
Chinese Hack U.S. Managed Service Providers to Steal IP


I am not sure how to measure the effectiveness of the U.S. trade war on the Chinese to stop them from stealing our intellectual property.  We are certainly indicting more people and occasionally we even arrest one or two.  According to law enforcement, the amount of Chinese hacking is actually up compared to a year ago, but not at an all time high.  That makes me feel better (not!).

The two indicted last week, Zhu Hua and Zhang Shilong, both Chinese citizens, are alleged to be part of the Chinese hacker group APT10.

They are accused of stealing blueprints and other secrets from dozens of corporations, government departments and others at the direction of Beijing.

How did they do it?

They are accused of targeting MSPs (with apparently not so good security, which is why the Trump administration is not naming them), stealing credentials from those MSPs and then using those stolen credentials to steal data from the MSPs’ customers.

Even though the government won’t name any of the MSPs hacked, it seems to be known that at least two of the MSPs who were compromised were HP and IBM.

As part of the U.S. government’s effort to embarrass China (it doesn’t seem to be working, but maybe), the U.K. government dog-piled on.

The UK’s National Cyber Security Centre (NCSC), part of the UK spy agency GCHQ, said that the targets included healthcare, defense, aerospace, government, heavy industry/mining, managed service providers (MSPs) and tech, among many others.  Pretty much anyone with anything worth stealing.

The NCSC says that the theft is current (as opposed to occurring, say, during the previous administration) and further added that “in some cases basic cyber security measures are still not being taken.”

U.S. Energy Secretary Rick Perry said that the hackers are targeting our critical infrastructure.

The hacking runs from 2006 through 2018, so far.  Nothing in the indictment says that they have stopped or slowed down.

The attacks on MSPs started in 2014.  The indictment says that APT10 compromised a service provider with clients in at least 12 countries including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the United States.

APT10 is also blamed for breaking into US Navy systems and stealing confidential information on 100,00 Navy personnel.

Even Deputy AG Rod Rosenstein says that it is unlikely that the two will appear before a US judge any time soon.  Of course, the Feds did get the Canadians to arrest the CFO of Huawei when she transited Canada recently, although I suspect that the Chinese will get smart about managing travel as a result of that.

Rosenstein also said that there is no free pass to violate American laws.

The Register added … There is no real penalty either.

It seems to me that the indictments should include those MSPs with shoddy security, but don’t count on that.

As you can probably tell from the tone of this post, I am more than a little bit annoyed.

There is something that businesses can do and it doesn’t require an Act of Congress.

Each and every company needs to have a vendor cyber risk management program and aggressively hold its vendors’ feet to the fire.  If vendors such as the apparently poorly protected MSPs start shedding customers, and if those customers’ contracts hold those vendors financially liable for their clients’ losses, they will change their practices, even without a law.  Contract law works just fine.  My two cents.

Information for this post came from The Register.