US Indicts 4 Chinese Nationals for Lengthy Hacking CampaignAll Aligned With China's Ministry of State Security
Four Chinese nationals working with the nation's Ministry of State Security, the civilian intelligence, security and secret police agency, have been indicted in connection with an alleged hacking campaign conducted from 2011 to 2018 that targeted universities and government entities to obtain trade secrets, medical research and other intellectual property, according to an indictment unsealed Friday by the U.S. Department of Justice.
If convicted on charges of conspiracy to commit computer fraud and conspiracy to commit economic espionage, the defendants face up to 20 years in prison. But because China does not have an extradition treaty with the U.S., it's unlikely they will ever face the charges.
Nevertheless, the indictment is significant because "the Chinese have just been made aware that we can identify individual actors that have worked on cyber tools and campaigns," says Mike Hamilton, former Department of Homeland Security vice-chair for the State, Local, Tribal Territorial Government Coordinating Council.
"So they know we know, and will hopefully see that further action will publicly implicate the regime," says Hamilton, founder and CISO for security firm Critical Insight.
Concealing Government's Role
The indictment alleges that the defendants, who worked with China's Hainan State Security Department, or HSSD - a unit of the Ministry of State Security, or MSS, "sought to obfuscate the Chinese government's role" in the information theft through the use of a front company - now disbanded - called Hainan Xiandun Technology Development Co. The criminal gang operated out of Haikou in China's southern Hainan Province with support from state-owned and sponsored organizations, according to the indictment.
On Monday, the Biden administration also formally accused the MSS of carrying out a series of attacks against vulnerable Microsoft Exchange email servers earlier this year that affected thousands of organizations in the U.S. as well as around the world. The administration says it has "a high degree of confidence" that attackers associated with MSS conducted the global Exchange campaign (see: US: Chinese Government Waged Microsoft Exchange Attacks).
The indictment unsealed Friday is separate and not tied to the Exchange incident nor ransomware attacks that have also been attributed to MSS.
The four defendants indicted allegedly targeted the aviation, defense, education, government, healthcare, biopharmaceutical and maritime sectors, among others. The global hacking campaign targeted victims in the U.S., Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the U.K., the indictment says.
The indictment alleges that Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin - all HSSD officers - were responsible for coordinating, facilitating and managing computer hackers and linguists for MSS front companies, including Hainan Xiandun - to hack systems "for the benefit of China." Wu Shurong, a Hainan Xiandun hacker, allegedly created malware, hacked into the systems of foreign governments, companies and universities, and supervised other hackers.
The Chinese hacking group had previously been identified by private sector researchers as APT 40, also known as Bronze, Mohawk, Feverdeam, Goo65, Gadolinium, GreenCrash, HellSing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp. Periscope and Temp.Jumper.
U.S. prosecutors say that in some cases, the APT group targeted research institutions and universities to obtain infectious disease research - including on Ebola and HIV/AIDS. Prosecutors also say the three charged MSS officers coordinated with staff and professors at universities in China "to further the conspiracy's goals." One institution helped manage the MSS front company Hainan Xiandun, prosecutors say.
The hackers also stole trade secrets and confidential business information - ranging from details around submersibles and autonomous vehicles, plus chemical formulas, aircraft servicing and genetic-sequencing technology and data, the indictment says.
“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” says Deputy Attorney General Lisa O. Monaco. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe.”
To gain initial network access, those indicted sent fraudulent spear-phishing emails backed by fictitious online profiles with links to doppelganger domain names - mimicking legitimate companies, DOJ alleges. The APT group also allegedly developed sophisticated malware to obtain, expand and maintain unauthorized network access.
The group's malware has been identified by researchers as Badflick, aka GreenCrash; Photo, aka Derusbi; Murkytop, aka mt.exe; and Homefry, aka dp.dll. Researchers claim the malware allowed for both initial and continued intrusions into victims' systems, lateral movement within a system and theft of credentials, including administrative privileges.
The operators also allegedly used anonymizer services, including The Onion Router, or TOR, to access malware on victims' networks and manage their infrastructure, according to DOJ. In obscuring its hacking activities, the group used GitHub to store malware and stolen data. The group also used Dropbox Application Programming Interface keys in commands to upload stolen data directly to accounts controlled by the group - making exfiltration appear outwardly legitimate to network defenders, prosecutors allege.
“The FBI, alongside our federal and international partners, remains committed to imposing risk and consequences on these malicious cyber actors here in the U.S. and abroad," says FBI Deputy Director Paul M. Abbate. "We will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage for its companies and commercial sectors through criminal intrusion and theft."
In a statement Monday, the Biden administration notes: "Much of the MSS activity alleged in the Department of Justice’s charges stands in stark contrast to [China's] bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage."
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency also released a joint advisory Monday containing technical details, indicators of compromise and mitigation measures for Chinese hacking.
The indictments helps to illustrate the extent of China's cyber capabilities, says Ben Read, director of analysis at Mandiant Threat Intelligence.
"The indictment highlights the significant threat to multiple businesses from Chinese espionage," Read says. "The group's focus on biomedical research shows that emerging technologies are still a key target for Chinese espionage. Alongside that, the theft of negotiating strategies underscores the risk posed to all companies doing business with China, not just those with high-value intellectual property."