US charges 12 Chinese nationals for ‘reckless’ cyberattacks



The US Department of Justice (DOJ) – alongside the FBI, Naval Criminal Investigative Service, and the Departments of State and the Treasury – has announced a coordinated effort to disrupt and deter cyber espionage activity by 12 Chinese nationals.

The 12 individuals include two officers of the Ministry of Public Security (MPS), employees of a Chinese company known as Anxun Information Technology or “i-Soon,” and members of Advanced Persistent Threat 27 (APT27).

The DOJ alleges these actors – working both freelance and as employees of i-Soon – conducted computer intrusions at the behest of the MPS and Ministry of State Security (MSS), as well as on their own initiative.

The MPS and MSS are accused of paying handsomely for stolen data, with victims including US-based critics of the Chinese government, a large religious organisation, Asian foreign ministries, and US federal and state government agencies, including the Treasury in late 2024.

“The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people,” said Sue J. Bai, Head of the Justice Department’s National Security Division.

“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed. We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security.”

The FBI echoed these sentiments, highlighting the role of the MPS in allegedly paying hackers to target Americans who criticise the Chinese Communist Party (CCP). 

“To those victims who bravely came forward with evidence of intrusions, we thank you for standing tall and defending our democracy,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

“And to those who choose to aid the CCP in its unlawful cyber activities, these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”

Court documents reveal the MPS and MSS allegedly employed a network of private companies and contractors in China to obfuscate the government’s involvement in hacking and data theft.

This network is accused of operating from a “safe haven” in China, indiscriminately targeting vulnerable computers worldwide and selling the stolen information to the highest bidder, including the Chinese government. This approach, the DOJ says, has resulted in a vast number of victims and compromised systems globally.

Indictments and seizures over Chinese cyber espionage activity

A federal court in Manhattan unsealed an indictment charging eight i-Soon employees and two MPS officers for their alleged involvement in widespread hacking of email accounts, mobile phones, servers, and websites between 2016 and 2023. The court also authorised the seizure of i-Soon’s primary internet domain.

Matthew Podolsky, Acting US Attorney for the Southern District of New York, commented: “State-sponsored hacking is an acute threat to our community and national security. For years, these 10 defendants – two of whom we allege are PRC officials – used sophisticated hacking techniques to target religious organisations, journalists, and government agencies, all to gather sensitive information for the use of the PRC.

“These charges will help stop these state-sponsored hackers and protect our national security. The career prosecutors of this office and our law enforcement partners will continue to uncover alleged state-sponsored hacking schemes, disrupt them, and bring those responsible to justice.”

The defendants remain at large, and the US Department of State’s Rewards for Justice programme has announced a reward of up to $10 million for information leading to their capture:

FBI wanted poster offering a reward for information leading to the capture of 10 Chinese nationals accused of cyber espionage activity.

i-Soon and its employees are alleged to have generated tens of millions of dollars in revenue, acting as a key player in the “hacker-for-hire” ecosystem. The company is accused of conducting intrusions for both the MSS and MPS, including cyber-enabled transnational repression, and selling stolen data to 43 different bureaus of the MSS or MPS across China.

Targets of i-Soon’s alleged hacking activities included:

  • A large religious organisation critical of the Chinese government
  • An organisation promoting human rights and religious freedom in China
  • News organisations in the US opposed to the CCP
  • The New York State Assembly
  • A religious leader and his office
  • A Hong Kong newspaper critical of the Chinese government
  • The foreign ministries of Taiwan, India, South Korea, and Indonesia

In a separate case, a federal court unsealed two indictments charging APT27 actors Yin Kecheng and Zhou Shuai – also known as “Coldface” – for their involvement in multi-year, for-profit computer intrusion campaigns. Court-authorised seizures of internet domains and computer server accounts used by the defendants were also announced.

“These indictments and actions show this office’s long-standing commitment to vigorously investigate and hold accountable Chinese hackers and data brokers who endanger US national security and other victims across the globe,” said Interim US Attorney Edward R. Martin Jr. for the District of Columbia.

“The defendants in these cases have been hacking for the Chinese government for years, and these indictments lay out the strong evidence showing their criminal wrongdoing. We again demand that the Chinese government put a stop to these brazen cyber criminals who are targeting victims across the globe and then monetising the data they have stolen by selling it across China.”

Yin and Zhou are alleged to have exploited network vulnerabilities, installed malware, and stolen data from numerous US-based organisations, including technology companies, think tanks, law firms, defence contractors, local governments, healthcare systems, and universities. Their actions are said to have resulted in millions of dollars in damages.

The documents also allege Yin’s involvement in the recent hacking of the Treasury between September and December 2024. The FBI seized virtual private servers and other infrastructure allegedly used in the attack.

The Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against both Yin and Zhou, as well as Shanghai Heiying Information Technology, a company operated by Zhou.

Private sector partners are also involved in the effort to combat the alleged Chinese cyber activity. Microsoft has published research highlighting its insights into Silk Typhoon’s tactics, techniques, and procedures, specifically its targeting of the IT supply chain.

This coordinated effort by US authorities and private sector partners underscores the growing concern over state-sponsored activity, such as that seen from Chinese cyber actors, and the determination to hold perpetrators accountable.

(Photo by David Trinks)
