Four Chinese nationals working with China’s top intelligence agency have been charged in a global campaign hacking campaign to steal trade secrets and sensitive information from companies, universities, and government bodies.
The charges were announced as the United States and allies in a coordinated push on Monday condemned the Chinese regime for sponsoring “malicious” cyberattacks against targets around the world. China’s Ministry of State Security (MSS), the regime’s chief intelligence agency, is behind the deployment of these hackers, they said. The United States also attributed the massive hack of Microsoft disclosed earlier this year to hackers working for the MSS.
The hackers charged were sponsored by the MSS and focused their theft on information that would significantly benefit Chinese companies, such as research and development processes, according to a statement by the Justice Department.
The defendants and officials in the Hainan State Security Department, a provincial arm of the MSS, tried to hide the Chinese regime’s role in the hacks by using a front company, according to the indictment, which was returned in May and unsealed Friday.
The campaign, active from 2011 to 2018, targeted trade secrets in an array of industries including aviation, defense, education, government, health care, biopharmaceutical, and maritime industries, the Justice Department said.
Victims were in Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, the United Kingdom, and the United States.
Prosecutors allege the hackers stole foreign information to help Chinese state-owned companies to secure contracts in the targeted companies, such as a large high-speed railway project. The group also targeted research institutes and universities for infectious-disease research relating to Ebola, MERS, HIV/AIDS, Marburg and tularemia, the department said.
“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy U.S. Attorney General Lisa Monaco said in the statement.
It said the two-count indictment alleges that Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were HSSD officers responsible for coordinating computer hackers and linguists at the front companies.
The fourth defendant, Wu Shurong, an employee at front company Hainan Xiandun Technology Development Co. Ltd., “created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers,” the Justice Department said.
On Monday, the Biden administration, together with a group of allies, criticized the communist regime for its sweeping global hacking campaign that employed contract hackers.
“The United States and countries around the world are holding the People’s Republic of China accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” U.S. Secretary of State Anthony Blinken said in a statement on July 19.
The MSS, the regime’s chief intelligence agency, is behind the deployment of these hackers, senior administration officials said on July 18. And their targets include managed service providers, semiconductor companies, defense corporations, universities, and medical institutions, according to a U.S. government cybersecurity advisory.
“These cyber operations support China’s long-term economic and military development objectives,” the advisory explained.
The Chinese Communist Party (CCP) has set out different policies and industrial road maps with the goal of achieving “socialist modernization” by 2035 and becoming a “global leader in innovation.”
Some of the cyberattacks are ransomware operations, which involve malicious actors encrypting victims’ data and making it inaccessible. The actors then demand ransom in exchange for decryption. According to the officials, some private companies were asked to pay millions of dollars after being hit with China’s ransomware operations.
The new revelations on China’s long track record of malicious cyber activities drew joint condemnation from multiple countries, including the United Kingdom, Australia, Canada, Japan, New Zealand, and Japan, as well as from the European Union and NATO.
“We’re making it clear to China that for as long as these irresponsible, malicious cyber activities continue, it will unite countries around the world who are all victims to call them out, promote network defense and cybersecurity working together in that way,” said Biden administration officials.
In response to China’s new cyberthreats, the officials explained the Five Eyes countries, Japan, the EU, and NATO, would work together on information sharing and expanding diplomatic engagement to “strengthen our collective cyber resilience and security cooperation.” They expect more countries to join the cooperation in the coming weeks.
It marks the first time that NATO has publicly condemned China’s cyber activities, the Biden officials explained, as the transatlantic alliance adopted a new cyber defense policy in June. It states that a cyberattack against a NATO member is considered an attack against all members, and actions will be considered accordingly to respond.
The senior officials also said that they had “high confidence” that the Chinese regime was responsible for the cyberattack against Microsoft, saying that “malicious cyber actors” affiliated with the MSS exploited zero-day vulnerabilities in the U.S. tech giant’s Exchange Server software, compromising tens of thousands of systems globally.
In March, Microsoft announced that Hafnium, a state-sponsored hacking group operating from China, was responsible for hacking into its email and calendar server. Security experts estimated at the time that at least 30,000 organizations in the United States were hacked.
“We’ve raised our concerns about both the Microsoft incident and the PRC’s [People’s Republic of China] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the senior U.S. officials said.
“The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”
Beijing has previously rejected Microsoft’s claims, saying that companies and media should not “make groundless accusations.”
China’s Cyber Tactics
The cybersecurity advisory outlined Beijing’s tactics and techniques, and provided recommendations on how to shore up computer systems.
“By exposing the PRC’s malicious activity with allies and partners, we’re continuing the administration’s efforts to inform and empower system owners and operators to act at home and around the world,” the senior U.S. officials said.
China’s state-sponsored cyber actors are known to mask their identities through virtual private servers, as well as evading detection by using small office and home office (SOHO) broadband routers.
These actors “consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure,” according to the advisory. They have sought to exploit flaws in applications including Microsoft products, Apache, F5 Big-IP, and Pulse Secure.
In April, California-based cybersecurity firm FireEye issued a report saying that Chinese hackers had exploited Pulse Secure’s virtual private network in order to gain access to government agencies and companies in the United States and Europe. The hackers were suspected to be working for the Chinese regime and had ties to APT5, one of the Chinese advanced persistent threat groups.
Among the different Microsoft products targeted include Microsoft 365, Outlook Web Access, and the Exchange Offline Address Book.
These actors are also known to be carrying out spearphishing campaigns—sending out infected emails with a malicious link or attached files—in order to gain control of the victim’s device.
The advisory offers several mitigation choices, including using a network intrusion detection and prevention system, and monitoring common ports and protocols for command and control activity.