
Chinese Spy Ops Attack 7 MSPs, Feds Allege


Chinese state-backed operatives attacked and gained access to the networks of seven managed service providers (MSPs) in the U.S. and overseas as part of a 14-year global espionage campaign that included infiltration of the emails of U.S. legislators from more than 10 states.

The unnamed MSPs include providers based in California, Colorado, Idaho, New York, Massachusetts and overseas, according to an unsealed indictment in U.S. District Court for the Eastern Division of New York filed in January 2024.

Intrusions into the MSPs’ networks took place between 2017 and 2019, according to court documents. Each of the seven defendants is charged with conspiracy to commit computer intrusions and wire fraud conspiracy.

The federal court's charging affidavit reads, “Customers of managed service providers included corporations, non-government organizations and small and medium-sized businesses. By hacking these networks, the Conspirators gained access to the data belonging to customers of the breached managed service providers.”

The affected California MSP’s customers include a financial company, a nuclear power engineering company, an enterprise-resources planning company and three additional MSPs.

“In one such computer intrusion, in approximately May 2017, the Conspirators accessed a backup server belonging to a California-based managed service provider and from there accessed servers belonging to the California MSP’s customers,” according to the document.

Malware Intrusions Alleged Against PRC Nationals

The spies allegedly used malware hidden in network security programs to gain access to at least 35 devices on the California MSP’s network. They then exploited the California MSP’s access to customer networks to spread malware to at least 15 servers on as many as seven remote customer networks, U.S. law enforcement alleges.

The crew, along with “dozens” of Chinese intelligence officers, contract hackers and support personnel “acting on behalf of the Hubei State Security Department (HSSD),” a Chinese foreign intelligence arm, is part of a group of espionage agents commonly known in the security community as APT31 and Zirconium, according to the indictment.

The defendants, all of whom are People’s Republic of China (PRC) nationals, include:

  • Ni Gaobin
  • Weng Ming
  • Cheng Feng
  • Peng Yaowen
  • Sun Xiaohui
  • Xiong Wang
  • Zhao Guangzong

According to the U.S. Justice Department, Cheng Feng, Sun Xiaohui, Weng Ming, Xiong Wang, and Zhao Guangzong were involved in testing and exploiting malware.

Cheng and Ni Gaobin managed infrastructure associated with some of these intrusions, including the domain name for a command-and-control server that accessed at least 59 unique victim computers.

Sun and Weng operated the infrastructure used in an intrusion into a U.S. company known for its public opinion polls.

Sun and Peng Yaowen conducted research and reconnaissance on several additional U.S. entities that were later the victims of the APT31 Group’s intrusion campaigns.

Ni and Zhao sent emails with links to files containing malware to PRC dissidents, specifically Hong Kong legislators and democracy advocates, as well as targeting U.S. entities focusing on PRC-related issues.

Feds Offer $10 Million Reward

U.S. officials are dangling a reward of up to $10 million for information on the alleged hackers, all of whom are believed to reside in the PRC.

“As alleged in today’s indictment, this prolific global hacking operation — backed by the PRC government — targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” said Deputy Attorney General Lisa Monaco in a statement.

In addition to U.S. government officials, the wide-sweeping campaign included various U.S. economic and defense industries and a variety of private industry officials, foreign democracy activists, academics and U.K. parliamentarians. According to the indictment, the espionage activities resulted in compromised work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans.

U.S. officials believe that information that could influence “democratic processes and institutions, and economic plans, intellectual property, and trade secrets” belonging to American businesses was possibly heisted, at an estimated cost of billions of dollars.

Ten Thousand Malicious Emails Sent

The group's hacking strategy included sending some 10,000 malicious emails that appeared to come from prominent news outlets or journalists and to contain legitimate news articles but in fact housed hidden tracking links. The defendants and others in APT31 then used information harvested from the emails to bore into the recipients’ home routers and other electronic devices.

Similar emails were also sent to government officials worldwide believed by PRC officials to be critics of the nation. Targeted U.S. government officials included individuals working in the White House, the Departments of Justice, Commerce, Treasury, and State, and U.S. Senators and Representatives of both political parties.

“Neither the breadth nor length of this campaign is that big of a surprise,” said Matt Hull, who heads strategic threat intelligence at consultancy NCC Group. “Foreign intelligence services and the cyber capabilities these APT groups have are highly capable and sophisticated. An espionage campaign relies on being 'low and slow' within the target environment. If they were too loud, their campaign would simply not be successful.”

He added, “It is difficult to combat the most capable of threat actors. In most cases for a target of such a group, it is a case of not if, but when a successful compromise will take place.”

APT31's Compromised Industries Listed

The range of unnamed organizations APT31 gained access to between 2010 and 2023 includes defense, IT, telecom, manufacturing and trade, finance, legal and research industries.

A list of dozens of compromised companies across industries, as excerpted from the allegations, includes:

Defense

  • A cleared defense contractor based in Oklahoma that designed and manufactured military flight simulators for the U.S. Army, Air Force and Navy
  • A cleared aerospace and defense contractor based in Tennessee
  • An Alabama-based research corporation in the aerospace and defense industries
  • A Maryland-based professional support services company that services the Department of Defense and other government agencies

IT

  • An American manufacturer of software and computer services based in California
  • A global provider of wireless technology based in Illinois
  • A technology company based in New York
  • A software company servicing the industrial controls industry based in California
  • An IT consulting company based in California
  • An IT services and spatial processing company based in Colorado
  • A multi-factor authentication company
  • An American trade association
  • Multiple information technology training and support companies

Telecom

  • A provider of 5G network equipment in the U.S.
  • An IT solutions and 5G integration service company based in Idaho
  • A telecommunications company based in Illinois
  • A voice technology company headquartered in California
  • A manufacturing association based in Washington, D.C.

Finance

  • A finance company headquartered in New York
  • An American multinational management consulting company with offices in Washington, D.C.
  • A financial ratings company based in New York

Legal

  • Multiple global law firms based in New York and throughout the U.S.

Research

  • A machine learning laboratory based in Virginia
  • A university based in California
  • Multiple research hospitals and institutes located in New York and Massachusetts
  • An international non-profit organization headquartered in Washington, D.C.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.