Chinese hackers indicted for Global Hacking Campaign

By installing malware including a keylogger, Chinese hackers managed to hack hundreds of companies in 12 countries. 

December 20, 2018

Details of the breach

On Monday, December 17th, the US government unsealed a DOJ (Department of Justice) indictment against two Chinese nationals. The indictment from the US Southern District Court of New York alleges that the two individuals, who go by the names “Godkiller” and “Baobeilong”, are members of the hacking group known as “Advanced Persistent Threat 10” or APT10. The DOJ claims that the individuals worked in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau to steal sensitive data from US-based companies and US government agencies.


The indictment indicates that the hacking group APT10 has “… engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of commercial and defense technology companies and U.S. Government agencies in order to steal information and data …”, referred to as “The Technology Theft Campaign”. During this campaign, hundreds of gigabytes of sensitive data were stolen from a diverse array of victims, including aviation, space, satellite technology, and communications companies; a US Department of Energy National Laboratory; and NASA’s Goddard Space Flight Center and its Jet Propulsion Laboratory.

APT10 also targeted managed service providers (MSPs) in their “MSP Theft Campaign”. MSPs deliver network, application, system and e-management services across a network to multiple enterprises. MSPs tend to be web hosting or application service providers that allow users to outsource their network and application resources. In most cases, MSPs own the entire physical back-end infrastructure and provide resources to end users remotely over the Internet on a self-service, on-demand basis. The MSP Theft Campaign leveraged the MSPs’ access to their clients’ networks to infiltrate companies’ secure servers in at least 12 different countries. The victims of these attacks included financial institutions, telecommunication companies, industrial manufacturing, healthcare providers, and biotechnology companies, along with many others.

The attacks orchestrated by APT10 followed an iterative process which, according to the DOJ, typically started with an attack known as spear phishing to infect the victims’ computers with malware, including keyloggers. Members of the conspiracy masked themselves with seemingly legitimate email addresses to trick the recipients. The emails also contained attached documents loaded with malicious code, which were named in a way that made them look relevant to the company.


To illustrate just how devious the hackers were, the DOJ gives an example of one of APT10’s attacks. In this attack, APT10 exploited one of the companies they had compromised earlier by sending an email from its domain to another company that it did business with. The second, unnamed company, which was involved in helicopter manufacturing, received an email from a legitimate email address associated with the familiar domain name of the first company. The subject line read “C17 Antenna problems,” and attached to it was a malicious Microsoft Word document named “12-204 Side Load Testing.doc.” Once the user opened the Word document, the computer was infected with malware. The DOJ described the malware as typically including keyloggers, which were used to steal usernames and passwords as the users of the victim systems typed them.

Once the keylogger was successfully deployed to the endpoint, it was used to steal secure credentials. Once administrative credentials are obtained, traversing the network becomes a trivial task, because the hackers now appear to the system as legitimate employees, allowing them to fly completely under the radar of the enterprise’s security policies. At this point the hackers are able to install additional keyloggers, compromise further sections of the network, and repeat this process until every secure area has been breached. These credentials can also be used to access secure databases and files, allowing them to be decrypted and stolen. APT10 was able to steal the personal information of over a hundred thousand US Navy servicemen using these techniques.
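
Because stolen credentials make the intruder look like a legitimate employee, one defensive check is to compare each account's logons with that account's own history rather than asking whether the password was valid. The Python sketch below is an added example, not part of the original article or the indictment; the event format, account names, host names and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample logon events: (day, account, source_host, destination_host).
# Days 1-3 form the baseline; day 4 is the window under review.
EVENTS = [
    (1, "adm-lee", "ws-017", "fs-01"),
    (2, "adm-lee", "ws-017", "fs-01"),
    (2, "adm-lee", "ws-017", "dc-01"),
    (3, "adm-lee", "ws-017", "fs-01"),
    (1, "jsmith", "ws-042", "fs-01"),
    (3, "jsmith", "ws-042", "fs-01"),
    (4, "jsmith", "ws-042", "fs-01"),
    (4, "adm-lee", "ws-017", "dc-01"),
    (4, "adm-lee", "ws-090", "db-02"),
    (4, "adm-lee", "ws-090", "db-03"),
    (4, "adm-lee", "ws-090", "hr-01"),
    (4, "adm-lee", "ws-090", "fs-01"),
]


def find_credential_fanout(events, review_day, min_new_hosts=3):
    """Flag accounts whose successful logons on review_day reach at least
    min_new_hosts destinations never seen for that account before.
    An account with no baseline at all treats every destination as new."""
    base_src, base_dst = defaultdict(set), defaultdict(set)
    for day, acct, src, dst in events:
        if day < review_day:
            base_src[acct].add(src)
            base_dst[acct].add(dst)

    new_src, new_dst = defaultdict(set), defaultdict(set)
    for day, acct, src, dst in events:
        if day != review_day:
            continue
        if src not in base_src[acct]:
            new_src[acct].add(src)   # logon came from an unfamiliar machine
        if dst not in base_dst[acct]:
            new_dst[acct].add(dst)   # account touched a host it never used

    return {
        acct: {"new_sources": sorted(new_src[acct]),
               "new_destinations": sorted(dsts)}
        for acct, dsts in new_dst.items()
        if len(dsts) >= min_new_hosts
    }


if __name__ == "__main__":
    for acct, detail in find_credential_fanout(EVENTS, review_day=4).items():
        print(acct, detail)
```

Every logon in the sample is a valid authentication; only the administrative account's sudden spread from an unfamiliar workstation to three previously unused servers is reported.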

How to Stop the Threat of Keyloggers
Keyloggers are one of the main components of malware needed to advance a cyber-attack, including the attack the DOJ described above. Eliminating this attack vector stops the function of the keylogger. With EndpointLock™ keystroke encryption software, all keystrokes are encrypted, making them invisible to keyloggers. Keystroke Transport Layer Security (KTLS™) Protocol provides strong cryptography at the time of keystroke entry. This protects the initial transmission of usernames and passwords and subsequent keystrokes entered into any desktop or mobile device. EndpointLock™ would have played an integral part in preventing the attacks described in the DOJ indictment. EndpointLock™ would have eliminated the risk of APT10’s keyloggers, preventing them from being able to obtain the secure credentials needed to further their attack.