CYBINT/DNINT UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians

Bogeyman 
APT31, a China state-affiliated actor, was almost certainly responsible for targeting UK parliamentarians’ emails in 2021.

25 March 2024

  • GCHQ’s National Cyber Security Centre assesses China state-affiliated actor APT31 was almost certainly responsible for targeting UK parliamentarians’ emails in 2021.
  • The compromise of the UK Electoral Commission’s systems has also been attributed to a China state-affiliated actor in a separate instance of malicious activity.
  • Organisations and individuals involved in democratic processes urged to follow NCSC advice to bolster their security in face of cyber threats.
The UK government has called out China state-affiliated actors today (Monday) for carrying out malicious cyber activity targeting UK institutions and individuals important to our democracy.

The National Cyber Security Centre – a part of GCHQ – assesses that the China state-affiliated cyber actor APT31 was almost certainly responsible for conducting online reconnaissance activity in 2021 against the email accounts of UK parliamentarians, most of whom have been prominent in calling out the malign activity of China.

Separately, the compromise of computer systems at the UK Electoral Commission between 2021 and 2022 has also been attributed to a China state-affiliated actor. The NCSC assesses it is highly likely the threat actors accessed and exfiltrated email data, and data from the Electoral Register during this time.

The data, in combination with other data sources, would highly likely be used by the Chinese intelligence services for a range of purposes, including large-scale espionage and transnational repression of perceived dissidents and critics in the UK.

To help bolster the UK’s cyber resilience, the NCSC has today published updated guidance in its Defending Democracy collection for political organisations – such as parties and thinktanks – and organisations coordinating the delivery of elections, with advice on how to reduce the likelihood of cyber attacks.

Paul Chichester, NCSC Director of Operations, said:

“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world.

“The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.

“It is vital that organisations and individuals involved in our democratic processes defend themselves in cyberspace and I urge them to follow and implement the NCSC’s advice to stay safe online.”

The cyber campaign against the parliamentary email accounts of members across both Houses of Parliament was identified and successfully mitigated by Parliament’s Security Department before any accounts could be compromised.

The compromise of systems at the UK Electoral Commission was made public last year after steps had been taken to remediate and recover, with support from the NCSC.

The publication of new Defending Democracy guidance follows the release of fresh advice for high-risk individuals published in December.

The newly issued guidance for political organisations offers advice to help IT practitioners implement security measures that will help prevent common cyber attacks. These include: putting controls in place to defend against spear-phishing and DDoS attacks and setting up multi-factor authentication on cloud- and internet-connected services.

Meanwhile the guidance for organisations involved in coordinating elections, such as local authorities, advises on steps to take to protect electoral management systems.

The NCSC has previously warned about the threat from China state-linked cyber capabilities, including from APT31, which the UK linked to the Chinese Ministry of State Security in 2021 following the compromise of Microsoft Exchange Server.

More recently, the NCSC has warned about China state-sponsored actors using living off the land techniques to evade detection on compromised critical infrastructure networks.



Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians

March 25, 2024


Defendants Operated as Part of the APT31 Hacking Group in Support of China’s Ministry of State Security’s Transnational Repression, Economic Espionage and Foreign Intelligence Objectives
BROOKLYN, NY – An indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.
The defendants are Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).
Merrick B. Garland, United States Attorney General; Breon Peace, United States Attorney for the Eastern District of New York; Lisa O. Monaco, United States Deputy Attorney General; Matthew G. Olsen, Assistant Attorney General of the Justice Department’s National Security Division; James Smith, Assistant Director-in-Charge, Federal Bureau of Investigation, New York Field Office (FBI), and Robert W. “Wes” Wheeler, Jr., Special Agent-in-Charge, FBI, Chicago Field Office (FBI), announced the indictment.
“The Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses,” said Attorney General Merrick B. Garland. “This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies.”
“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad. Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade,” stated U.S. Attorney Peace. “America’s sovereignty extends to its cyberspace. Today’s charges demonstrate my Office’s commitment to upholding and protecting that jurisdiction, and to putting an end to malicious nation state cyber activity.”
“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged in today’s indictment, this prolific global hacking operation – backed by the PRC government – targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” said Deputy Attorney General Lisa Monaco. “The Department of Justice will relentlessly pursue, expose, and hold accountable cyber criminals who would undermine democracies and threaten our national security.”
“The indictment unsealed today, together with statements from our foreign partners regarding related activity, shed further light on the PRC Ministry of State Security’s aggressive cyber espionage and transnational repression activities worldwide,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Today’s announcements underscore the need to remain vigilant to cybersecurity threats and the potential for cyber-enabled foreign malign influence efforts, especially as we approach the 2024 election cycle. The Department of Justice will continue to leverage all tools to disrupt malicious cyber actors who threaten our national security and aim to repress fundamental freedoms worldwide.”
“These defendants were part of a Chinese government sponsored hacking group, targeting U.S. businesses and U.S. political officials for intrusion for over a decade as part of a larger, malicious global campaign. These charges are yet another example of hostile actions taken by the PRC to attack not only American businesses and infrastructure, but the security of our nation. FBI New York is united with our partners - internationally, federally, and the private sector – to protect our common goals and ideals from antagonistic nation state actors,” stated FBI Assistant Director-in-Charge Smith.
“APT31 Group’s practices further demonstrate the size and scope of the PRC’s state-sponsored hacking apparatus,” said Robert W. “Wes” Wheeler, Jr., Special Agent-in-Charge of the Chicago Field Office of the FBI. “FBI Chicago worked tirelessly to uncover this complex web of alleged foreign intelligence and economic espionage crimes. Thanks to these efforts, as well as our partnerships with the U.S. Attorney’s Offices and fellow Field Offices, the FBI continues to be successful in holding groups accountable and protecting national security.”

Overview

As alleged in the indictment and court filings, the defendants, along with dozens of identified PRC Ministry of State Security (MSS) intelligence officers, contractor hackers, and support personnel, were members of a hacking group operating in the PRC and known within the cyber security community as Advanced Persistent Threat 31 (the APT31 Group). The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010, the defendants conducted global campaigns of computer hacking targeting political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates and campaign personnel in the United States and elsewhere and American companies.
The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.

Hacking Scheme


The more than 10,000 malicious emails that the defendants and others in the APT31 Group sent to these targets often appeared to be from prominent news outlets or journalists and appeared to contain legitimate news articles. The malicious emails contained hidden tracking links, such that if the recipient simply opened the email, information about the recipient, including the recipient’s location, internet protocol (IP) addresses, network schematics and specific devices used to access the pertinent email accounts, was transmitted to a server controlled by the defendants and those working with them. The defendants and others in the APT31 Group then used this information to enable more direct and sophisticated targeted hacking, such as compromising the recipients’ home routers and other electronic devices.
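Added example, not part of the DOJ release or any of the agencies' material above: the paragraph describes lure emails that looked like news articles but carried hidden tracking links, so that merely opening the message reported the recipient's IP address, location and client details to attacker-controlled infrastructure. The defensive counterpart is a gateway or mailbox check that refuses to auto-load remote content when it sees such a beacon. The script below shows what that check looks like: it parses a raw message, pulls the remote images and links out of the HTML body, and flags hidden or per-recipient-tokenised references that point off the sender's domain. The sample message, the sender domain example-news.test, the beacon host tracker-c2.test and the token values are all constructed for the example.

```python
"""Flag remote-content beacons in an HTML email before it is rendered.

Added example (not from the NCSC, DOJ or Treasury releases). Sample
message, domains and tokens below are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed lure: claims to be a newsletter, carries a 1x1 tracking pixel
# and a per-recipient tokenised "read more" link on an unrelated host.
SAMPLE_RAW = """From: "Daily Bulletin" <news@example-news.test>
To: member@parliament.example
Subject: Analysis: latest developments
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague, please find today's analysis below.</p>
<img src="https://cdn.example-news.test/logo.png" width="120" height="40">
<img src="https://stat.tracker-c2.test/p.gif?u=7f3a9c2e&rcpt=4411" width="1" height="1" style="display:none">
<a href="https://go.tracker-c2.test/r?id=7f3a9c2e&u=4411">Read the full article</a>
<a href="https://www.example-news.test/article/123">Visit our site</a>
</body></html>
"""


def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list); enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _RemoteRefCollector(HTMLParser):
    """Collect <img src=...> and <a href=...> tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and "src" in a:
            self.images.append(a)
        elif tag == "a" and "href" in a:
            self.links.append(a)


def _is_hidden(attrs):
    """True for 1x1 (or smaller) images and CSS-hidden images: classic beacons."""
    def dim(name):
        try:
            return int(attrs.get(name, "").strip().rstrip("px") or -1)
        except ValueError:
            return -1
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = 0 <= dim("width") <= 1 and 0 <= dim("height") <= 1
    return tiny or "display:none" in style or "visibility:hidden" in style


def _reasons(url, sender_rd):
    """Reasons a remote reference looks like tracking rather than content."""
    reasons = []
    if parse_qs(url.query):                      # per-recipient token in the query
        reasons.append("tokenised_url")
    if registrable_domain(url.hostname or "") != sender_rd:
        reasons.append("off_sender_domain")      # beacon host unrelated to From:
    return reasons


def analyse(raw_message, sender_domain=None):
    """Return beacons, suspicious links and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if sender_domain is None:
        hdr = msg["From"]
        sender_domain = hdr.addresses[0].domain if hdr and hdr.addresses else ""
    sender_rd = registrable_domain(sender_domain)

    body = msg.get_body(preferencelist=("html",))
    collector = _RemoteRefCollector()
    collector.feed(body.get_content() if body is not None else "")

    beacons, suspicious_links = [], []
    for img in collector.images:
        url = urlparse(img["src"])
        if url.scheme not in ("http", "https"):
            continue                              # cid:/data: images cannot phone home
        reasons = (["hidden_pixel"] if _is_hidden(img) else []) + _reasons(url, sender_rd)
        if "hidden_pixel" in reasons or len(reasons) >= 2:
            beacons.append({"url": img["src"], "reasons": reasons})
    for link in collector.links:
        url = urlparse(link["href"])
        if url.scheme in ("http", "https"):
            reasons = _reasons(url, sender_rd)
            if len(reasons) == 2:                 # tokenised AND off-domain
                suspicious_links.append({"url": link["href"], "reasons": reasons})

    verdict = "block_remote_content" if beacons or suspicious_links else "allow"
    return {"beacons": beacons, "suspicious_links": suspicious_links, "verdict": verdict}


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW)
    print(result["verdict"])
    for hit in result["beacons"] + result["suspicious_links"]:
        print(" ", hit["url"], hit["reasons"])
```

On the constructed message the logo passes (same registrable domain, no token, visible size), the 1x1 pixel is reported as a beacon with all three reasons, and the tokenised off-domain "read more" link is reported separately; the verdict is to render the message without remote content. The two-label domain comparison is a deliberate simplification: a production check would use a public-suffix list and would also compare against the envelope sender and any DKIM-signing domain, not only the display From: header.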
The defendants and others in the APT31 Group also sent malicious tracking-link emails to government officials across the world who expressed criticism of the PRC government. For example, in or about 2021, the Conspirators targeted the email accounts of various foreign government individuals around the world who were part of the Inter-Parliamentary Alliance on China (IPAC), a group founded in 2020 on the anniversary of the 1989 Tiananmen Square protests whose stated purpose was to counter the threats posed by the Chinese Communist Party to the international order and democratic principles. The targets included every European Union member of IPAC, and 43 United Kingdom parliamentary accounts, most of whom were members of IPAC or had been outspoken on topics relating to the PRC government.
To gain and maintain access to the victim computer networks, the defendants and others in the APT31 Group employed sophisticated hacking techniques including zero-day exploits, that is, exploits for vulnerabilities the hackers knew about before the vendor or the victim had been able to patch or otherwise fix them. These activities resulted in the confirmed and potential compromise of economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC's state-sponsored apparatus to transfer U.S. technology to the PRC.

Targeting of U.S. Government Officials and U.S. and Foreign Politicians and Campaigns

The targeted U.S. government officials included individuals working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators and Representatives of both political parties. The defendants and others in the APT31 Group targeted these individuals at both professional and personal email addresses. Additionally in some cases, the defendants also targeted victims’ spouses, including the spouses of a high-ranking Department of Justice official, high-ranking White House officials and multiple United States Senators. Targets also included election campaign staff from both major U.S. political parties in advance of the 2020 election.
The allegations in the indictment regarding the malicious cyber activity targeting political officials, candidates, and campaign personnel are consistent with the March 2021 Joint Report of the Department of Justice and the Department of Homeland Security on Foreign Interference Targeting Election Infrastructure or Political Organization, Campaign, or Candidate Infrastructure Related to the 2020 US Federal Elections. That report cited incidents when Chinese government-affiliated actors “materially impacted the security of networks associated with or pertaining to US political organizations, candidates, and campaigns during the 2020 federal elections.” That report also concluded that “such actors gathered at least some information they could have released in influence operations,” but which the Chinese actors did not ultimately deploy in such a manner. Consistent with that conclusion, the indictment does not allege that the hacking furthered any Chinese government influence operations against the U.S. The indictment’s allegations nonetheless serve to underscore the need for U.S. and allied political organizations, candidates, and campaigns to remain vigilant in their cybersecurity posture and in otherwise protecting their sensitive information from foreign intelligence services, particularly in light of the U.S. Intelligence Community’s recent assessment that “[t]he PRC may attempt to influence the U.S. elections in 2024 at some level because of its desire to sideline critics of China and magnify U.S. societal divisions.”

Targeting of U.S. Companies

The defendants and others in the APT31 Group also targeted individuals and dozens of companies operating in areas of national economic importance, including the defense, information technology, telecommunications, manufacturing and trade, finance, consulting, legal and research industries. The defendants and others in the APT31 Group hacked and attempted to hack dozens of companies or entities operating in these industries, including multiple cleared defense contractors who provide products and services to the U.S. military, multiple managed service providers who managed the computer networks and security for other companies, a leading provider of 5G network equipment, and a leading global provider of wireless technology, among many others.

Targeting for Transnational Repression of Dissidents

The defendants and the APT31 Group also targeted individual dissidents around the world and other individuals who were perceived as supporting such dissidents. For example, in 2018, after several activists who spearheaded Hong Kong’s Umbrella Movement were nominated for the Nobel Peace Prize, the defendants and the APT31 Group targeted Norwegian government officials and a Norwegian managed service provider. The conspirators also successfully compromised Hong Kong pro-democracy activists and their associates located in Hong Kong, the United States, and other foreign locations with identical malware.

The charged defendants’ roles in the conspiracy consisted of testing and exploiting the malware used to conduct these intrusions, managing infrastructure associated with these intrusions, and conducting surveillance and intrusions against specific U.S. entities. For example, defendants Cheng Feng, Sun Xiaohui, Weng Ming, Xiong Wang and Zhao Guangzong were involved in testing and exploiting malware, including malware used in some of these intrusions. Cheng and Ni Gaobin managed infrastructure associated with some of these intrusions, including the domain name for a command-and-control server that accessed at least 59 unique victim computers, including a telecommunications company that was a leading provider of 5G network equipment in the United States, an Alabama-based research corporation in the aerospace and defense industries and a Maryland-based professional support services company. Sun and Weng operated the infrastructure used in an intrusion into a U.S. company known for its public opinion polls. Sun and Peng Yaowen conducted research and reconnaissance on several additional U.S. entities that were later the victims of the APT31 Group’s intrusion campaigns. Ni and Zhao sent emails with links to files containing malware to PRC dissidents, specifically Hong Kong legislators and democracy advocates, as well as targeting U.S. entities focusing on PRC-related issues.

The government’s case is being prosecuted by the Office’s National Security and Cybercrime Section. Assistant United States Attorneys Douglas M. Pravda, Saritha Komatireddy and Jessica Weigel are in charge of the prosecution, with assistance from Matthew Anzaldi and Matthew Chang of the National Security Division’s National Security Cyber Section and from the Office’s Litigation Analyst Mary Clare McMahon.



Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure

March 25, 2024


Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a Wuhan, China-based Ministry of State Security (MSS) front company that has served as cover for multiple malicious cyber operations. OFAC is also designating Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan XRZ, for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors, directly endangering U.S. national security. This action is part of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United Kingdom Foreign, Commonwealth & Development Office (FCDO).

People’s Republic of China (PRC) state-sponsored malicious cyber actors continue to be one of the greatest and most persistent threats to U.S. national security, as highlighted in the most recent Office of the Director of National Intelligence Annual Threat Assessment.

“The United States is focused on both disrupting the dangerous and irresponsible actions of malicious cyber actors, as well as protecting our citizens and our critical infrastructure,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Through our whole-of-government approach and in close coordination with our British partners, Treasury will continue to leverage our tools to expose these networks and protect against these threats.”

Today, the Department of Justice unsealed indictments of Zhao Guangzong, Ni Gaobin, and five other defendants; and the U.S. Department of State announced a Rewards for Justice offer for information on these individuals, their organization, or any associated individuals or entities; and the UK Foreign, Commonwealth & Development Office implemented matching sanctions.

APT 31: A CHINESE MALICIOUS CYBER GROUP

An Advanced Persistent Threat (APT) is a sophisticated cyber actor or group with the capability to conduct advanced and sustained malicious cyber activity, often with the goal of maintaining ongoing access to a victim’s network. Information security researchers will categorize and name certain APTs based on observed patterns such as the location of the perpetrators, the types of victims targeted, and the techniques used in the malicious cyber activity. APT 31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD). APT 31 has targeted a wide range of high-ranking U.S. government officials and their advisors integral to U.S. national security including staff at the White House; the Departments of Justice, Commerce, the Treasury, and State; members of Congress, including both Democrat and Republican Senators; the United States Naval Academy; and the United States Naval War College’s China Maritime Studies Institute.

APT 31 has targeted victims in some of America’s most vital critical infrastructure sectors, including the Defense Industrial Base, information technology, and energy sectors. APT 31 actors have gained unauthorized access to multiple Defense Industrial Base victims, including a defense contractor that manufactured flight simulators for the U.S. military, a Tennessee-based aerospace and defense contractor, and an Alabama-based aerospace and defense research corporation. Additionally, APT 31 actors gained unauthorized access to a Texas-based energy company, as well as a California-based managed service provider.

In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance. In 2018, employees of Wuhan XRZ conducted an APT 31 malicious cyber operation on a Texas-based energy company, gaining unauthorized access.

OFAC is designating Wuhan XRZ pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757 (E.O. 13694, as amended), for being responsible for or complicit in, or having engaged in, directly or indirectly cyber enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.

Zhao Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims as a contractor for Wuhan XRZ. Zhao Guangzong was behind the 2020 APT 31 spear phishing operation against the United States Naval Academy and the United States Naval War College’s China Maritime Studies Institute. Additionally, Zhao Guangzong has conducted numerous spear phishing operations against Hong Kong legislators and democracy advocates.

OFAC is designating Zhao Guangzong pursuant to E.O. 13694, as amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Wuhan XRZ, an entity whose property or interest in property are blocked pursuant to E.O. 13694, as amended.

Ni Gaobin is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims. Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ, including the 2020 spear phishing operation against the United States Naval Academy and United States Naval War College’s China Maritime Studies Institute.

OFAC is designating Ni Gaobin pursuant to E.O. 13694, as amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Wuhan XRZ, an entity whose property or interest in property are blocked pursuant to E.O. 13694, as amended.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated persons and entity described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person.
