UK and allies reveal global scale of Chinese cyber campaign

December 20, 2018 –

Along with its allies, the UK has announced that a group known as APT 10 acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.

The National Cyber Security Centre (NCSC) assesses with the highest level of probability that the group widely known as APT 10 is responsible for this sustained cyber campaign focused on large-scale service providers. The group almost certainly continues to target a range of global companies, seeking to gain access to commercial secrets.

This campaign shows that elements of the Chinese government are not upholding the commitments China made directly to the UK in a 2015 bilateral agreement. It is also inconsistent with G20 commitments that no country should conduct or support ICT enabled theft of intellectual property, including trade secrets or other confidential business information.

Foreign Secretary, Jeremy Hunt said:

This campaign is one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date, targeting trade secrets and economies around the world.

These activities must stop. They go against the commitments made to the UK in 2015, and, as part of the G20, not to conduct or support cyber-enabled theft of intellectual property or trade secrets.

Our message to governments prepared to enable these activities is clear: together with our allies, we will expose your actions and take other necessary steps to ensure the rule of law is upheld.

The UK is committed to upholding the rules-based international order, which underpins the peace, security and prosperity of the whole world. With its allies, the UK is once again demonstrating that the international community will not hesitate to call out state-sponsored cyber campaigns.

The government will take forward further engagement with service providers to ensure they have robust protections in place against continuing and emerging cyber threats – it is clear that in some cases basic cyber security measures are still not being taken, and this is not acceptable. In the New Year, there will be a roundtable hosted by the government and NCSC inviting a broad range of senior representatives from suppliers to government, including managed service providers and service integrators. Together the community will discuss the necessary step change that is required in contracting and security controls to tackle cyber threats to government and beyond.

The UK’s National Cyber Security Centre assesses that APT 10 was almost certainly responsible for a campaign of activity against global Managed Service Providers (MSPs) since at least 2016, widely known as Cloud Hopper. This targeted intellectual property and commercially sensitive information of the MSPs and their clients. It is highly likely that these accesses were used to engage in commercial espionage.

The NCSC assesses that it is highly likely that APT 10 has an enduring relationship with the Chinese Ministry of State Security, and operates to meet Chinese State requirements. Given the high confidence assessment and the broader context, the UK government has made the judgement that the Chinese Ministry of State Security was responsible.

This is the first time that the UK government has publicly named elements of the Chinese government as being responsible for a cyber campaign. It has previously attributed:

  • the WannaCry ransomware incident to North Korean actors;
  • a multi-year computer network exploitation campaign targeting universities around the world, including the UK, to the Mabna Institute based in Iran; and
  • a series of attacks including NotPetya, the WADA hack and leak and BadRabbit to the GRU (Russian Military Intelligence).

The NCSC published guidance to mitigate against this campaign targeting MSPs on 3 April 2017.