China-linked hacker group has gone quiet, but DHS expects resurgence

An advanced persistent threat group linked to the Chinese government accused of conducting a widespread cyber espionage campaign against IT service providers has gone quiet since two of its members were indicted by the Department of Justice last year, according to a Department of Homeland Security official, but it remains an active threat to American businesses.

The group, known as APT 10, has a history of targeting the U.S. technology supply chain. In recent years, it has begun focusing attention on compromising managed service and cloud providers who often remotely manage IT systems and store data on behalf of client companies and -- when compromised -- can offer hackers wider access to the networks of multiple businesses.

Rex Booth, chief of cyber threat analysis at the Cybersecurity and Infrastructure Security Agency, said at a DHS webinar held Feb. 6, the campaign against IT service providers started in 2014 and continued through 2018. The campaign is part of a larger strategic shift by APT10 in recent years from "labor intensive, one-off compromises of individual targets" to "force multiplier effects that enable them to compromise multiple targets through a single attack."

Booth said that APT 10 has gone quiet recently following last year's indictments, but DHS is confident "they haven't gone away."

Adam Meyers, vice president of intelligence at Crowdstrike, told FCW last year that is not uncommon for APT groups to temporarily go underground after being publicly outed in order to change tools and tactics so they can evade similar means of detection in the future.

Former White House Cybersecurity Coordinator and National Security Agency Senior Advisor Rob Joyce said on the information security podcast Risky Business this month that threats to U.S. managed service providers from Chinese hackers remain "a real and present commercial threat."

U.S. officials say the primary targets from the campaign were companies who support commercial activities that align with priorities listed in China's 2025 plan to become a global leader in emerging technologies. The technological focus of affected companies listed in the December 2018 indictment, including satellites, aviation, telecommunications, industrial factory automation, biotechnology, mining and others, "reads like a shopping list from China's strategic plans," Booth said.

The group uses a few unique tools to attack providers but mostly relies on common attack vectors like spearphishing and theft of login credentials, especially for users with elevated access.

DHS officials are worried that the attacks will only become more common as companies continue to migrate to the cloud and outsource IT services to third-parties. On the call, Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs said many businesses and customers have shifted toward using more cloud and IT service providers in recent years and that "this type of activity has the potential to be used much more widely to affect millions more internet users around the world."

The Trump administration and federal agencies have increasingly ratcheted up pressure on the Chinese government in recent years, with a particular focus on curbing alleged economic, espionage of American businesses and technologies. Last month the Department of Justice indicted Chinese telecommunications giant Huawei for committing intellectual property theft and fraud against American businesses.

Intelligence and law enforcement agencies are also making a concerted push to discourage businesses and countries around the world from doing business with Chinese telecommunications firm Huawei and other Chinese companies when building out their 5G networks. CISA leadership has indicated that communicating the threat posed by China to the technology supply chain and 5G will be one of the top priorities for the agency this year, according to a DHS source familiar with internal deliberations.