US Charges 4 Chinese Nationals Working With Spy Agency in Global Hacking Campaign

Four Chinese nationals working with China’s top intelligence agency have been charged in a global hacking campaign to steal trade secrets and sensitive information from companies, universities, and government bodies.

The charges were announced as the United States and allies, in a coordinated push on July 18, condemned the Chinese regime for sponsoring “malicious” cyberattacks against targets around the world. China’s Ministry of State Security (MSS), the regime’s chief intelligence agency, is behind the deployment of these hackers, they said. The United States also attributed the massive hack of Microsoft disclosed earlier this year to hackers working for the MSS.

The defendants and officials in the Hainan State Security Department, a provincial arm of the MSS, attempted to hide the Chinese regime’s role in the hacks by using a front company, according to the indictment, which was returned in May and unsealed on July 16.

The campaign, active from 2011 to 2018, targeted trade secrets in an array of industries, including aviation, defense, education, government, health care, biopharmaceutical, and maritime industries, the Justice Department stated.

Victims of the hacks include entities in Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, the UK, and the United States.

Prosecutors allege that the hackers stole foreign information to help Chinese state-owned companies secure contracts in the targeted companies, such as a large high-speed railway project. The group also targeted research institutes and universities for infectious-disease research relating to Ebola, MERS, HIV/AIDS, Marburg, and tularemia, according to the Justice Department.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy U.S. Attorney General Lisa Monaco said in the statement.

It said the two-count indictment alleges that Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin were HSSD officers responsible for coordinating computer hackers and linguists at the front companies.

“The United States and countries around the world are holding the People’s Republic of China accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Anthony Blinken said in a July 19 statement.

The MSS is behind the deployment of these hackers, senior administration officials said on July 18. And their targets include managed service providers, semiconductor companies, defense corporations, universities, and medical institutions, according to a U.S. government cybersecurity advisory.

“These cyber operations support China’s long-term economic and military development objectives,” the advisory stated.

The Chinese Communist Party has set out different policies and industrial road maps with the goal of achieving “socialist modernization” by 2035 and becoming a “global leader in innovation.”

Some of the cyberattacks are ransomware operations, which involve malicious actors encrypting victims’ data and making it inaccessible. The actors then demand ransom in exchange for decryption. According to officials, some private companies were asked to pay millions of dollars after being hit with China’s ransomware operations.

The new revelations on China’s long track record of malicious cyber activities drew joint condemnation from multiple countries, including the UK, Australia, Canada, New Zealand, and Japan, as well as from the European Union and NATO.

“We’re making it clear to China that for as long as these irresponsible, malicious cyber activities continue, it will unite countries around the world who are all victims to call them out, promote network defense, and cybersecurity working together in that way,” Biden administration officials said.

In response to China’s new cyber threats, the officials explained that the Five Eyes countries—the United States, Canada, the UK, Australia, and New Zealand—along with Japan, the EU, and NATO, would work together on information sharing and expanding diplomatic engagement to “strengthen our collective cyber resilience and security cooperation.” They expect more countries to join the cooperation in the coming weeks.

The senior officials also said that they had “high confidence” that the Chinese regime was responsible for the cyberattack against Microsoft, saying that “malicious cyber actors” affiliated with the MSS exploited zero-day vulnerabilities in the U.S. tech giant’s Exchange Server software, compromising tens of thousands of systems globally.

“We’ve raised our concerns about both the Microsoft incident and the PRC’s [People’s Republic of China] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the senior U.S. officials said.

“The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”

“By exposing the PRC’s malicious activity with allies and partners, we’re continuing the administration’s efforts to inform and empower system owners and operators to act at home and around the world,” the senior U.S. officials said.

China’s state-sponsored cyber actors are known to mask their identities through virtual private servers, as well as by evading detection by using small office and home office (SOHO) broadband routers.

Among the different Microsoft products targeted were Microsoft 365, Outlook Web Access, and the Exchange Offline Address Book.

These actors are also known to be carrying out spearphishing campaigns—sending out infected emails with a malicious link or attached files—in order to gain control of the victim’s device.