hackers and China’s Ministry of State Security. The indictments also allege that Chinese authorities approved of and directed the campaign.

 “It is unacceptable that we continue to uncover cyber crime committed by China against other nations,” Deputy Attorney General Rod Rosenstein said at the news conference. He said added that more than 90% of Justice Department cases alleging economic espionage over the past seven years involved China, as did over two-thirds of those involving theft of trade secrets.

Companies in at least a dozen countries were victimized by the cyber campaign described Thursday. Waged by a known hacking group called APT 10, or cloudhopper, its victims include businesses in the banking, finance, telecommunications, health care, energy and automotive industries, Mr. Rosenstein said.

Officials declined to identify the victims, but two people familiar with the matter said International Business Machines Corp. and Hewlett Packard Enterprise Co. [HPE] are among companies whose computer-services operations allegedly were breached by hackers, who then used that access to burrow into their clients. Reuters first reported that those companies were among the victims.

In a statement, an HPE spokeswoman said the company couldn’t comment on the details alleged in the indictment. She said HPE sold its managed-service-provider business in 2017.

An IBM spokesman said the company was aware of the reported attacks and had already taken “extensive countermeasures world-wide” to protect itself and its clients. He added that IBM had no evidence sensitive IBM company or client data had been compromised.

In a statement backing the U.S. indictments, U.K. Foreign Secretary Jeremy Hunt said that Britain and its allies believe the Chinese government has been conducting an extensive campaign to steal commercial secrets from companies in Europe, Asia and the U.S. Other allied countries also applauded the moves in their own statements.

A central plank of the hacking campaign was to target technology-services providers that support businesses with a range of digital chores, such as cloud storage, and then leverage that access to infiltrate their networks of clients. Service providers have grown more prominent in recent years as companies have sought to reduce their in-house information technology costs.

“You’ve all heard about situations where you see somebody essentially the cyber equivalent of breaking into a house,” the FBI’s Mr. Wray said. “This is more like breaking in and getting the keys of the maintenance supervisor who has keys to hundreds and hundreds of apartments and all the residents in those apartments.”

The defendants, Zhu Hua and Zhang Shilong, are also accused of participating in hacking campaigns that targeted several U.S. government agencies, including the Energy Department, laboratories at NASA and the U.S. Navy, whose contractors have continued to suffer debilitating breaches from suspected Chinese state actors.

The Chinese hacking group implicated in Thursday’s charges stole personal information, including Social Security numbers and dates of birth, from over 100,000 Navy personnel, officials said.

China’s Ministry of Foreign Affairs called the allegations in the indictment groundless and characterized the prosecution as “a serious violation of the basic norms of international relations.” Ministry spokeswoman Hua Chunying demanded the U.S. withdraw the indictment and stop its vilification of China on cybersecurity to avoid causing serious harm to the countries’ relations. The defendants weren’t immediately available for comment.

Additional Chinese nationals had been under consideration for U.S. prosecution, and the administration had also considered levying sanctions against people involved in the hack and against the entities that benefited from the stolen information, according to current and former U.S. officials and others familiar with the matter. Some expressed disappointment at what they considered a relatively tame effort to punish China for its alleged misdeeds.

The Justice Department actions come at the same time the Trump administration is trying to negotiate a deal with China by March 1 to ease trade tensions. The Treasury Department, which is playing a major role in the talks, also has the ability to sanction foreign companies beyond the reach of U.S. courts.

The Treasury didn’t invoke its sanctions authority in part because it wanted to preserve its role in the negotiations, said people familiar with the negotiations. A delegation of senior Chinese officials is expected to continue trade negotiations in Washington in mid-January.

“There is some hesitance to smack around Chinese institutions, because it would interfere with the trade discussions,” said Christian Whiton, a former State Department official in the Trump administration.

Thursday’s moves mark the latest in a flurry of actions taken by the Justice Department and other agencies to publicly shame and punish China for what officials have described as years of cyberattacks against U.S. companies that cost the American economy as much as hundreds of billions of dollars annually, according to some government estimates.

In October, federal prosecutors unsealed charges against 10 Chinese intelligence officers with a different regional bureau of the Ministry of State Security, accusing them of hacking U.S. aviation companies. The Justice Department followed days later with more charges against a Chinese state-owned company and its Taiwan partner for allegedly stealing trade secrets from the U.S. memory-chip maker Micron Technology Inc.

Taken collectively, the charges over the past three months represent the most significant effort to date by U.S. law-enforcement officials to publicize and condemn Beijing’s intrusions into American businesses. They also arrive as federal investigators have grown increasingly confident that the data breach recently disclosed by Marriott International Inc. was China’s handiwork. China denied any role in the Marriott breach.

—Josh Chin in Beijing and Jason Douglas in London contributed to this article.

Write to Dustin Volz at dustin.volz@wsj.com, Kate O’Keeffe at kathryn.okeeffe@wsj.com and Bob Davis at bob.davis@wsj.com

Appeared in the December 21, 2018, print edition as 'U.S. Steps Up Effort To Fight Hacking.'


How China Allegedly Hacked America and Its Allies

By Dustin Volz (Wall Street Journal)

Dec. 20, 2018 4:36 p.m. ET

U.S. says ‘Godkiller’ and ‘Atreexp’ honed their techniques over a decade, breaking into government and company computers world-wide

WASHINGTON—Federal charges unsealed Thursday against two Chinese nationals lay out how hackers allegedly working for an arm of China’s main intelligence service spent the last 12 years victimizing businesses and government agencies in the U.S. and around the world.

The two alleged hackers, Zhu Hua and Zhang Shilong, are accused of working for a company called Huaying Haitai located in the Chinese port city of Tianjin in direct coordination with the Ministry of State Security’s local bureau.

Using monikers including “Godkiller” and “Atreexp,” the pair allegedly spent over a decade breaking into computer networks. The indictment says they honed their techniques to steal advanced technologies and other valuable information as part of a “continuous and unrelenting effort” waged by a Chinese hacking enterprise variously known as APT 10, for Advanced Persistent Threat, or cloudhopper.

The defendants couldn’t immediately be reached for comment and the Chinese Embassy in Washington didn’t return a request for comment. Chinese Foreign Ministry officials have consistently said that Beijing doesn’t condone computer hacking in any form.

The charging papers accuse APT 10 of using a common technique known as “spearphishing” to trick targets into opening emails laced with malware and unknowingly reveal their passwords to the hackers.

This allowed them to breach computers of more than 45 commercial and defense technology companies and U.S. agencies in at least 12 states, including Arizona, California, Florida, Texas and Virginia, as part of a conspiracy dating back to at least 2006 and continuing through this year.

Prosecutors said the intrusions allowed the hackers to steal hundreds of gigabytes of sensitive data from a wide array of industries, including aviation, space and satellite, manufacturing and maritime technology.

But possibly the most severe aspect of the hacking campaign began in 2014, as Messrs. Zhu and Zhang and their co-conspirators allegedly focused on technology-service providers that work for businesses and governments around the world.

By attacking service providers, the Chinese were able to infiltrate computer networks to steal reams of confidential data on a global scale, prosecutors said, compromising victims in at least a dozen countries, including Brazil, Canada, France, Germany, India, Japan, the United Arab Emirates, the U.K. and the U.S.

Current and former U.S. officials have described the assault on technology-service providers as one of the most audacious and potentially damaging of all the campaigns waged by Chinese hackers in recent years against American interests, one intended to steal intellectual property and support Beijing’s espionage goals.

Private-sector cybersecurity researchers previously identified those attacks as the work APT 10 and linked them to Beijing. The hacks allowed intruders potential access to scores of U.S. companies and government agencies that rely on the service providers for jobs including the remote management of computers and cloud storage.

Write to Dustin Volz at dustin.volz@wsj.com



House Passes Bill to Create National Quantum Computing Program (Dec. 19)

Chinese Hackers Breach U.S. Navy Contractors (Dec. 14)

FBI Says Chinese Espionage Poses ‘Most Severe’ Threat to American Security (Dec. 12)