Imagine you’re a burglar. You’ve decided to tackle a high-end luxury apartment, the kind of building with multiple Picassos in the penthouse. You could spend weeks or months casing the place, studying every resident’s schedule, analyzing the locks on all the doors. You could dig through trash for hints about which units have alarms, run through every permutation of what the codes might be. Or you could also just steal the super’s keys.

According to a Justice Department indictment Thursday, that is effectively what China has done to the rest of the world since 2014. That’s when the country’s elite APT10—short for “advanced persistent threat”—hacking group decided to target not just individual companies in its long-standing efforts to steal intellectual property, but instead focus on so-called managed service providers. They’re the businesses that provide IT infrastructure like data storage or password management. Compromise MSPs, and you have a much easier path into all these clients. They're the super.

“MSPs are incredibly valuable targets. They are people that you pay to have privileged access to your network,” says Benjamin Read, senior manager for cyberespionage analysis at FireEye. “It’s a potential foothold into hundreds of organizations.”

"More than two-thirds of the Justice Department’s cases involving thefts of trade secrets are connected to China." Deputy attorney general Rod Rosenstein

For an even greater sense of scale: The indictment alleges, among other things, that by hacking into a single New York-based MSP, APT10 was able to compromise data from companies in a dozen countries, from Brazil to the United Arab Emirates. With a single initial intrusion, Chinese spies could leapfrog to industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, telecommunications, and more. (The full indictment is at the bottom of this story.)

The DOJ's indictment also outlines alleged APT10 activity that focused on government agencies and defense contractors, dating back to 2006, that took a more conventional approach. But the MSP hacks don't just show China’s hacking sophistication; they demonstrate its ruthless efficiency and determination.

“More than 90 percent of the department’s cases alleging economic espionage over the past seven years involve China,” said deputy attorney general Rod Rosenstein at a press conference detailing the indictment. “More than two-thirds of the department’s cases involving thefts of trade secrets are connected to China.”

As tensions between China and the US continue to escalate on trade and other fronts, it’s worth taking a closer look at exactly how they’ve operated—and whether there is any hope of stopping them.

Down With MSP

An APT10 hack of MSPs starts like so many others in recent years: with a carefully crafted email. “C17 Antenna problems,” read the subject line of one APT10 message that hit the inbox of a helicopter manufacturer, part of the 2006 campaign. The body copy was a simple request to open the attached file, a Microsoft Word doc called “12-204 Side Load Testing.” The email appeared to come from a communications technology company. It all seemed very legit.

But of course it wasn’t. The Word attachments in these spear-phishing attempts were malicious, loaded with customized remote access trojans—which let hackers gain access to and control the computer—and keystroke loggers for stealing usernames and passwords.

Once installed, the malware would report back to APT10-controlled domains. The group used dynamic Domain Name System service providers to host those domains, which helped them avoid detection by letting them switch IP addresses on the fly. If a security filter got wise and tried to block a known malicious domain by its IP address, for instance, APT10 could simply change the associated IP address and continue on its merry way.
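To show what that trick looks like from the defender's side, here is an added example (not code from the article or the indictment) that scans resolver logs for names whose answers churn through several addresses in a short window, the signature of dynamic DNS hosting. The log format, domain names and IP addresses are constructed placeholders, not indicators from the case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log lines (timestamp, client, query name, answer).
# Domain names and IPs are placeholders, not indicators from the indictment.
SAMPLE_LOG = """\
2018-11-02T09:00:01Z 10.0.5.17 update.example-ddns.test A 198.51.100.10
2018-11-02T09:05:12Z 10.0.5.17 update.example-ddns.test A 198.51.100.44
2018-11-02T09:11:40Z 10.0.5.17 update.example-ddns.test A 203.0.113.9
2018-11-02T09:18:03Z 10.0.5.17 update.example-ddns.test A 203.0.113.77
2018-11-02T09:00:05Z 10.0.5.21 cdn.vendor.test A 192.0.2.30
2018-11-02T09:30:05Z 10.0.5.21 cdn.vendor.test A 192.0.2.30
2018-11-02T09:45:00Z 10.0.5.21 cdn.vendor.test A 192.0.2.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$"
)

def parse_dns_log(text):
    """Yield (timestamp, client, qname, ip) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["client"], m["qname"], m["answer"]

def churning_domains(text, window_minutes=30, min_distinct_ips=3):
    """Return {qname: sorted IPs} for names whose A answers hit at least
    `min_distinct_ips` distinct addresses inside any `window_minutes` span.
    The alert and the block-list entry should key on the name: the IPs will not last."""
    seen = defaultdict(list)
    for ts, _client, qname, ip in parse_dns_log(text):
        seen[qname].append((ts, ip))
    flagged = {}
    for qname, events in seen.items():
        events.sort()
        for i, (start, _ip) in enumerate(events):  # slide a window over each start
            ips = {ip for ts, ip in events[i:]
                   if (ts - start).total_seconds() <= window_minutes * 60}
            if len(ips) >= min_distinct_ips:
                flagged[qname] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for name, ips in churning_domains(SAMPLE_LOG).items():
        print(f"ALERT {name}: {len(ips)} distinct A answers in 30 min -> {ips}")
```

The stable vendor name is left alone while the churning one is flagged; tune the window and threshold against your own resolver's baseline before alerting on it.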

The federal indictment mostly offers a high-level look from there, but China’s hackers followed a fairly standard playbook. Once they had established themselves on a computer, they would download still more malware to escalate their privileges, until they found what they were looking for: data.

In the case of the MSP intrusions, that malware appears to have mostly been made up of customized variants of PlugX and RedLeaves—which have previously been linked to Chinese actors—and QuasarRAT, an open source remote access trojan. The malware posed as legitimate software on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.