US Charges 5 Chinese Nationals With Hacking More Than 100 Companies, Entities Worldwide

September 16, 2020 Updated: September 16, 2020

Five Chinese nationals and two Malaysians have been indicted on charges relating to sprawling hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide, the U.S. Justice Department announced on Sept. 16.

The five Chinese nationals are part of a hacker group known as “APT41” that stole source code, consumer data, and business information from victims in the United States and abroad, across a range of sectors including tech companies, universities, foreign governments, and pro-democracy proponents in Hong Kong, the department said.

Cybersecurity researchers have described APT41’s recent activities as “one of the broadest campaigns by a Chinese cyber espionage actor in recent years.”

In an effort to make more money, two of the Chinese hackers compromised the networks of video game companies to steal in-game resources, such as video game currency, which they later sold on the black market with the help of two Malaysian businessmen, Wong Ong Hua, 46, and Ling Yang Ching, 32. They were arrested in Malaysia on Sunday upon an extradition request by the United States and now face extradition proceedings.

The five Chinese nationals, Zhang Haoran, 35, Tan Dailin, 35, Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang, 37, remain at-large in China. The seven defendants were charged in three separate indictments unsealed on Sept. 16.

The charges were unveiled less than two months after the department announced an indictment against two Chinese hackers accused of a decade-long campaign to steal trade secrets from defense contractors and hundreds of firms around the world, as well as attempting to acquire COVID-19-related research. They come as the Trump administration broadens its actions countering Chinese state-sanctioned theft of American intellectual property and personal information.

“The scope and sophistication of the crimes in these unsealed indictments is unprecedented,” Michael R. Sherwin, Acting U.S. Attorney for the District of Columbia, said in a statement.

Deputy Attorney General Jeffrey A. Rosen criticized the Chinese regime for not cooperating with U.S. authorities to take action against the Chinese defendants. 

“The Chinese Government has made a deliberate choice to allow its citizens to commit computer intrusions and attacks around the world because these actors will also help the PRC,” Rosen said at a press conference on Wednesday, referring to the People’s Republic of China. 

“No country can be respected as a global leader while paying only lip service to the rule of law and without taking steps to disrupt brazen criminal acts like these,” he added.

According to one indictment, one of the Chinese hackers, Jiang, had boasted to an associate that he was “very close” to the Ministry of State Security, China’s top intelligence agency, and would be protected “unless something very big happens.” The hacker and his associate agreed not to “touch domestic stuff anymore,” to avoid getting caught under the crosshairs of Chinese police.

“Some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe,” Sherwin said. 

Prosecutors said APT41 deployed sophisticated techniques to hack into victim networks. In one method known as “supply chain attack,” the cyber group targeted software providers around the world and hacked into their code to install backdoors, which then allowed then to hack customers who installed the software.

Federal authorities, through seizure warrants, were also able to block the hackers from accessing online tools used for their campaigns, such as servers, accounts, and domain names.

Authorities also worked with Microsoft to develop technical measures to prevent the hackers from accessing victims’ computer systems, the department said, adding that the company’s actions “were a significant part” in overall efforts to neutralize them.

In March, U.S. cybersecurity firm FireEye said that it detected a surge in new cyberspying by APT41 back in late January, when the CCP Virus began to spread beyond China. The firm said the group targeted more than 75 of its customers, from manufacturers and media companies to healthcare organizations and nonprofits.

In another report in November 2019, FireEye said APT41 hacked several major telecom firms to obtain text messages and call records of “high-value” targets, such as politicians, intelligence organizations, and political movements at odds with the Chinese regime.

Follow Cathy on Twitter: @CathyHe_ET