The US Department of Justice (DoJ) on Monday unsealed charges against seven Chinese nationals for their roles in a hacking ring that targeted critics, journalists, businesses and political figures in the US and abroad over a period of nearly 14 years.
The defendants are Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).
The suspects are charged with conspiracy to commit computer intrusion and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgment Panda, Violet Typhoon, and Zirconium. The group has been active since at least 2010.
Federal prosecutors said the defendants' roles included testing and exploiting the malware used to carry out the intrusions, managing the attack infrastructure, and conducting surveillance of certain U.S. companies, all in furtherance of China's economic espionage and foreign intelligence objectives.
Both Gaobin and Guangzong have ties to Wuhan Xiaoruizhi Science and Technology Co., Ltd. (Wuhan XRZ), a front company that is said to have conducted several malicious cyber operations for the Ministry of State Security (MSS).
Intrusion Truth characterized Wuhan XRZ in a report published in May 2023 as “a sketchy company in Wuhan looking for vulnerability miners and foreign language experts.”
The UK and US have also announced rewards of up to $10 million for information that could lead to the identification or location of people linked to APT31, and have imposed sanctions on Gaobin, Guangzong, and Wuhan XRZ for endangering national security and targeting parliamentarians around the world.
“These allegations involve sensitive data from U.S. elected officials, journalists, and academics, valuable information from U.S. companies, and targeting political dissidents in the U.S. and abroad,” said U.S. Attorney Breon Peace. “This will bring an end to China's massive illegal hacking operation.”
“Their evil plan cost thousands of people and organizations around the world and lasted more than a decade.”
The operation involved sending more than 10,000 emails to targets of interest that contained hidden tracking links. Merely opening such a message leaked the recipient's location, Internet Protocol (IP) address, network layout, and the specific devices used to access the email account to the defendants and other APT31 members.
The attackers could then use this information to mount more targeted follow-on attacks tailored to specific individuals, such as compromising the recipients' home routers and other electronic devices.
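The tracking-link technique described above is something mail-side defenses can flag before a message is rendered. As an added example (not from the article or the indictment), this Python script parses a constructed HTML email and lists every remote resource a mail client would fetch on open, marking hidden one-pixel images and per-recipient query tokens; the sample message, hostnames and token are made up.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a remote image and link carry a per-recipient
# token, which is the shape a tracking beacon typically takes.
SAMPLE_EMAIL = b"""From: sender@example.com
To: target@example.org
Subject: Conference agenda
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the agenda below.</p>
<img src="https://cdn.example.net/pixel.gif?uid=7f3a9c" width="1" height="1">
<a href="https://cdn.example.net/agenda?uid=7f3a9c">Download</a>
<img src="cid:logo" alt="logo">
</body></html>
"""

class RemoteResourceParser(HTMLParser):
    """Collects resources that would be fetched from a remote host on render."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in ("img", "script", "iframe") else a.get("href") if tag == "a" else None
        if not url:
            return
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            return  # cid: and data: URIs never reach a remote server
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({"tag": tag, "host": parsed.netloc,
                              "has_query": bool(parsed.query), "hidden_pixel": tiny})

def find_remote_resources(raw: bytes) -> list:
    """Return every remote resource referenced by the HTML body of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = RemoteResourceParser()
    parser.feed(body.get_content())
    return parser.findings

def is_beacon(finding: dict) -> bool:
    """An auto-loaded image that is invisible or carries a token is a likely beacon."""
    return finding["tag"] == "img" and (finding["hidden_pixel"] or finding["has_query"])
```

Links (`<a href>`) only fire when clicked, so the image beacon is the one that leaks on open; a gateway that rewrites or blocks auto-loaded remote images removes that channel.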
The attackers also used zero-day exploits to maintain persistent access to victims' computer networks, giving them reach into phone records, cloud storage accounts, personal emails, financial plans, intellectual property, and trade secrets tied to U.S. companies, which were stolen or put at risk of theft.
Other spear-phishing campaigns organized by APT31 targeted U.S. government employees at the White House and the Departments of Justice, Commerce, Treasury, and State, as well as U.S. senators and representatives and campaign staff from both political parties.
These attacks were facilitated by custom malware such as RAWDOOR, Trochilus, EvilOSX, and DropDoor/DropCat, which establishes a secure connection to an adversary-controlled server to receive and execute commands on the victim's machine. A cracked version of Cobalt Strike Beacon was also used for post-exploitation activity.
Prominent sectors targeted by the group include defence, information technology, telecommunications, manufacturing and trade, finance, consulting, legal and research industries. APT31 also targeted dissidents and people believed to support dissidents around the world.
“APT31 is a collection of Chinese state-sponsored intelligence agents, contract hackers, and support staff conducting malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury Department said.
“In 2010, HSSD established Wuhan XRZ as a front company to conduct cyber operations. Individuals and companies operating in areas of national importance were subject to surveillance.”
“Chinese state-sponsored cyber espionage is not a new threat, and today's unsealed indictment from the Department of Justice lays out the full strategy of their cyber operations to advance the policies of the People's Republic of China (PRC). While this is not a new threat, the scope of the espionage effort and the tactics deployed are concerning,” said Alex Rose, Director of Government Partnerships at the Secureworks Counter Threat Unit.
“China has evolved a typical MO in recent years to avoid detection and make it difficult to attribute certain cyberattacks to China. It is part of a broader strategic effort. The skills, resources, and tactics at China's disposal continue to make it an advanced and persistent threat to governments, businesses, and organizations around the world.”
The charges came after the British government accused APT31 of a “malicious cyber campaign” targeting the country's Electoral Commission and politicians. The Electoral Commission breach resulted in unauthorized access to the data of 40 million voters.
Although the incident was made public by regulators in August 2023, there is evidence that threat actors gained access to the system two years earlier.
However, China rejects the accusations, saying they are “completely fabricated” and amount to “malicious slander.” A spokesperson for the Chinese embassy in Washington, D.C., told BBC News that both countries were “making baseless accusations.”
“Tracking the source of a cyberattack is extremely complex and sensitive. When investigating and determining the nature of a cyber incident, it is important not to smear another country when no facts exist, let alone politicize cybersecurity issues. We need to obtain appropriate and objective evidence, rather than relying on information,” Foreign Ministry spokesperson Lin Jian said.
“We hope that the relevant parties will stop spreading disinformation, adopt a responsible attitude, and jointly protect peace and security in cyberspace. China opposes illegal and unilateral sanctions, and supports legitimate rights and interests. We will resolutely protect it.”