U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation
27.3.24 BigBrothers The Hacker News
The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.
The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).
The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.
According to federal prosecutors, the defendants' roles included testing and exploiting the malware used in the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities. The campaigns, prosecutors added, were designed to advance China's economic espionage and foreign intelligence objectives.
Both Ni Gaobin and Zhao Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company believed to have conducted several malicious cyber operations on behalf of the Ministry of State Security (MSS).
Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a "sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts."
Alongside a U.S. reward of up to $10 million for information leading to the identification or location of people associated with APT31, the U.K. and the U.S. have levied sanctions against Ni Gaobin, Zhao Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians around the world.
"These allegations pull back the curtain on China's vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad," stated U.S. Attorney Breon Peace.
"Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade."
The sprawling hacking operation, which ran from at least 2010 until November 2023, involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest. The messages purported to come from prominent journalists and appeared to contain legitimate news articles.
In reality, they carried hidden tracking links. Merely opening a message caused the recipient's mail client to fetch an attacker-controlled resource, leaking the victim's location, internet protocol (IP) address, network schematics, and the devices used to access the email account.
This reconnaissance data then enabled the threat actors to mount more targeted, individually tailored attacks, including the compromise of recipients' home routers and other electronic devices.
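The beacon technique described above is what mail clients call "remote content": an image or link whose URL carries a per-recipient token, so the first fetch tells the sender who opened the message, from which IP address and with which client. The following is an added example, not code from the indictment or from The Hacker News, that scans a constructed HTML email body for such beacons and rewrites it so that opening the message triggers no outbound request. The sample message, the hostnames (`t.example`, `news-redirect.example`, `cdn.example`) and the token heuristics are assumptions made for illustration.

```python
"""Detect and neutralise email tracking beacons (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a message posing as a news article. The <a> goes through a
# redirector carrying an opaque per-recipient token, the first <img> is a benign
# hosted logo, and the last <img> is a hidden 1x1 pixel carrying the same token.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear colleague, please see my latest article on trade policy.</p>
<a href="https://news-redirect.example/r?id=7f3a9c2e5b1d4e8fa6c0b2d9e4f1a3c5">Read the full story</a>
<img src="https://cdn.example/logo.png" width="120" height="40" alt="logo">
<img src="https://t.example/o/7f3a9c2e5b1d4e8fa6c0b2d9e4f1a3c5.gif" width="1" height="1" style="display:none">
</body></html>"""

# Heuristic (assumption): an opaque identifier is a path segment or query value
# of 16+ URL-safe characters, which is how per-recipient tokens usually look.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc=")(https?://[^"]*)(")', re.IGNORECASE)


class _Collector(HTMLParser):
    """Collect <img src> and <a href> attributes from the message body."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, attribute dict)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.resources.append(("img", a))
        elif tag == "a" and a.get("href"):
            self.resources.append(("a", a))


def _is_remote(url):
    return urlparse(url).scheme in ("http", "https")


def _has_opaque_token(url):
    """True if any path segment (minus extension) or query value looks like a token."""
    p = urlparse(url)
    candidates = [seg for seg in p.path.split("/") if seg]
    candidates += [v for vals in parse_qs(p.query).values() for v in vals]
    return any(TOKEN_RE.fullmatch(c.rsplit(".", 1)[0]) for c in candidates)


def _is_tiny_or_hidden(attrs):
    """A 1x1 or display:none image has no purpose except to be fetched."""
    def dim(v):
        try:
            return int(v.strip().rstrip("px"))
        except ValueError:
            return None
    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    return tiny or hidden


def find_beacons(html):
    """Return a list of findings: tracking pixels and tokenised links."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.resources:
        url = attrs["src"] if tag == "img" else attrs["href"]
        if not _is_remote(url):
            continue  # inline/data: resources cause no network request
        tokenised = _has_opaque_token(url)
        if tag == "img" and (tokenised or _is_tiny_or_hidden(attrs)):
            findings.append({"kind": "tracking_pixel", "url": url,
                             "host": urlparse(url).hostname})
        elif tag == "a" and tokenised:
            findings.append({"kind": "tracked_link", "url": url,
                             "host": urlparse(url).hostname})
    return findings


def neutralise_remote_images(html):
    """Rewrite every remote <img src> so merely opening the message fetches nothing.

    This is what a client's "block remote content" setting does; "data:," is an
    empty data URL, so the image slot renders blank without any request.
    """
    return IMG_SRC_RE.sub(lambda m: f"{m.group(1)}data:,{m.group(3)}", html)


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EMAIL_HTML):
        print(finding)
    print(find_beacons(neutralise_remote_images(SAMPLE_EMAIL_HTML)))
```

Note that neutralising images only removes the "open" signal: the tokenised link still identifies the recipient if clicked, which is why the scanner reports it separately rather than rewriting it.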
The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.
Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.
The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus RAT, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.
Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.
"APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD)," the Treasury said.
"In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance."
"Chinese state-sponsored cyber espionage is not a new threat and the DoJ's unsealed indictment today showcases the full gamut of their cyber operations in order to advance the People's Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning," Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.
"The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world."
The charges come after the U.K. government attributed the 2021 targeting of parliamentarians' emails to APT31 and "malicious cyber campaigns" against the Electoral Commission to an unnamed China state-affiliated threat actor. The breach of the Electoral Commission gave the intruders unauthorized access to voter data belonging to 40 million people.
The regulator disclosed the incident in August 2023, although there is evidence that the threat actors first accessed its systems about two years earlier.
Coinciding with the revelations from the U.K. and the U.S., New Zealand said it uncovered links between the Chinese state-sponsored apparatus and cyber attacks against parliamentary entities in the country in 2021. The activity has been attributed to another MSS-backed group tracked as APT40 (aka Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, and Kryptonite Panda).
Australia, in its own statement, expressed "serious concerns" about the malicious cyber activities conducted by China state-sponsored actors targeting the U.K., and called on "all states to act responsibly in cyberspace." However, it claimed that its own electoral systems "were not compromised by the cyber campaigns targeting the U.K."
China, however, has rejected the accusations, describing them as "completely fabricated" and amounting to "malicious slanders." A spokesperson for the Chinese embassy in Washington, D.C. told BBC News that the countries have "made groundless accusations."
"The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues," Foreign Ministry Spokesperson Lin Jian said.
"We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests."