Canada among targets of alleged Chinese hacking campaign
Prosecutors say Zhu Hua and Zhang Shilong were acting on behalf of China’s main intelligence agency to pilfer information from several countries
OTTAWA—Companies in Canada were among the targets of two Chinese citizens charged with waging an extensive hacking campaign to steal valuable data over many years, U.S. authorities say.
In an indictment unsealed Thursday, prosecutors say Zhu Hua and Zhang Shilong were acting on behalf of China’s main intelligence agency to pilfer information from several countries.
Beginning about four years ago, Zhu and Zhang waged an intrusion campaign to gain access to computers and networks of “managed service providers” for businesses and governments around the world, the indictment says.
Such providers are private firms that manage clients’ information by furnishing servers, storage, networking, consulting and information-technology support. Breaking into one such computer system can provide a route into multiple customers’ data; the hackers breached the computers of enterprises involved in activities ranging from banking and telecommunications to mining and health care, say the papers filed in U.S. District Court.
The indictment says Zhu and Zhang are members of a group operating in China known as Advanced Persistent Threat 10. They purportedly broke into computers belonging to—or providing services to—companies in at least 12 countries, including Canada.
How? According to the indictment, they sent forged emails crafted to trick specific recipients into opening attachments that carried malware, a technique called “spear-phishing.”
The two suspects, who worked for Huaying Haitai Science and Technology Development Co. in Tianjin, are accused of acting in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
Canada’s Communications Security Establishment issued a statement supporting the U.S. allegations a few hours after the American announcement.
“Today, many of Canada’s allies and partners have made statements concerning the compromise of several Managed Service Providers. CSE also assesses that it is almost certain that actors likely associated with the People’s Republic of China (PRC) Ministry of State Security (MSS) are responsible for the compromise of several Managed Service Providers (MSP), beginning as early as 2016,” it said.
The statement said Canadian authorities detected the threat at the time and warned businesses in general terms about good security habits in dealing with these providers.
The CSE sent out a more detailed bulletin after Thursday’s indictments, advocating practices such as “multi-factor authentication,” which requires more than one proof of identity (a password plus a second factor) before an account can log in, and running monitoring software that raises an alert when an apparently legitimate account starts doing things it does not normally do on a company network, such as logging into hosts it has never touched or at hours it has never been active.
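The second piece of advice, alerting when a legitimate account begins behaving unusually, is the kind of check that matters most for the accounts a managed service provider holds on a client’s network, since those credentials are exactly what an intruder inherits after compromising the provider. The following is an added example written for this page, not code from the CSE bulletin or the indictment: it builds a per-account baseline of destination hosts and logon hours from a constructed log, then flags logons to new hosts, logons outside the account’s usual hours, and bursts of new hosts in a short window. The log format, account names (`msp-admin`, `jsmith`) and host names are all made up for the example.

```python
"""Behavioural baseline for provider-held accounts on a client network.

Added example, not part of the original article or any CSE publication.
The log lines, accounts and hosts below are constructed; in practice the
events would come from Windows 4624 logon events, syslog, VPN logs, etc.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: "timestamp user src_host dst_host action"
BASELINE_LOG = """\
2018-11-01T09:12:00 msp-admin jump01 fileserver01 logon
2018-11-01T10:40:00 msp-admin jump01 fileserver01 logon
2018-11-02T14:05:00 msp-admin jump01 mailserver01 logon
2018-11-05T08:55:00 msp-admin jump01 fileserver01 logon
2018-11-06T11:30:00 msp-admin jump01 mailserver01 logon
2018-11-07T15:00:00 jsmith ws-042 fileserver01 logon
2018-11-08T09:15:00 jsmith ws-042 fileserver01 logon
"""

# Constructed events to evaluate: the 02:xx run of logons by the
# provider's account to three hosts it has never reached is the case
# the monitoring advice is meant to catch.
NEW_LOG = """\
2018-12-03T10:05:00 msp-admin jump01 fileserver01 logon
2018-12-03T02:17:00 msp-admin jump01 dc01 logon
2018-12-03T02:19:00 msp-admin jump01 hr-db01 logon
2018-12-03T02:21:00 msp-admin jump01 fin-db01 logon
2018-12-04T09:00:00 jsmith ws-042 fileserver01 logon
"""


def parse(log_text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, src, dst, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "action": action})
    return events


def build_baseline(events):
    """Per account: the hosts it normally reaches and the hours it is active."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        if e["action"] == "logon":
            hosts[e["user"]].add(e["dst"])
            hours[e["user"]].add(e["ts"].hour)
    return hosts, hours


def detect(baseline_events, new_events,
           burst_window=timedelta(minutes=10), burst_hosts=3):
    """Return alerts for logons that deviate from the account's baseline.

    An account absent from the baseline has an empty host set, so every
    logon it makes is reported as a new destination.
    """
    hosts, hours = build_baseline(baseline_events)
    alerts = []
    recent_new = defaultdict(list)  # user -> [(ts, dst)] for new-host logons
    for e in sorted(new_events, key=lambda x: x["ts"]):
        if e["action"] != "logon":
            continue
        reasons = []
        if e["dst"] not in hosts[e["user"]]:
            reasons.append("new destination host")
            recent_new[e["user"]].append((e["ts"], e["dst"]))
            # Distinct never-before-seen hosts reached inside the window:
            # several in a few minutes looks like lateral movement.
            window = {d for t, d in recent_new[e["user"]]
                      if e["ts"] - t <= burst_window}
            if len(window) >= burst_hosts:
                reasons.append("burst of %d new hosts within %s"
                               % (len(window), burst_window))
        if e["ts"].hour not in hours[e["user"]]:
            reasons.append("logon hour outside baseline")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "dst": e["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(BASELINE_LOG), parse(NEW_LOG)):
        print(a["ts"], a["user"], "->", a["dst"], ";", "; ".join(a["reasons"]))
```

The hour baseline here is deliberately crude (a set of hours seen in a week of constructed data); a real deployment would learn it over a longer window and per weekday, and would add the source host and the count of distinct destinations per day. The point the example makes is the structural one: for a provider account, "new destination host" and "off-hours" are strong signals precisely because that account’s legitimate work is predictable.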
Public Safety Minister Ralph Goodale said in a news conference that the government isn’t aware that any data was stolen from Canadians.
“To the best of our knowledge, we do not have reports—to the best of my knowledge—of specific losses, but we are aware of intrusions,” he said. “So the incidents took place, the hacking and the compromise took place. Whether there was actually a theft committed or the withdrawal of information or data, that’s not information that’s within our domain.”
He refused to name any of the victims Canadian authorities have identified, saying that’s commercially confidential information the government can’t reveal.
As disappointed as the Canadian government is by China’s espionage, Goodale said, it will separate this case from China’s detention of two Canadians in apparent retaliation for the arrest in Vancouver of Chinese technology executive Meng Wanzhou on a U.S. warrant.
“They are two quite separate incidents,” Goodale said. “The situation that we’re dealing with today in terms of cybersecurity was first detected going back to 2016 and we have been taking the appropriate steps with the private sector ever since then. We will deal with these as very serious matters in their own right but not matters that intersect with each other.”
He said no charges are pending in Canada now but standing side-by-side with allies such as the Americans should “send a very strong message that it is serious, that it is important, and we are taking all necessary steps to ensure that Canadians are protected.”
The alleged hackers provided Chinese intelligence officials with sensitive business information, said U.S. deputy attorney general Rod Rosenstein.
“This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system,” Rosenstein said.
In one case, the indictment says, the APT10 Group obtained unauthorized access to the computers of an unnamed service provider that had offices in New York state and then compromised the data of the provider and clients in Canada, the United States, Britain, Brazil, Finland, France, Germany, India, Japan, Sweden, Switzerland and the United Arab Emirates.
The victims included a global financial institution, three telecommunications or consumer electronics companies, three manufacturing firms, two consulting companies, and businesses involved in healthcare, biotechnology, mining, automotive supply and drilling, authorities say. None of them is specified by name in the indictment.
In another campaign that began as early as 2006, the APT10 Group, including Zhu and Zhang, allegedly attacked the computers and networks of more than 45 technology companies and U.S. government agencies to steal valuable information and data about various technologies.
The group made off with hundreds of gigabytes of sensitive data by targeting the computers of companies involved in aviation, space and satellite technology, manufacturing, pharmaceuticals, and oil and gas exploration, among others, the indictment says. It also broke into computers that held data belonging to NASA and the U.S. navy and took personally identifying information of more than 100,000 navy personnel, the indictment says.
—With files from David Reevely