US, UK Accuse China of Years-Long Cyberespionage Campaign
The United States, the UK, and other countries this week accused a state-sponsored Chinese threat group of running a massive global hacking campaign for more than a decade that targeted political figures, journalists, businesses, political dissidents, and elections officials to steal information and spy on targets.
U.S. Attorney Breon Peace called the work of the group dubbed APT31 a “sinister scheme,” adding that “these allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists, and academics; valuable information from American companies; and political dissidents in America and abroad.”
The U.S. Justice Department (DOJ) this week indicted seven Chinese nationals for their roles with the advanced persistent threat (APT) group – which is part of a larger cyberespionage program run by the Hubei State Security Department that is part of the Chinese government’s Ministry of State Security – and the Treasury Department sanctioned the Wuhan Xiaoruizhi Science and Technology Co. (Wuhan XRZ), which U.S. officials said was a front to cover multiple malicious cyber operations run by the government.
The Hubei State Security Department is located in Wuhan.
Treasury also designated two Chinese officials affiliated with Wuhan ZRX – Zhao Guangzong and Ni Goabin – for their roles in targeting U.S. critical infrastructure organizations.
Meanwhile, the DOJ, through its Rewards for Justice program, is offering up to $10 million for information about the seven indicted Chinese nationals, APT31 (also known as Zirconium, Violet Typhoon, Judgement Panda, and Altaire), or associated people or entities. Those who give information may also be “eligible for relocation,” according to the notice.
Those indicated – Ni Gaobin, 38; Weng Ming, 37; Cheng Feng, 34; Peng Yaowen, 38; Sun Xiaohui, 38; Xiong Wang, 35; and Zhao Guangzong, 38 – likely are still in China, the DOJ said.
UK, Australia, New Zealand Blame China
For its part, the UK’s National Cyber Security Centre this week attributed hacks of parliamentarians’ emails in 2021 and the country’s Electoral Commission’s system between 2021 and 2022 to APT31. At the same time, leaders in both Australia and New Zealand supported the UK’s statement, with Judith Collins, the minister responsible for New Zealand’s Government Communications Security Bureau, saying that “the use of cyber-enabled espionage operations to interfere with democratic institutions and processes anywhere is unacceptable.”
The Chinese Embassy in the UK pushed back at the accusations, saying that the “UK’s claim that China was responsible for malicious cyber campaigns targeting the UK is completely unfounded and constitutes malicious slander” and that it is China that has been “a major victim” of cyberattacks. It called the “UK’s hype-up of the so-called ‘Chinese cyber attacks’ without basis and the announcement of sanctions is outright political manipulation and malicious slander.”
At Least 14 Years in the Making
According to the DOJ, the expansive operation spanned 14 years, running since at least 2010, with APT31 targeting thousands of people and organizations in the United States and elsewhere. The group sent more than 10,000 malicious emails to targets that appeared to be from prominent news outlets or journalists and contained seemingly legitimate news stories.
However, the emails contained hidden tracking links that would collect sensitive information if the recipient simply opened the email. The information included the target’s location, IP addresses, network schematics, and devices used to access relevant email accounts and was sent to a server controlled by APT31.
“The defendants and others in the APT31 Group then used this information to enable more direct and sophisticated targeted hacking, such as compromising the recipients’ home routers and other electronic devices,” the DOJ wrote.
Worldwide Campaign
Similar tracking-link emails were also sent to government officials around the world who criticized the Chinese government, with the DOJ pointing to the campaigns against UK parliamentarians and the country’s elections officials.
The hackers gained and kept access to targets’ networks through such techniques as zero-day exploits, which led to the compromise of economic plans, intellectual properties, and trade secrets of American business and an estimated billions of dollars lost every year due to the transfer of U.S. technology to the People’s Republic of China (PRC).
In the United States, APT31 targets included people working in the White House and at the Justice, Commerce, Treasury, and State departments and U.S. senators and representatives of both political parties. The hackers accessed both professional and personal email accounts, addresses and also targeted some of the victims’ spouses, including those of a high-ranking DOJ official, high-ranking White House officials, and multiple senators. In addition, election campaign staff members of both parties were targeted during the runup to the 2020 election.
Worries About China
The APT31 campaign is only the latest concerns about China’s malicious cybersecurity activities. In its 2023 annual threat report, the U.S. Office of the Director of National Intelligence called China “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks.” FBI Director Christopher Wray last year testified that “there’s no country that presents a more significant threat to our innovation, our ideas, our economic security, our national security than Chinese government. That’s why we’ve grown the number of investigations into threats from China about 1,300%.”
More recently, the government and cybersecurity pros have warned about Chinese-back threat groups. Mandiant researchers reported this month about a PRC-connected hacker dubbed UNC5174 who may be working as a contractor with China’s MSS exploiting flaws in ConnectWise’s ScreenConnect (CVE-2024-1709) and F5 Networks’ BIG-IP (CVE-2023-46747) to target U.S. defense contractors and UK government offices.
In addition, CISA, the FBI, and other U.S. agencies last month said that the Chinese-linked group Volt Typhoon has infiltrated and hidden away in computers and networks of U.S. critical infrastructure organizations, essentially pre-positioning itself to attack and disrupt operations if conflicts arise between the United States and China. Volt Typhoon hackers had hidden in some systems for as long as five years.
Microsoft and the U.S. government said China’s APT group Storm-0558 was responsible for a hack last year of Microsoft 365 and Exchange Online and stealing email from government and corporate accounts. The group got in by stealing a Microsoft signing key.