Using careful language, Canada has backed U.S. allegations that for about 12 years two Chinese citizens hacked managed Internet service providers in several countries to get intellectual property and confidential business and technological information of businesses.
In a statement on Thursday, Canada’s electronic spy agency, the Communications Security Establishment, said it “also assesses that it is almost certain that actors likely associated with the People’s Republic of China (PRC) Ministry of State Security (MSS) are responsible for the compromise of several managed service providers [in Canada] beginning as early as 2016.”
The government didn’t identify the Canadian providers hacked. As a sector, managed service providers include major telcos Bell, Rogers and Telus as well as companies like IBM Canada, CGI, Scalar Decisions, Navantis, Herjavec Group, HighVail and others.
Managed service providers would be ideal targets because they link to many customer networks. The compromise of one provider can be a gateway into many private and public sector organizations.
The Globe and Mail quoted Public Safety Minister Ralph Goodale on Thursday as also being publicly careful with his words. Asked if China has broken the terms of the 2017 anti-cyber-espionage agreement it signed with the Trudeau government, Goodale replied that “obviously, we are deeply disappointed if a commitment made in the past has been violated, and we think it is important to point out when that occurs.”
On Thursday the U.S. unsealed an indictment charging Zhu Hua and Zhang Shilong with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.
The indictment alleges Zhu and Zhang were members of a hacking group operating in China known within the cyber security community as Advanced Persistent Threat 10 (the APT10 Group). While they worked for a company in China called Huaying Haitai Science and Technology Development Company (Huaying Haitai), it is alleged they worked with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
“The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein. “This is outright cheating and theft, and it gives China an unfair advantage at the expense of law-abiding businesses and countries that follow the international rules in return for the privilege of participating in the global economic system.”
The APT10 Group allegedly obtained unauthorized access to the computers of a service provider that had offices in the Southern District of New York and compromised data of customers involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.
Overall, the indictment says, APT10 stole hundreds of gigabytes of sensitive data and targeted the computers of 45 companies involved in aviation, space and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and production technology, communications technology, computer processor technology, and maritime technology, as well as U.S. government agencies.
David Swan, the Alberta-based director of cyber intelligence for the Centre for Strategic Cyberspace + Security Science, said in an email the U.S. indictment should come as no surprise to cyber security analysts. “China announces its strategic objectives in its ‘Five Year Plans’. Chinese hacking generally follows that direction.
“Despite agreements between China and the United States (under President Obama) and more recently between China and Canada (under Prime Minister Trudeau) there has been no change in the direction or substance of Chinese hacking. Chief Security Officers (CSO’s) and cyber security personnel face Chinese hacking on an ongoing basis. Chinese hacking has touched all aspects of Canadian life from academic to defence, from start-up innovators to corporations, from individuals to the National Research Council (NRC).”
This is a reference to the 2014 hack of the NRC which Ottawa blamed on a Chinese threat actor.
What was surprising, Swan added, was the recognition during the U.S. announcement that China was unlikely to change its policies. “This is the first time I have heard an official source admit that.”
The press release from CSE is interesting in that it is in stark contrast with the milder statements from Liberal politicians and senior bureaucrats, he added.
David Senf, founder of the Toronto-based cyber security consultancy Cyverity, said in an email that it’s clear that the intellectual property of Canadian firms and Canadian subsidiaries of multinationals is valuable to China and other nations. The concern in this case is less about stolen credit card information and more about company and state secrets.
“Organizations have to assume that they are a target, their cloud provider is a target and so are MSPs. But it’s still better to do something than nothing. It’s still better to get outside help than not to protect, detect and respond to attacks.”
“If we assume the government reports are correct about one or more MSPs being compromised, it is still better for Canadian customers to rely on outside help than to go without. Continuous threat monitoring, for example, is an MSP service that is important for organizations to consider, as they likely don’t have the ability to maintain that kind of staff time and infrastructure themselves.”
The indictment and support from other countries come as China is pressured from a number of sides. The U.S. is putting a squeeze on Canada and other members of the Five Eyes intelligence co-operative to refuse to allow their carriers to install Chinese wireless equipment on their upcoming next-generation 5G networks. Australia and New Zealand have agreed; Canada and the U.K. are still thinking about it.
At the same time, the U.S. and China are involved in a trade dispute.