The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.
The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).
The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.
Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China’s economic espionage and foreign intelligence objectives.
Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that’s believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).
Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a “sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts.”
As well as announcing a reward of up to $10 million for information that could lead to identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against the Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.
“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” stated U.S. Attorney Breon Peace.
“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”
The sprawling hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that came with hidden tracking links that exfiltrated the victims’ location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts simply upon opening the messages.
This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients’ home routers and other electronic devices.
The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.
Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.
The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.
Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.
“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.
“In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance.”
“Chinese state-sponsored cyber espionage is not a new threat and the DoJ’s unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People’s Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning,” Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.
“The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world.”
The charges come after the U.K. government pointed fingers at APT31 for “malicious cyber campaigns” aimed at the country’s Electoral Commission and politicians. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.
The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.
China, however, has rejected the accusations, describing them as “completely fabricated” and amounting to “malicious slanders.” A spokesperson for the Chinese embassy in Washington D.C. told the BBC News the countries have “made groundless accusations.”
“The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Foreign Ministry Spokesperson Lin Jian said.
“We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”