The United States and the United Kingdom announced an indictment Thursday against state-linked Chinese hackers, in a fresh bid to build an international front against Chinese spying.
The announcement includes U.S. criminal charges against Chinese government hackers accused of stealing American businesses’ intellectual property worth hundreds of billions of dollars. The U.S. also said it holds China’s government accountable for sponsoring economic cyberattacks, including in Europe and Asia.
The activities “go against the commitments made to the U.K. in 2015, and, as part of the G20, not to conduct or support cyber-enabled theft of intellectual property or trade secrets,” U.K. Foreign Secretary Jeremy Hunt said.
Australia, Canada, Japan and Germany were expected to join the coalition condemning Beijing over hacking, a diplomat said.
The warnings complement a U.S.-driven campaign to convince Western governments to ban Chinese telecom equipment vendors from providing the gear to build 5G networks. In past months, Australia, Canada, New Zealand and Japan have announced new market restrictions on Huawei and ZTE — China’s two leading telecom equipment makers — due to security concerns.
The criminal charges unveiled Thursday target a hacker group that acted on behalf of the Chinese Ministry of State Security and “almost certainly [continue] to target a range of global companies, seeking to gain access to commercial secrets,” the U.K. Foreign Office said in a statement.
Specifically, the indictment charges two Chinese hackers, Zhu Hua and Zhang Shilong, with computer hacking, conspiracy to commit wire fraud and aggravated identity theft. The document lays out how the hackers targeted sectors including aviation, space and satellite technology, manufacturing, pharmaceuticals and computer processor companies, among others, from as early as 2006.
The indictment said affected companies were located in at least 12 countries — Sweden, Finland, France, Germany, Switzerland and the U.K. in Europe as well as India, Brazil, Canada, Japan, the United Arab Emirates and the U.S.
The hackers used a technique known as “spear phishing,” which targets high-value individuals with mock emails that trick them into downloading malware, which in turn gives the hackers remote access to the networks.
Their group performed services as a contractor for the ministry, infiltrating networks to provide intelligence and information. Hackers lurk inside corporate networks for months, even years, before stealing data. The accused group is known as the “advanced persistent threat group 10” (APT10), also known as Cloud Hopper, Menupass and Stone Panda.
A report by consultancy PricewaterhouseCoopers released in April 2017 revealed the group’s methods and targets, asserting that it had ramped up its activities in 2016 and targeted industrial manufacturing and engineering sectors in Europe and beyond.
“The group focuses on what we call ‘access operations,’ effectively gaining and holding access until it had a requirement to take data,” said Kris McConkey, cybersecurity partner at PwC. “We’ve seen activity until as late as the summer of 2018. In the last eight to 12 weeks we’ve seen a little less activity.”
The indictments effectively kill a deal that ex-President Barack Obama struck with Chinese President Xi Jinping in 2015 to limit cyber-espionage activities. Intellectual property theft has long been a source of tension between the U.S. and China, and in September 2015 the two struck a landmark agreement to tone down the cyber intrusions.
“The difference between this initiative and what preceded the deal reached between the U.S. and China in 2015 is that the U.K., Germany and other governments were not as public then as they are now,” said Chris Painter, Obama’s chief cyber diplomat who negotiated the deal, and left the U.S. government under President Donald Trump.
“This joint action, especially with these countries involved, is significant: It is harder for Beijing to ignore,” Painter said.
Attempted coup de grâce
The indictment caps a series of revelations and statements calling out Chinese hacker groups and the Chinese government for violating international agreements and norms on cyber espionage.
Last week, Secretary of State Mike Pompeo blamed Beijing for the Marriott hack that stole passport data and other information on as many as 500 million people. U.S. officials believe this massive data breach was also part of Beijing’s counterintelligence project. U.S. officials testified before a committee last week, where FBI assistant director Bill Priestap called China “the most severe counterintelligence threat facing our country today.”
In October the U.S. also announced that Belgian authorities had extradited to the U.S. a senior officer at China’s Ministry of State Security to face economic espionage charges, also related to aviation firms.
In parallel, a U.S. cybersecurity company founded by former National Security Agency officials on Tuesday released a disputed report that the EU’s communication system for diplomatic correspondence had been hacked by Chinese hackers linked to the People’s Liberation Army. EU officials are still investigating the incident.
The conflict between Washington and Beijing worsened last week when Canadian authorities arrested Huawei’s chief financial officer, Sabrina Meng, at the request of the U.S. European governments including the U.K., Germany, Belgium, the Czech Republic, the European Commission and others are actively exploring ways to shut off parts of the telecom networks for Huawei.
“The U.S. approach to China’s cyber espionage has evolved rapidly over the past six months,” Paul Triolo, a cyber expert at the think-tank Eurasia Group, said earlier.
He noted that Washington appears to no longer be settling for indicting Chinese hackers who will probably never show up in an American courtroom — and instead is working with like-minded countries to arrest them.
Thursday’s revelations could lead to sanctions, diplomatic sources said, including measures issued by the European Union as a whole.
EU institutions in the past year have worked out a system to respond to cyber threats with diplomatic measures, ranging from statements to economic sanctions. But the bloc has yet to name Moscow as being behind cyber operations.
Denmark, Estonia, Lithuania and Great Britain joined the U.S., Australia and Canada in condemning Russia for orchestrating a large-scale attack using malware known as NotPetya.
As attention now shifts to Beijing, the EU would again consider its options in how to respond to the new allegations.
In the case of China, hackers have targeted companies in Australia, Japan and Europe, Adam Segal and Lorand Laskai of the Council on Foreign Relations pointed out.
“If other countries are involved, it makes it look more like China is standing outside international norms,” Segal told POLITICO earlier.