{
	"id": "674629f3-56bf-472d-9139-5c7ce1a0823c",
	"created_at": "2026-04-06T02:11:30.395241Z",
	"updated_at": "2026-04-10T13:11:33.017644Z",
	"deleted_at": null,
	"sha1_hash": "4d7c33d258005594fb3a00e24cafb1195e13bcb9",
	"title": "Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61415,
	"plain_text": "Two Chinese Hackers Associated With the Ministry of State\r\nSecurity Charged with Global Computer Intrusion Campaigns\r\nTargeting Intellectual Property and Confidential Business\r\nInformation\r\nPublished: 2018-12-20 · Archived: 2026-04-06 01:54:21 UTC\r\nDefendants Were Members of the APT 10 Hacking Group Who Acted in Association with the Tianjin State\r\nSecurity Bureau and Engaged in Global Computer Intrusions for More Than a Decade, Continuing into\r\n2018, Including Thefts from Managed Service Providers and More Than 45 Technology Companies\r\nThe unsealing of an indictment charging Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and\r\nZhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both nationals of the People’s\r\nRepublic of China (China), with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and\r\naggravated identity theft was announced today.\r\nThe announcement was made by Deputy Attorney General Rod J. Rosenstein, U.S. Attorney Geoffrey S. Berman\r\nfor the Southern District of New York, Director Christopher A. Wray of the FBI, Director Dermot F. O’Reilly of\r\nthe Defense Criminal Investigative Service (DCIS) of the U.S. Department of Defense, and Assistant Attorney\r\nGeneral for National Security John C. Demers.\r\nZhu and Zhang were members of a hacking group operating in China known within the cyber security community\r\nas Advanced Persistent Threat 10 (the APT10 Group).  The defendants worked for a company in China called\r\nHuaying Haitai Science and Technology Development Company (Huaying Haitai) and acted in association with\r\nthe Chinese Ministry of State Security’s Tianjin State Security Bureau. 
\r\nThrough their involvement with the APT10 Group, from at least in or about 2006 up to and including in or about\r\n2018, Zhu and Zhang conducted global campaigns of computer intrusions targeting, among other data, intellectual\r\nproperty and confidential business and technological information at managed service providers (MSPs), which are\r\ncompanies that remotely manage the information technology infrastructure of businesses and governments around\r\nthe world, more than 45 technology companies in at least a dozen U.S. states, and U.S. government agencies.  The\r\nAPT10 Group targeted a diverse array of commercial activity, industries and technologies, including aviation,\r\nsatellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments,\r\nbanking and finance, telecommunications and consumer electronics, computer processor technology, information\r\ntechnology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical\r\nmanufacturing, mining, and oil and gas exploration and production.  Among other things, Zhu and Zhang\r\nregistered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations.\r\n“The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen\r\ncountries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney\r\nGeneral Rosenstein.  
“This is outright cheating and theft, and it gives China an unfair advantage at the expense of\r\nhttps://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion\r\nPage 1 of 4\n\nlaw-abiding businesses and countries that follow the international rules in return for the privilege of participating\r\nin the global economic system.”\r\n“It is galling that American companies and government agencies spent years of research and countless dollars to\r\ndevelop their intellectual property, while the defendants simply stole it and got it for free,” said U.S. Attorney\r\nBerman.  “As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.”\r\n“Healthy competition is good for the global economy, but criminal conduct is not.  This is conduct that hurts\r\nAmerican businesses, American jobs, and American consumers,” said FBI Director Wray.  “No country should be\r\nable to flout the rule of law – so we’re going to keep calling out this behavior for what it is: illegal, unethical, and\r\nunfair.  It's going to take all of us working together to protect our economic security and our way of life, because\r\nthe American people deserve no less.\"\r\n“The theft of sensitive defense technology and cyber intrusions are major national security concerns and top\r\ninvestigative priorities for the DCIS,” said DCIS Director O’Reilly.  “The indictments unsealed today are the\r\ndirect result of a joint investigative effort between DCIS and its law enforcement partners to vigorously\r\ninvestigate individuals and groups who illegally access information technology systems of the U.S. Department of\r\nDefense and the Defense Industrial Base.  
DCIS remains vigilant in our efforts to safeguard the integrity of the\r\nDepartment of Defense and its enterprise of information technology systems.”\r\nAccording to the allegations in the Indictment unsealed today in Manhattan federal court:\r\nOverview\r\nZhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller, and Zhang Shilong (张士龙), aka Baobeilong,\r\naka Zhang Jianguo, aka Atreexp, the defendants, both nationals of China, were members of a hacking group\r\noperating in China known within the cyber security community as the APT10 Group, or alternatively as “Red\r\nApollo,” “CVNX,” “Stone Panda,” “MenuPass,” and “POTASSIUM.”  The defendants worked for Huaying Haitai\r\nin Tianjin, China, and acted in association with the Chinese Ministry of State Security’s Tianjin State Security\r\nBureau.  From at least in or about 2006 up to and including in or about 2018, members of the APT10 Group,\r\nincluding Zhu and Zhang, conducted extensive campaigns of intrusions into computer systems around the world. \r\nThe APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during\r\nthe conspiracy.\r\nMost recently, beginning at least in or about 2014, members of the APT10 Group, including Zhu and Zhang,\r\nengaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of MSPs\r\nfor businesses and governments around the world (the MSP Theft Campaign).  The APT10 Group targeted MSPs\r\nin order to leverage the MSPs’ networks to gain unauthorized access to the computers and computer networks of\r\nthe MSPs’ clients and to steal, among other data, intellectual property and confidential business data on a global\r\nscale.  
For example, through the MSP Theft Campaign, the APT10 Group obtained unauthorized access to the\r\ncomputers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP\r\nand certain of its clients involved in banking and finance, telecommunications and consumer electronics, medical\r\nequipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration,\r\nand mining.\r\nEarlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an\r\nintrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45\r\ntechnology companies and U.S. government agencies, in order to steal information and data concerning a number\r\nof technologies (the Technology Theft Campaign).  Through the Technology Theft Campaign, the APT10 Group\r\nstole hundreds of gigabytes of sensitive data and targeted the computers of victim companies involved in aviation,\r\nspace and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and\r\nproduction technology, communications technology, computer processor technology, and maritime technology.\r\nIn furtherance of the APT10 Group’s intrusion campaigns, Zhu and Zhang, among other things, worked for\r\nHuaying Haitai and registered malicious domains and infrastructure.  
In addition, Zhu, a penetration tester,\r\nengaged in hacking operations on behalf of the APT10 Group and recruited other individuals to the APT10 Group,\r\nand Zhang developed and tested malware for the APT10 Group.\r\nThe MSP Theft Campaign\r\nIn furtherance of the MSP Theft Campaign, Zhu, Zhang, and their co-conspirators in the APT10 Group engaged in\r\nthe following criminal conduct:\r\nFirst, after the APT10 Group gained unauthorized access into the computers of an MSP, the APT10 Group\r\ninstalled multiple variants of malware on MSP computers around the world. To avoid antivirus detection,\r\nthe malware was installed using malicious files that masqueraded as legitimate files associated with the\r\nvictim computer’s operating system.  Such malware enabled members of the APT10 Group to monitor\r\nvictims’ computers remotely and steal user credentials. \r\nSecond, after stealing administrative credentials from computers of an MSP, the APT10 Group used those\r\nstolen credentials to connect to other systems within an MSP and its clients’ networks. This enabled the\r\nAPT10 Group to move laterally through an MSP’s network and its clients’ networks and to compromise\r\nvictim computers that were not yet infected with malware. 
\r\nThird, after identifying data of interest on a compromised computer and packaging it for exfiltration using\r\nencrypted archives, the APT10 Group used stolen credentials to move the data of an MSP client to one or\r\nmore other compromised computers of the MSP or its other clients’ networks before exfiltrating the data to\r\nother computers controlled by the APT10 Group.\r\nOver the course of the MSP Theft Campaign, Zhu, Zhang, and their co-conspirators in the APT10 Group\r\nsuccessfully obtained unauthorized access to computers providing services to or belonging to victim companies\r\nlocated in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden,\r\nSwitzerland, the United Arab Emirates, the United Kingdom, and the United States.  The victim companies\r\nincluded at least the following:  a global financial institution; three telecommunications and/or consumer\r\nelectronics companies; three companies involved in commercial or industrial manufacturing; two consulting\r\ncompanies; a healthcare company; a biotechnology company; a mining company; an automotive supplier\r\ncompany; and a drilling company. \r\nThe Technology Theft Campaign\r\nOver the course of the Technology Theft Campaign, which began in or about 2006, Zhu, Zhang, and their\r\nco-conspirators in the APT10 Group successfully obtained unauthorized access to the computers of more than 45\r\ntechnology companies and U.S. Government agencies based in at least 12 states, including Arizona, California,\r\nConnecticut, Florida, Maryland, New York, Ohio, Pennsylvania, Texas, Utah, Virginia and Wisconsin.  
The\r\nAPT10 Group stole hundreds of gigabytes of sensitive data and information from the victims’ computer systems,\r\nincluding from at least the following victims: seven companies involved in aviation, space and/or satellite\r\ntechnology; three companies involved in communications technology; three companies involved in manufacturing\r\nadvanced electronic systems and/or laboratory analytical instruments; a company involved in maritime\r\ntechnology; a company involved in oil and gas drilling, production, and processing; and the NASA Goddard\r\nSpace Center and Jet Propulsion Laboratory.  In addition to those victims who had information stolen, Zhu,\r\nZhang, and their co-conspirators successfully obtained unauthorized access to computers belonging to more than\r\n25 other technology-related companies involved in, among other things, industrial factory automation, radar\r\ntechnology, oil exploration, information technology services, pharmaceutical manufacturing, and computer\r\nprocessor technology, as well as the U.S. Department of Energy’s Lawrence Berkeley National Laboratory. \r\nFinally, the APT10 Group compromised more than 40 computers in order to steal sensitive data belonging to the\r\nNavy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers,\r\nand email addresses of more than 100,000 Navy personnel.\r\n*                *                *\r\nZhu and Zhang are each charged with one count of conspiracy to commit computer intrusions, which carries a\r\nmaximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a\r\nmaximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory\r\nsentence of two years in prison. 
\r\nThe maximum potential sentences in this case are prescribed by Congress and are provided here for informational\r\npurposes only, as any sentencing of the defendants will be determined by the assigned judge.  The charges\r\ncontained in the Indictment are merely accusations and the defendants are presumed innocent unless and until\r\nproven guilty.\r\nThe case was investigated by the FBI, including the New Orleans, New Haven, Houston, New York, Sacramento,\r\nand San Antonio Field Offices; DCIS; and the U.S. Naval Criminal Investigative Service (NCIS).  Mr. Rosenstein,\r\nMr. Berman and Mr. Demers praised the outstanding investigative work of, and collaboration among, the FBI,\r\nDCIS, and NCIS.  They also thanked the U.S. Attorney’s Office for the District of Connecticut, and the\r\nDepartment of Defense’s Computer Forensic Laboratory for their assistance in the investigation.\r\nAssistant U.S. Attorney Sagar K. Ravi of the Southern District of New York’s Complex Frauds and Cybercrime\r\nUnit is in charge of the prosecution, with assistance provided by Trial Attorney Matthew Chang of the National\r\nSecurity Division’s Counterintelligence and Export Control Section.\r\nSource: https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion"
	],
	"report_names": [
		"two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441490,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d7c33d258005594fb3a00e24cafb1195e13bcb9.pdf",
		"text": "https://archive.orkl.eu/4d7c33d258005594fb3a00e24cafb1195e13bcb9.txt",
		"img": "https://archive.orkl.eu/4d7c33d258005594fb3a00e24cafb1195e13bcb9.jpg"
	}
}