The US Department of Justice (DoJ) on Monday unsealed charges against seven Chinese nationals for their alleged involvement in a hacking group that has targeted US and foreign critics, journalists, businesses and political officials for approximately 14 years.
The defendants include Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang and Zhao Guangzong.
The alleged cyber spies were charged with conspiracy to commit computer intrusion and conspiracy to commit wire fraud in connection with a state-sponsored threat group identified as APT31, also known as Altaire, Bronze Vinewood, Judgment Panda and Violet Typhoon (formerly known as Zirconium). The hacker collective has been active since at least 2010.
Specifically, their responsibilities involved testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding that the campaigns were designed to advance China’s economic espionage and foreign intelligence objectives.
Both Ni Gaobin and Zhao Guangzong are reportedly linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).
Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as “a shady-looking company in Wuhan looking for vulnerability miners and foreign language experts.”
In addition to announcing a reward of up to $10 million for information that could lead to the identification or whereabouts of people associated with APT31, the UK and US also imposed sanctions against Ni Gaobin, Zhao Guangzong and Wuhan XRZ for endangering national security and targeting parliamentarians around the world.
“These allegations raise the curtain on China’s vast illegal hacking operation that has targeted sensitive data of U.S. elected and government officials, journalists and academics; valuable information of American companies; and political dissidents in America and abroad,” said US Attorney Breon Peace.
“Their sinister plan victimized thousands of people and entities around the world and lasted over a decade.”
The extensive hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest containing hidden tracking links that, when a message was simply opened, revealed the victim’s location, Internet Protocol (IP) address, network patterns and the devices used to access the email account.
This information subsequently allowed threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising recipients’ home routers and other electronic devices.
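The open-tracking technique described above works because an HTML mail client that loads remote content will fetch a hidden image (often 1x1 pixels, with a per-recipient token in the URL) from an attacker-controlled server, handing over the reader’s IP address, client fingerprint and time of opening. The following triage script is an added example, not code from the original article or from any tooling attributed to APT31: it parses a raw message, pulls the remote images out of the HTML part and flags the ones that look like beacons. The message, the hostnames (`cdn.example.test`, `track.example.test`) and the `rid=` token are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real lure): a plausible HTML mail with one
# ordinary remote logo and one hidden 1x1 "open" beacon keyed to the recipient.
RAW_EMAIL = b"""\
From: events@example.test
To: analyst@example.test
Subject: Agenda for Thursday
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the agenda at https://example.test/agenda

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the agenda linked below.</p>
<img src="https://cdn.example.test/logo.png" width="200" height="60">
<img src="https://track.example.test/o?rid=7f3a9c1e" width="1" height="1" style="display:none">
<p><a href="https://track.example.test/r?rid=7f3a9c1e">Agenda</a></p>
</body></html>

--b1--
"""


class _HtmlRefs(HTMLParser):
    """Collects <img> and <a> tags together with the attributes that matter."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a)


def _is_tiny(value):
    """True for width/height attributes of 1px or less (classic beacon size)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except (ValueError, AttributeError):
        return False


def find_tracking_beacons(raw_message: bytes):
    """Return remote images in the HTML part that look like open-tracking beacons.

    Each finding carries the URL, its host and the reasons it was flagged, so an
    analyst can decide whether to block the host or warn the recipient.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, nothing can phone home on open
    parser = _HtmlRefs()
    parser.feed(body.get_content())

    findings = []
    for img in parser.images:
        url = img["src"]
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and make no request
        reasons = []
        if _is_tiny(img.get("width")) or _is_tiny(img.get("height")):
            reasons.append("1x1 image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if parsed.query:
            reasons.append("query string (possible per-recipient token)")
        if reasons:
            findings.append({"url": url, "host": parsed.hostname, "reasons": reasons})
    return findings


def links_to_beacon_hosts(raw_message: bytes):
    """Return hrefs pointing at the same hosts as any flagged beacon: the
    click-through links of a tracked mail usually share the tracker host."""
    hosts = {f["host"] for f in find_tracking_beacons(raw_message)}
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None or not hosts:
        return []
    parser = _HtmlRefs()
    parser.feed(body.get_content())
    return [a["href"] for a in parser.links if urlparse(a["href"]).hostname in hosts]


if __name__ == "__main__":
    for f in find_tracking_beacons(RAW_EMAIL):
        print(f"{f['host']}: {', '.join(f['reasons'])}  <- {f['url']}")
    for href in links_to_beacon_hosts(RAW_EMAIL):
        print("tracked link:", href)
```

Run on the sample, the logo is ignored (visible size, no token) and the second image is reported with all three reasons, along with the click-through link on the same host. The script is a gateway-side triage aid; the actual mitigation against this class of reconnaissance is a client policy that does not load remote content automatically, which denies the sender the IP address and device fingerprint regardless of how the beacon is dressed up.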
Threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victims’ computer networks, resulting in the confirmed and potential theft of phone call logs, cloud storage accounts, personal emails, economic plans, intellectual property and trade secrets associated with US companies.
Other spear phishing campaigns orchestrated by APT31 have also been found to target U.S. government officials working in the White House, the Departments of Justice, Commerce, Treasury, and State, as well as U.S. senators, representatives, and campaign staff from both political parties.
The attacks were facilitated through custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on victim machines. A cracked version of Cobalt Strike Beacon was also used to conduct post-exploitation activities.
Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trading, finance, consulting, and legal and research industries. APT31 has also identified dissidents around the world and others believed to support them.
“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers and support personnel who conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.
“In 2010, the HSSD established Wuhan people and companies operating in areas of national importance.”
“Chinese state-sponsored cyber espionage is not a new threat, and the DoJ’s unsealed indictment today shows the full extent of their cyber operations to advance the agenda of the People’s Republic of China (PRC). While this is not a new threat, the scale of the espionage and the tactics employed are concerning,” said Alex Rose, director of government partnerships at Secureworks Counter Threat Unit.
“Over the past two years, the Chinese have evolved their typical modus operandi to evade detection and make it more difficult to attribute specific cyber attacks to them. This is part of a broader strategic effort that China is capable of carrying out. The expertise, resources and tactics at the PRC’s disposal make it an ongoing, high and persistent threat to governments, businesses and organizations around the world.”
The charges come after the UK government pointed the finger at APT31 for “malicious cyber campaigns” aimed at the Electoral Commission and the country’s politicians. The Electoral Commission breach led to unauthorized access to voter data belonging to 40 million people.
The incident was disclosed by the regulator in August 2023, although there is evidence that threat actors gained access to the systems two years earlier.
China, however, has rejected the allegations, describing them as “completely fabricated” and amounting to “malicious slander”. A spokesperson for the Chinese embassy in Washington DC told BBC News that the countries had “made unfounded accusations”.
“Tracking the origin of cyber attacks is extremely complex and sensitive. When investigating and determining the nature of cyber cases, it is necessary to have adequate and objective evidence, instead of denigrating other countries when the facts do not exist, much less politicize cybersecurity issues,” Foreign Ministry spokesperson Lin Jian said.
“We hope that the relevant parties will stop spreading disinformation, adopt a responsible attitude and jointly safeguard peace and security in cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its legitimate rights and interests.”