Australian businesses have been infiltrated by large-scale global cyber attacks instigated by China.
The attacks focused on managed service providers (MSPs), which remotely manage the IT infrastructure of organisations, and often hold sensitive information.
It follows the US announcement that it had indicted two Chinese nationals: Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both members of hacking group Advanced Persistent Threat 10 (APT10).
APT10 acts on behalf of China’s intelligence and security agency, the Chinese Ministry of State Security.
It is believed the two men, who are on the FBI’s Wanted list, are currently in China.
The pair can now be arrested if they travel outside of China.
This morning, Australia joined the US in publicly condemning the attacks that have stolen intellectual property from businesses and government, with Senator the Hon Marise Payne, Minister for Foreign Affairs, and the Hon Peter Dutton, Minister for Home Affairs, expressing “serious concern”.
“The worldwide cyber security compromise serves as a reminder that all organisations must remain vigilant about security and that organisations such as MSPs must be responsible and accountable to those they serve,” they said in a joint statement.
In 2015, countries at the G20 Summit – including China – agreed to “refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage”.
Australia and China reaffirmed the agreement bilaterally just last year.
China slammed by US
The US Department of Justice (DoJ) said “hundreds of gigabytes of sensitive data were secretly taken” by APT10 which had targeted a range of companies since 2006.
These companies spanned aviation, banking and finance, satellite and maritime technology, mining and gas exploration, and manufacturing to name a few.
FBI Director Christopher Wray described the list of companies, not named in the indictment, as a “Who’s Who” of the global economy.
“Healthy competition is good for the global economy. Criminal conduct is not. Rampant theft is not. Cheating is not,” Wray said at a press conference.
“China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there. They’re using an expanding set of non-traditional and illegal methods,” Wray said.
“China’s state-sponsored actors are the most active perpetrators of state-sponsored espionage against us.”
The DoJ echoed the sentiments.
“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said US Attorney Berman.
“As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.
“No country should be able to flout the rule of law – so we’re going to keep calling out this behaviour for what it is: illegal, unethical, and unfair.”
Earlier this year, Australian cyber security expert Charles Widdis warned of China attacking businesses to steal information relating to quality management systems and business processes.
“If you're a company doing business with other countries, you can expect that you're being hacked – because they want to know your negotiating position,” he told Information Age.
“I don’t think [business leaders] accept that there are people whose job it is – they get paid – to take your information. It’s an employee in a company that’s attacking you.
“It’s nothing personal, he doesn’t dislike you – it’s just a job. At the end of the day, he goes home, he’s got a family to feed.
“It’s a real thing and it goes on.”
How China did it
APT 10 used ‘spear phishing’ techniques to introduce malware onto targeted computers. The hackers sent emails that appeared to be from legitimate addresses but contained attachments that installed a program to secretly record all keystrokes on the machine, including user names and passwords.
The DoJ said NASA and the Department of Energy were victims, adding APT10 had compromised “more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.”
The Australian government was less forthright, declining to name affected companies.
The Age named both IBM and SAP as being affected.
ACS President Yohan Ramasundara said the government had done the right thing in calling out the attacks.
“It is encouraging to see the Federal Government come out today and condemn the audacious and targeted Chinese attacks on MSPs that have occurred for more than a decade,” Ramasundara said.
“In a combined report released earlier this year, the Australian Strategic Policy Institute (ASPI) and ACS recommended governments use public attribution as a tool in deterring global cyber crime.
“Deploying improved messaging to both partners and adversaries, as well as creating consequences for actions, are also listed as key recommendations.
“Minister for Foreign Affairs, Senator the Hon Marise Payne, and Minister for Home Affairs, the Hon Peter Dutton MP, have led the way with their attribution of the Chinese cyber-enabled commercial intellectual property theft.”
Nigel Phair, Director of UNSW Canberra Cyber, agreed naming China was a step in the right direction, adding businesses need to be less lax about their cyber security.
“Organisations need to not take information security so lightly and think that it’s not going to happen to them,” he told Information Age.
“This is another wake-up call in a long line of wake-up calls.”
The Australian Cyber Security Centre (ACSC) has issued advice MSPs and their clients can use to limit their exposure and protect their information.