The U.S. Department of Justice (DoJ) charges 12 Chinese nationals for their alleged involvement in state-linked cyber operations.
The U.S. DoJ charged 12 Chinese nationals, including PRC security officers, employees of the hacking firm i-Soon, and members of the APT27 group (aka Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), for data theft and suppressing dissent worldwide.
“The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activities of 12 Chinese nationals, including two officers of the People’s Republic of China’s (PRC) Ministry of Public Security (MPS), employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as “i-Soon,” and members of Advanced Persistent Threat 27 (APT27).” reads the press release published by DoJ.
Chinese threat actors, working for i-Soon or freelancing, hacked targets worldwide under PRC orders, including U.S. critics, Asian governments, and the U.S. Treasury in late 2024.
The PRC’s MPS and MSS used private firms and private hackers to obscure state involvement in cyber theft.
These threat actors exploited vulnerable systems for profit, selling stolen data to the PRC government or third parties. This broad hacking approach led to more global intrusions and exposed systems to future attacks. The FBI released Public Service Announcements on the PRC’s hacker-for-hire operations.
A federal court in Manhattan unsealed an indictment against eight i-Soon employees and two MPS officers for hacking email accounts, phones, servers, and websites from 2016 to 2023. The U.S. also seized i-Soon’s primary domain. Acting U.S. Attorney Matthew Podolsky condemned the China-backed cyber activities targeting religious groups, journalists, and government agencies. The FBI is seeking the defendants, and the State Department’s Rewards for Justice program offers up to $10 million for information on individuals conducting state-sponsored cyberattacks against U.S. infrastructure.
The US authorities are offering a reward for the following individuals:
- Wu Haibo (吴海波), Chief Executive Officer
- Chen Cheng (陈诚), Chief Operating Officer
- Wang Zhe (王哲), Sales Director
- Liang Guodong (梁国栋), Technical Staff
- Ma Li (马丽), Technical Staff
- Wang Yan (王堰), Technical Staff
- Xu Liang (徐梁), Technical Staff
- Zhou Weiwei (周伟伟), Technical Staff
- Wang Liyu (王立宇), MPS Officer
- Sheng Jing (盛晶), MPS Officer
“The Department of Justice today unsealed indictments charging Zhou Shuai and Yin Kecheng, eight employees of i-Soon, a Chinese technology company, and two officers of China’s Ministry of Public Security (MPS) with a variety of hacking-related offenses. Further, the Diplomatic Security Service’s Rewards for Justice Program (RFJ) is offering up to $10 million for information on i-Soon, its employees, and the MPS officers engaged in malicious cyber activities highlighted in the Department of Justice’s indictments.” reads the announcement by the U.S. Department of State. “Additionally, the United States imposed sanctions on the Shanghai-based malicious cyber actor and data broker, Zhou Shuai, and his company, Shanghai Heiying Information Technology Company. Zhou Shuai illegally acquired, brokered, and sold data from highly sensitive U.S. critical infrastructure networks, including in the defense industrial base, communications, health, and government sectors. The Department of State also announced reward offers under the Transnational Organized Crime Rewards Program (TOCRP) of up to $2 million each for information leading to the arrests and/or convictions of Zhou Shuai and Yin Kecheng.”
According to DoJ, i-Soon primarily served PRC government agencies, working with at least 43 MSS and MPS bureaus, charging $10,000–$75,000 per hacked email inbox. Victims included U.S. agencies like the Defense Intelligence Agency and Department of Commerce, media outlets critical of the CCP, a major U.S.-based religious organization, human rights groups, a Texas organization promoting religious freedom in China, a state research university, and multiple foreign ministries, including those of Taiwan, India, South Korea, and Indonesia. A Hong Kong newspaper and a religious leader abroad were also targeted.
“In many instances, the PRC government was particularly interested in these victims because they had criticized the PRC government. In other instances, the PRC government was particularly interested in foreign ministries because those foreign ministries were in communication with the U.S.” continues the announcement. “In some instances, i-Soon conducted its hacking at the direct request of the MSS or MPS. In other instances, i-Soon conducted hacks on its own initiative and then sold, or attempted to sell, the stolen data to different bureaus of the MSS or MPS. i-Soon also trained MPS employees how to hack independently of i-Soon and offered a variety of hacking methods for sale to its customers. i-Soon touted what it called a “industry-leading offensive and defensive technology” and a “zero-day vulnerability arsenal” used to successfully hack computer systems. “
i-Soon also sold software specifically designed to target victim accounts on a variety of computer systems and applications, including Microsoft Outlook; Gmail, the email service provided by Google LLC; the social media network X, formerly known as Twitter; the cellphone operating system Android; and the computer operating systems Windows, Macintosh, and Linux. i-Soon advertised its bespoke software as being able to overcome the unique defenses of these systems.
One of these software can target Twitter accounts, it works by sending a victim a spear phishing link and then obtaining access to and control over the victim’s Twitter account. The software can access Twitter accounts even if they are protected by multi-factor authentication.
The purpose of the tool, referred to as “Public Opinion Guidance and Control Platform (Overseas),” was to let the company’s customers leverage the network of hacked X accounts to understand public opinion outside of China.
“HAIBO, 43; CHENG, 40; GUODONG, 32; LI, 31; YAN, 35; ZHE, 44; WEIWEI, 37; LIANG, 28; LIYU, 36; and JING, 36, all nationals of China, are charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison.” concludes the announcement. “The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by a judge.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Chinese nationals)
