The U.S. Department of Justice (DoJ) has announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally.
The individuals include two officers of the People’s Republic of China’s (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as i-Soon, and members of Advanced Persistent Threat 27 (APT27, aka Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger) –
- Wu Haibo (吴海波), Chief Executive Officer
- Chen Cheng (陈诚), Chief Operating Officer
- Wang Zhe (王哲), Sales Director
- Liang Guodong (梁国栋), Technical Staff
- Ma Li (马丽), Technical Staff
- Wang Yan (王堰), Technical Staff
- Xu Liang (徐梁), Technical Staff
- Zhou Weiwei (周伟伟), Technical Staff
- Wang Liyu (王立宇), MPS Officer
- Sheng Jing (盛晶), MPS Officer
- Yin Kecheng (尹可成), APT27 actor aka “YKC”
- Zhou Shuai (周帅), APT27 actor aka “Coldface”
“These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security (MSS) and on their own initiative,” the DoJ said. “The MPS and MSS paid handsomely for stolen data.”
Court documents reveal that the MPS and MSS employed a network of private companies and contractors in China to indiscriminately infiltrate companies and steal data, while also obscuring the involvement of the government.
The eight i-Soon employees, alongside two MPS officers, have been accused of breaking into email accounts, cell phones, servers, and websites from at least in or around 2016 through in or around 2023.
The U.S. Federal Bureau of Investigation (FBI), in a court filing, said the activities associated with i-Soon are tracked by the cybersecurity community under the monikers Aquatic Panda (aka RedHotel), while APT27 overlaps with that of Silk Typhoon, UNC5221, and UTA0178.
The agency further pointed out that the Chinese government is using formal and informal connections with freelance hackers and information security companies to compromise computer networks worldwide.
Separately, the U.S. Department of State’s Rewards for Justice (RFJ) program has announced a reward of up to $10 million for information leading to the identification or location of any person who engages in malicious cyber activities against U.S. critical infrastructure while acting under the direction of a foreign government.
The DoJ further noted that i-Soon and its employees generated tens of millions of dollars in revenue, making the company a key player in the PRC hacker-for-hire ecosystem. It’s estimated to have charged anywhere between $10,000 and $75,000 for each email inbox it successfully exploited.
“In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants,” the department said.
“In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China.”
Targets of i-Soon’s attacks included a large religious organization in the United States, critics and dissidents of the PRC government, a state legislative body, United States government agencies, the ministries of foreign affairs of multiple governments in Asia, and news organizations.
An additional monetary reward of up to $2 million each has been announced for information leading to the arrests and/or convictions of Shuai and Kecheng, who are accused of participating in a years-long, sophisticated computer hacking conspiracies to breach U.S. victim companies, municipalities, and organizations for profit from 2011, and steal data after establishing persistent access via the PlugX malware.
Concurrent to the charges, the DoJ has also announced the seizure of four domains linked to i-Soon and the APT27 actors.
- ecoatmosphere.org
- newyorker.cloud
- heidrickjobs.com, and
- maddmail.site
“i-Soon’s victims were of interest to the PRC government because, among other reasons, they were prominent overseas critics of the PRC government or because the PRC government considered them threatening to the rule of the Chinese Communist Party,” the DoJ said.
The company is also said to have trained MPS employees how to hack independently of i-Soon and provided for sale various hacking methods that it described as an “industry-leading offensive and defensive technology” and a “zero-day vulnerability arsenal.”
Advertised among the tools was a software called the “Automated Penetration Testing Platform” that’s capable of sending phishing emails, creating files with malware that provide remote access to victims’ computers upon opening, and cloning websites of victims in an attempt to trick them into providing sensitive information.
Another of i-Soon’s offerings is a password-cracking utility known as the “Divine Mathematician Password Cracking Platform” and a program engineered to hack into various online services like Microsoft Outlook, Gmail, and X (formerly Twitter), among others.
“With respect to Twitter, i-Soon sold software with the capability to send a victim a spear phishing link and then to obtain access to and control over the victim’s Twitter account,” the DoJ explained.
“The software had the ability to access Twitter even without the victim’s password and to bypass multi-factor authentication. After a victim’s Twitter was compromised, the software could send tweets, delete tweets, forward tweets, make comments, and like tweets.”
The purpose of the tool, referred to as “Public Opinion Guidance and Control Platform (Overseas),” was to let the company’s customers leverage the network of hacked X accounts to understand public opinion outside of China.
“The charges announced today expose the PRC’s continued attempts to spy on and silence anyone it deems threatening to the Chinese Communist Party,” Acting Assistant Director in Charge Leslie R. Backschies said in a statement.
“The Chinese government tried to conceal its efforts by working through a private company, but their actions amount to years of state-sponsored hacking of religious and media organizations, numerous government agencies in multiple countries, and dissidents around the world who dared criticize the regime.”
