The US government has released images of seven alleged Chinese hackers wanted on charges of infiltrating the communications of targets in Britain and America over a 14-year period.
In a newly unsealed indictment, the Department of Justice (DoJ) accused the men of participating in a state-sponsored hacking ring, known to US authorities as APT 31 or the code name “Violet Typhoon”.
The documents revealed the scale of China's illicit intrusion into Western public life, carried out through malicious emails designed to collect data on their targets.
The defendants, two of whom have also been sanctioned by the US Treasury, are: Ni Gaobin; Weng Ming; Cheng Feng; Peng Yaowen; Sun Xiaohui; Xiong Wang; and Zhao Guangzong.
The men, aged between 34 and 38, are linked to Wuhan Xiaoruizhi Science & Technology, a front company operated by an arm of the Ministry of State Security, China’s foreign intelligence agency.
Since 2010, the unit has been tasked with what US government officials have called a “sinister scheme” of “computer intrusion activities” on behalf of the Chinese government, primarily through email attacks on foreign targets.
The hit list included US government departments, White House staff, British MPs critical of China and the UK Electoral Commission.
The list also included members of Congress, including Democratic and Republican senators, the United States Naval Academy and the United States Naval War College’s China Institute of Maritime Studies.
The targets were chosen “for the PRC’s foreign intelligence and economic espionage purposes” in gathering information about potential threats abroad, and in violation of data privacy and computer misuse laws.
Over a 14-year period, Chinese hackers and intelligence operatives compromised the security of thousands of work and personal email addresses, cloud storage accounts and phone call records, the DoJ said.
The group operated by sending more than 10,000 emails to their targets, disguised as legitimate messages from journalists or news organizations and containing real news articles relevant to the recipient.
However, when opened, a tracking link hidden in the email would extract the user’s location, IP address and device information and transmit it back to Wuhan for processing by Chinese intelligence services.
Using that information, APT 31 was able to gain access to the targets' email accounts and networks through "zero-day exploits", attacks that abuse security flaws for which the software vendor has not yet released a fix.
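The hidden tracking link described above is a remote resource that the mail client fetches automatically when the message is rendered; the request itself hands the sender the recipient's IP address, approximate location and client details. The scanner below is an added example written for this page, not APT 31's tooling and not anything contained in the indictment: it parses an HTML message body and flags remote images that look like beacons (1x1 dimensions, hidden by CSS, or carrying a long per-recipient token in the URL). The sample message, the `.invalid` hostnames and the token are constructed for the example.

```python
"""Flag hidden tracking beacons (auto-loading remote resources) in an HTML email body.

Added example for this page; not code from the indictment or from APT 31.
The sample message and hostnames below are constructed, not real captures.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BeaconScanner(HTMLParser):
    """Collect <img> tags whose src points at an external http(s) server."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Inline (cid:) or data: images never contact a remote server, so they
        # cannot leak the reader's IP address or client details.
        if urlparse(a.get("src", "")).scheme not in ("http", "https"):
            return
        self.images.append(a)


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    return re.sub(r"px$", "", value.strip().lower()) in ("0", "1")


def find_tracking_beacons(html: str) -> list:
    """Return one finding per remote image that shows beacon characteristics."""
    scanner = _BeaconScanner()
    scanner.feed(html)
    findings = []
    for img in scanner.images:
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 pixel")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        url = urlparse(img["src"])
        # A long opaque token is what ties the fetch back to one recipient.
        if re.search(r"[A-Za-z0-9_-]{24,}", url.path + "?" + url.query):
            reasons.append("unique token in URL")
        if reasons:
            findings.append({"src": img["src"], "host": url.hostname, "reasons": reasons})
    return findings


# Constructed sample: a lure that embeds a genuine-looking article image plus a
# hidden beacon. Hostnames use the reserved .invalid TLD and resolve nowhere.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Member, please see the attached article on China policy.</p>
<img src="https://cdn.example-news.invalid/images/2024/headline.jpg" width="600" alt="headline">
<img src="https://track.example-attacker.invalid/open/8f3c1a9d2b7e4c6f8a1d3e5b7c9f2a4d"
     width="1" height="1" style="display:none">
<img src="cid:logo@local">
</body></html>
"""

if __name__ == "__main__":
    for f in find_tracking_beacons(SAMPLE_EMAIL):
        print(f"{f['host']}: {', '.join(f['reasons'])}  ({f['src']})")
```

On the sample message the scanner reports only the `track.example-attacker.invalid` image, for all three reasons; the article image and the inline logo pass. The check is heuristic, so it belongs in a gateway or triage pipeline rather than as a hard block; the more reliable defence against this class of tracking is a mail client configured not to load remote content until the reader explicitly asks for it.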
The indictment released Monday identifies the tactics used with each of the target groups, from US government officials to election campaign employees and family members of potential targets.
In 2021, the group began hacking the email accounts of British MPs linked to IPAC, the Inter-Parliamentary Alliance on China, after IPAC began publicly criticizing China and the Chinese Communist Party.
The hackers created 10 email accounts to send more than 1,000 emails to 400 people connected to IPAC, and harvested data from their targets' accounts.
The targets included 43 parliamentary accounts and all IPAC members in the EU.
Collective sanctions
The United States and the UK announced joint sanctions on two members of the group, Zhao Guangzong and Ni Gaobin, and on a Chinese front company operating as a satellite of the intelligence services.
“These defendants were part of a hacking group sponsored by the Chinese government, which targeted US businesses and US political officials for intrusions for over a decade as part of a larger global malicious campaign,” said James Smith, the assistant director in charge of the FBI's New York field office.
“These charges are yet another example of hostile actions taken by the PRC to attack not only American businesses and infrastructure, but our nation’s security.”
In the United Kingdom, Oliver Dowden, the Deputy Prime Minister, said that any hostile cyber activity aimed at UK parliamentarians was “totally unacceptable”.
He said the two attacks showed “a clear and persistent pattern of behavior that indicates hostile intent on the part of China”.
APT 31, short for Advanced Persistent Threat 31, was first publicly identified in 2016 and is believed to have been in operation since 2010.
The most devastating attack occurred in 2021 when APT 31 and another state-backed group exploited a flaw in Microsoft’s Exchange email server software to steal personal data.
The hack affected around 250,000 email servers, including around 7,000 in the UK.
Victims of the attacks included the European Banking Authority and the Norwegian Parliament, with the NCSC claiming that the hack “enabled large-scale espionage”.
Cyber experts have described the group as “highly skilled and sophisticated”.
On Monday, the Foreign Office said it had sanctioned a front company acting for APT 31, as well as two people involved in the group, without naming them.
The sanctions freeze any assets the targets hold in the UK and bar the two individuals from entering Britain.