Two Chinese nationals have been indicted on charges of computer hacking, conspiracy to commit wire fraud, and aggravated identity theft for intrusions against multiple industries, including manufacturing, oil and gas, automotive, and mining.
The two, according to U.S. Department of Justice (DoJ) investigators, are members of the hacking group known as menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium), which, according to the indictment, carried out the activity at the behest of the Chinese Ministry of State Security.
Zhu Hua, also known as “Afwar,” “CVNX,” “Alayos,” and “Godkiller,” and Zhang Shilong, also known as “Baobeilong,” “Zhang Jianguo,” and “Atreexp” were named in the indictment.
The charges in the indictment stem from a lengthy attack campaign, known as Operation Cloud Hopper, that began in 2014 and largely targeted Managed Service Providers (MSPs). The goal was not only to steal the intellectual property of the MSPs and their clients but also to use the MSPs’ trusted network access as a stepping stone into client environments, according to a report from Palo Alto Networks’ Unit 42. US-CERT also published two advisories, TA17-117A and TA18-276B: the first details the activity, and the second contains protection, detection, and remediation advice for MSPs and their customers.
Those compromised clients included companies that were involved in a diverse array of commercial activity, industries, and technologies, including banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining, according to the indictment.
menuPass’ hacking activity started as early as 2006 and continues to this day; they have shown a marked interest in Japan since 2014.
In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.
Unit 42 released all indicators of compromise they have associated with menuPass in an effort to provide defenders with an extensive list of their malware and attack infrastructure.
Unit 42 also published a menuPass Playbook based on activity from late 2016. The described attacks took place during the timeframe pointed out by DoJ and match the TTPs described in the indictment.