Security

The US Justice Department on Monday unsealed an indictment charging seven men with hacking or attempting to hack dozens of US companies in a 14-year campaign furthering an economic espionage and foreign intelligence gathering by the Chinese government.

All seven defendants, federal prosecutors alleged, were associated with Wuhan Xiaoruizhi Science & Technology Co., Ltd. a front company created by the Hubei State Security Department, an outpost of the Ministry of State Security located in Wuhan province. The MSS, in turn, has funded an advanced persistent threat group tracked under names including APT31, Zirconium Violet Typhoon, Judgment Panda, and Altaire.

Relentless 14-year campaign

“Since at least 2010, the defendants … engaged in computer network intrusion activity on behalf of the HSSD targeting numerous US government officials, various US economic and defense industries and a variety of private industry officials, foreign democracy activists, academics and parliamentarians in response to geopolitical events affecting the PRC,” federal prosecutors alleged. “These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s state-sponsored apparatus to transfer US technology to the PRC.”

The relentless, 14-year campaign targeted thousands of individuals and dozens of companies through the use of zero-day attacks, website vulnerability exploitation, and the targeting of home routers and personal devices of high-ranking US government officials and politicians and election campaign staff from both major US political parties.

“The targeted US government officials included individuals working in the White House, at the Departments of Justice, Commerce, Treasury and State, and US Senators and Representatives of both political parties,” Justice Department officials said. “The defendants and others in the APT31 Group targeted these individuals at both professional and personal email addresses. Additionally in some cases, the defendants also targeted victims’ spouses, including the spouses of a high-ranking Department of Justice official, high-ranking White House officials and multiple United States Senators. Targets also included election campaign staff from both major US political parties in advance of the 2020 election.”

One technique the defendants allegedly used was the sending of emails to journalists, political officials, and companies. The messages, which were made to appear as originating from news outlets or journalists, contained hidden tracking links, which, when activated, gave APT31 members information about the locations, IP addresses, network schematics, and specific devices of the targets for use in follow-on attacks. Some of the targets of these emails included foreign government officials who were part of the Inter-Parliamentary Alliance on China, a group formed after the 1989 Tiananmen Square massacre that’s critical of the Chinese government; every European Union member of that’s a member of that group; and 43 UK parliamentary accounts part of the group or critical of the People’s Republic of China.

APT31 used a variety of methods to infect networks of interest with custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCa, and later the widely available Cobalt Strike Beacon security testing tool. In late 2016, the hacking group exploited what was then a zero-day vulnerability in unnamed software to gain access to an unidentified defense contractor. In their indictment, prosecutors wrote:

Using the zero-day privilege escalation exploit, the Conspirators first obtained administrator access to a subsidiary’s network before ultimately pivoting into the Defense Contractor’s core corporate network,” prosecutors wrote in the indictment. “The Conspirators used a SQL injection, in which they entered malicious code into a web form input box to gain access to information that was not intended to be displayed, to create an account on the subsidiary’s network with the username “testdew23.” The Conspirators used malicious software to grant administrator privileges to the “testdew23” user account. Next, the Conspirators uploaded a web shell, or a script that enables remote administration of the computer, named “Welcome to Chrome,” onto the subsidiary’s web server. Thereafter, the Conspirators used the web shell to upload and execute at least two malicious files on the web server, which were configured to open a connection between the victim’s network and computers outside that network that were controlled by the Conspirators. Through this method, the Conspirators successfully gained unauthorized access to the Defense Contractor’s network.

Other APT31 targets include military contractors and companies in the aerospace, IT services, software, telecommunications, manufacturing, and financial services industries. APT31 has long been known to target not only individuals and entities with information of primary interest but also companies or services that the primary targets rely on. Primary targets were dissidents and critics of the PRC and Western companies in possession of technical information of value to the PRC.

Prosecutors said targets successfully hacked by APT31 include:

• a cleared defense contractor based in Oklahoma that designed and manufactured military flight simulators for the US military
• a cleared aerospace and defense contractor based in Tennessee
• an Alabama-based research corporation in the aerospace and defense industries
• a Maryland-based professional support services company that serviced the Department of Defense and other government agencies
• a leading American manufacturer of software and computer services based in California
• a leading global provider of wireless technology based in Illinois; a technology company based in New York
• a software company servicing the industrial controls industry based in California
• an IT consulting company based in California; an IT services and spatial processing company based in Colorado
• a multifactor authentication company; an American trade association
• multiple information technology training and support companies
• a leading provider of 5G network equipment in the United States
• an IT solutions and 5G integration service company based in Idaho
• a telecommunications company based in Illinois
• a voice technology company headquartered in California;
• a prominent trade organization with offices in New York and elsewhere
• a manufacturing association based in Washington, DC
• a steel company
• an apparel company based in New York
• an engineering company based in California
• an energy company based in Texas
• a finance company headquartered in New York
• A US multi-national management consulting company with offices in Washington, DC, and elsewhere
• a financial ratings company based in New York
• an advertising agency based in New York
• a consulting company based in Virginia;
• multiple global law firms based in New York and throughout the United States
• a law firm software provider
• a machine learning laboratory based in Virginia
• a university based in California
• multiple research hospitals and institutes located in New York and Massachusetts
• an international non-profit organization headquartered in Washington, DC.

The defendants are:

• Ni Gaobin (倪高彬), age 38
• Weng Ming (翁明), 37
• Cheng Feng (程锋), 34
• Peng Yaowen (彭耀文), 38
• Sun Xiaohui (孙小辉), 38
• Xiong Wang (熊旺), 35
• Zhao Guangzong (赵光宗), 38

The men were charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud. While none of the men are in US custody or likely to face prosecution, the US Department of Treasury on Monday sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited. The department also designated Zhao Guangzong and Ni Gaobin for their roles in hacks targeting US critical infrastructure.

“As a result of today’s action, all property and interests in property of the designated persons and entity described above that are in the United States or in the possession or control of US persons are blocked and must be reported to OFAC,” Treasury officials wrote. “In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by US persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.”

The US State Department is offering $10 million for information leading to the identification or location of any of the defendants or others associated with the campaign.