The US department of justice has charged 2 Chinese hackers affiliated with Beijing’s ministry of state security for running a campaign to hack and steal information from technology companies and the US government.

The hackers are part of a group called APT10 that attacked managed IT service providers to obtain intellectual property and trade secrets from across the world. Managed service providers (MSP) are companies that remotely manage a client’s (a government or another company) servers, storage and other IT infrastructure.

The case has blown the lid on APT10’s attempt — beginning in or about 2014 — to hack into governments and companies across the world through MSPs. The US indictment says the group obtained unauthorised access to computers of an MSP that had offices in New York and “compromised data of that MSP and certain of its clients” in 12 countries, including India; the other nations are the US, UK, Germany, Japan, Canada, Sweden, France, Finland, Brazil, Switzerland, and UAE. The court document said “compromised clients” included companies in banking and finance, oil and gas exploration, mining, telecommunication, biotechnology, and consumer electronics.

APT10 also allegedly hacked into more than 40 computers connected to the US Navy and stole confidential data. “China will find it difficult to pretend that it is not responsible for this action,” US deputy attorney general Rod Rosenstein said. FBI Director Christopher Wray said: “China's goal, simply put, is to replace the US as the world's largest global superpower.”

The US authorities say the indicted hackers, identified as Zhu Hua and Zhang Shilon, worked for Huaying Haitai Science and Technology Development Company and were contracted by China as cyber mercenaries.

IT minister Ravishankar Prasad had told Parliament this week that over 100 government websites, including some managed by the National Informatics Centre, were hacked this year. In all, over 15,000 Indian websites were hacked in 2018.