The faces behind China’s online attack on the UK and US

By | March 25, 2024

From top left to right: Ni Gaobin; Weng Ming; and Cheng Feng. From bottom left to right: Peng Yaowen; Sun Xiaohui; Xiong Wang; and Zhao Guangzong

The US government has released images of seven Chinese hackers wanted on charges of infiltrating the communications of targets in Britain and America over a 14-year period.

In a newly unsealed indictment, the Department of Justice (DoJ) accused the men of participating in a state-sponsored hacking ring known to U.S. authorities by the codename APT 31, or “Violet Typhoon.”

The documents reveal the extent of China’s illicit intrusion into Western public life using malicious emails designed to collect data on its targets.

The defendants, two of whom were also sanctioned by the US Treasury, are: Ni Gaobin; Weng Ming; Cheng Feng; Peng Yaowen; Sun Xiaohui; Xiong Wang; and Zhao Guangzong.

The men, aged between 34 and 38, are linked to Wuhan Xiaoruizhi Science and Technology, a front company operated by an arm of the ministry of state security, China’s foreign intelligence agency.

Since 2010, the unit has been tasked with carrying out “computer intrusion activities,” particularly through email attacks on foreign targets, in what U.S. government officials have called an “evil plan” on the part of the Chinese government.

The list of targets included US government departments, White House staff, China-sceptical British MPs and the UK Electoral Commission.

The list also included Democratic and Republican senators, members of Congress, as well as the U.S. Naval Academy and the U.S. Naval War College’s China Maritime Studies Institute.


MPs from the Inter-Parliamentary Alliance on China Tim Loughton, Iain Duncan Smith and Stewart McDonald held a press conference on Monday. China accused of targeting three MPs – NEIL HALL/EPA-EFE/SHUTTERSTOCK

The targets were selected “for the purpose of furthering the PRC’s economic espionage and foreign intelligence objectives,” namely, gathering information about potential threats abroad and violating data privacy and computer misuse laws.

Over a 14-year period, hackers and Chinese intelligence officers compromised the security of thousands of business and personal email addresses, cloud storage accounts and phone call records, the Justice Department said.

The group operated by sending more than 10,000 emails to its targets that appeared to be legitimate messages from journalists or news organizations and contained actual news articles that piqued the recipient’s interest.

However, when the hidden tracking link in an email was opened, the recipient’s location, IP address and device information were collected and sent back to Wuhan for processing by Chinese intelligence services.

Using this information, APT 31 was able to access targets’ email accounts and networks using so-called “zero-day exploits”, which take advantage of security bugs that manufacturers have not yet fixed with software updates.
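The tracking-link mechanism described above leaves traces that a mail gateway or analyst can look for on the receiving side. The following is an added example, not from the article, the indictment or any vendor tool: it scans a constructed HTML email body for hidden beacon images and per-recipient tokenised links pointing at hosts outside the claimed sender’s domain. The hostnames, the token pattern and the sample message are all assumptions.

```python
# Added example: flag hidden tracking elements in an HTML email body.
# Standard library only; hostnames and sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class TrackerScanner(HTMLParser):
    """Collect <img> and <a> elements whose attributes suggest beaconing."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []

    def _foreign(self, host):
        d = self.sender_domain
        return bool(host) and host != d and not host.endswith("." + d)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in re.sub(r"\s", "", a.get("style", "").lower())
            # a 1x1 or invisible remote image exists only to report that the mail was opened
            if src.startswith("http") and (tiny or hidden):
                self.findings.append(("tracking_pixel", src))
        elif tag == "a":
            href = a.get("href", "")
            host = (urlparse(href).hostname or "").lower()
            # a long opaque token on an unrelated host ties the click to one recipient
            if self._foreign(host) and re.search(r"[?/][A-Za-z0-9_-]{20,}", href):
                self.findings.append(("tokenised_link", href))


def scan_email_html(html, sender_domain):
    """Return a list of (finding_kind, url) tuples for the given HTML body."""
    p = TrackerScanner(sender_domain)
    p.feed(html)
    return p.findings


# Constructed sample: reads like a newsletter but carries a per-recipient link and a 1x1 beacon.
SAMPLE = """<html><body>
<p>Latest report on maritime security (see attached).</p>
<a href="https://news.example.org/report">Read the article</a>
<a href="https://cdn-stat.example.net/r/Qk3x9ZpL0aVb7TtW2eHn5yUc">Full text</a>
<img src="https://cdn-stat.example.net/o.gif" width="1" height="1" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE, "example.org"):
        print(kind, url)
```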

The indictment, released Monday, describes tactics used at each of the target groups, from U.S. government officials to campaign workers to family members of potential targets.

In 2021, the group began hacking the email accounts of British MPs affiliated with the Inter-Parliamentary Alliance on China (Ipac) after they began publicly criticizing China and the Chinese Communist Party.

Hackers created 10 email accounts to send more than 1,000 emails to 400 people connected to Ipac and retrieved data from their targets’ accounts. Targets included 43 parliamentary accounts and all Ipac members in the EU.

Joint sanctions

The US and UK announced joint sanctions on two members of the group, Zhao Guangzong and Ni Gaobin, and the Chinese front company.

“These defendants are a Chinese government-sponsored computer network that has been targeting U.S. businesses and U.S. political officials for intrusions for more than a decade as part of a larger, malicious global campaign,” said James Smith, FBI Deputy Director in Charge of the New York field office. “He was part of a hacking group,” he said.

“These charges are yet another example of the PRC’s hostile actions to attack not only American businesses and infrastructure but also the security of our nation.”

In the UK, Deputy Prime Minister Oliver Dowden said any hostile cyber activity against British parliamentarians was “completely unacceptable”.

He said the two attacks showed “a clear and persistent pattern of behavior that indicates China’s hostile intent.”

APT 31, short for Advanced Persistent Threat 31, was first publicly disclosed in 2016 and is believed to have been operating since 2010.

The most devastating attack occurred in 2021, when APT 31 and another state-sponsored group exploited a flaw in Microsoft’s email server system, Exchange, to steal personal data.

Approximately 250,000 email servers were affected by the attack, including 7,000 in the UK.

Victims of the attacks included the European Banking Authority and the Norwegian parliament. The NCSC claimed the attack “enabled large-scale espionage.”

Cyber experts described the group as “highly skilled and sophisticated”.

On Monday, the Foreign Office said sanctions against APT 31 and two individuals in the group would freeze all UK-based assets and prevent individuals from entering Britain.
