US authorities charge seven over Chinese hacking

The US Department of Justice has charged seven Chinese nationals linked to the APT31 threat actor that targeted politicians in the UK and US

The US Department of Justice (DoJ) has unsealed an indictment charging seven Chinese nationals with conspiracy to commit computer intrusions and conspiracy to commit wire fraud, alleging their involvement in the state-backed APT31 hacking group over a 14-year period.

Concurrent with new sanctions issued today by deputy prime minister Oliver Dowden, APT31 is accused by the Americans of a wide-ranging campaign of espionage furthering the intelligence objectives of the Chinese government.

Those named are Ni Gaobin, 38; Weng Ming, 37; Cheng Feng, 34; Peng Yaowen, 38; Sun Xiaohui, 38; Xiong Wang, 35; and Zhao Guangzong, 38. All are believed to be located in China, and it is highly unlikely they will face a court.

“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged in today’s indictment, this prolific global hacking operation – backed by the People’s Republic of China government – targeted journalists, political officials and companies to repress critics of the Chinese regime, compromise government institutions and steal trade secrets,” said US deputy attorney general Lisa Monaco.

“The Department of Justice will relentlessly pursue, expose and hold accountable cyber criminals who would undermine democracies and threaten our national security.”

Attorney general Merrick Garland added: “The Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses.

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies.”

The US said it was pulling back the curtain on China’s vast hacking operation, underscoring the need to remain vigilant to cyber security threats and cyber-enabled malign influence campaigns, especially in the run-up to the fraught presidential election in November 2024, which will be a rematch of the 2020 contest between Joe Biden and Donald Trump.

The DoJ said it would continue to leverage all possible tools to disrupt malicious cyber actors threatening both US and global security.

Wuhan-based hackers

The defendants allegedly worked alongside dozens of identified Chinese Ministry of State Security intelligence officers, contractors and support personnel, as part of a cyber espionage programme run out of the city of Wuhan, under the auspices of the Hubei State Security Department. Their activities were concealed through two front companies known as Wuhan XRZ and Wuhan Liuhe.

APT31’s activity allegedly dates back at least to 2010, and the defendants are thought to have been involved in global hacking campaigns since then, targeting political dissidents and their supporters both inside and outside of China, government and political officials, political candidates and campaign officials, and companies, particularly in the tech sector. They are thought to have notched up thousands of victims around the world, including the UK’s Electoral Commission where they accessed records of millions of UK voters.

Often, their attacks began with phishing emails purporting to be from legitimate news outlets and journalists, frequently containing genuine news articles. However, said the DoJ, these malicious emails contained hidden tracking links that returned information on the recipient – such as their location, IP address, network schematics and device information – to APT31’s command and control infrastructure.

This data was then used to enable more direct and sophisticated targeted hacking, including against the recipients’ home broadband equipment and personal devices.

Once a victim was compromised, APT31 used living-off-the-land techniques and zero-day exploits to maintain persistence and delve deeper into the victim’s network, resulting in the confirmed compromise of economic plans, intellectual property, trade secrets, and more besides.

Adam Marrè, chief information security officer at Arctic Wolf and a former FBI agent, commented: “Anyone who has worked in cyber security for any amount of time will not be at all surprised by this report… China has been conducting industrial levels of cyber crime and cyber attacks on western governments, individuals and businesses for dozens of years. Beijing continues to see cyber as a natural extension of their statecraft and have seldom been afraid to utilise cyber techniques to further their own national interests. 

“2024 will see multiple influential elections, not least in the UK and US, and it is therefore more important than ever that governments and law enforcement are on standby for actions by China and other nation-states looking to utilise cyber techniques to destabilise rivals and erode their power.”

Marrè said it was good to see governments being more transparent about the risks actors like APT31 pose to democratic processes, and good to know law enforcement agencies are actively working to combat these risks.

“Doing so is critical to preserving and increasing trust in the election system and protecting our vital democracies,” he said.
