Chinese Cyberactors Who Impersonated Lawmaker Part of Indicted Group: Researchers

The group targeted experts who might have insider information and influence over US–China trade policy.
Chinese Cyberactors Who Impersonated Lawmaker Part of Indicted Group: Researchers
Chairman of the House Select Committee on the Chinese Communist Party Rep. John Moolenaar (R-Mich.) speaks during an event in Washington on Feb. 11, 2025. Madalina Vasiliu/The Epoch Times
|Updated:
0:00
Cybersecurity researchers with Proofpoint on Sept. 16 detailed a spear phishing campaign that targeted the U.S. government, a think tank, and academic organizations, which aligns with activity that the House Select Committee on the Chinese Communist Party (CCP) disclosed recently.
The Chinese state-backed malicious cyberactor group TA415 overlaps with what other researchers track as APT41, Brass Typhoon, or Wicked Panda—a group whose members have been charged by the Justice Department for hacks into more than 100 U.S. companies.

Proofpoint researchers confirmed that TA415 impersonated the committee chair, Rep. John Moolenaar (R-Mich.), as well as the U.S.–China Business Council, in correspondence with trusted contacts.

The impersonators tried to “target a range of individuals and organizations predominantly focused on U.S.–China relations, trade, and economic policy,” according to the Proofpoint blog post, with the goal of establishing remote access to the targets’ devices without the use of malware.

TA415’s other recent campaigns tracked by Proofpoint have also been spear phishing campaigns that use legitimate services, such as Google Sheets and Google Calendar, instead of malware, researchers said.

“This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services,” researchers stated.

“[The targets] specialized in international trade, economic policy, and U.S.-China relations.”

The campaign appears to have begun in July and continued through August.

Some of the emails impersonating Moolenaar had invited targets to click on a link that purportedly led to a proposed piece of legislation, requesting their insight.

Others that appeared to come from the U.S.–China Business Council invited targets to a supposed closed-door briefing on U.S.–Taiwan and U.S.–China affairs.

The activity is similar to campaigns run by TA415 in 2024 that used malware instead, the researchers said.

In this case, targets who clicked on the links would have downloaded a password-protected archive file that would contain a decoy PDF document that was corrupted. The file would also contain other files that would execute a scheduled task named something such as GoogleUpdate or MicrosoftHealthcareMonitorNode.

This would establish remote access to the targets’ devices for the malicious cyberactors, and collect system information and the contents of user directories.

The researchers also published known emails and links used by TA415 in this campaign.

“In this case, many of the targeted entities are consistent with known Chinese intelligence collection priorities,” the Proofpoint blog post reads. “However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States.”

Moolenaar on Sept. 8 had confirmed Wall Street Journal reports of this campaign, and said in a statement that the committee had determined that the hackers were from China.

“This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” Moolenaar said in a statement. “We will not be intimidated, and we will continue our work to keep America safe.”

The committee noted that it had seen a similar campaign target staffers in January, in the midst of a confidential investigation into the Chinese state-owned port machinery company Shanghai Zhenhua Heavy Industries.

According to a federal indictment, the cybergroup operates out of Chengdu, in Sichuan Province, China, and claimed connections to China’s Ministry of State Security, the regime’s spy agency.

From August 2019 to August 2020, hackers with this group penetrated more than 100 targets including telecom providers, social media companies, software development companies, computer hardware manufacturers, critics of the CCP, nonprofits, universities, think tanks, and foreign governments.

Google LogoMark Us Preferred on Google
Catherine Yang
Catherine Yang
Author
Catherine Yang has been with The Epoch Times in New York since 2008. She also launched and previously served as chief editor of American Essence magazine and Epoch Health.