US charges Chinese nationals with cyber-spying on pretty much everyone for Beijing

The United States on Monday accused seven Chinese men of breaking into computer networks, email accounts, and cloud storage belonging to numerous critical infrastructure organizations, companies, and individuals, including US businesses, politicians, and their political parties.

According to American prosecutors, the suspected spies are members of APT31, a cyber-espionage group said to be run by China’s Ministry of State Security (MSS) out of Wuhan and otherwise known as Zirconium, Violet Typhoon, Judgment Panda, and Altaire.

And according to the UK government today, that’s the same crew responsible for the attempted compromise of British politicians’ email accounts in 2021.

Both the UK and the US sanctioned Wuhan Xiaoruizhi Science and Technology, said to be a front company for the MSS and its computer-intrusion activities, and two of the seven Chinese nationals for their alleged roles in that espionage. The UK also separately disclosed today that it believes its Electoral Commission was compromised between 2021 and 2022 by Chinese agents, who stole email data, and data from the Electoral Register.

The seven suspected members of APT31 charged by the United States on Monday are: Ni Gaobin, 38; Weng Ming, 37; Cheng Feng, 34; Peng Yaowen, 38; Sun Xiaohui, 38; Xiong Wang, 35; and Zhao Guangzong, 38. Gaobin and Guangzong were the pair sanctioned by the UK and US regarding Wuhan Xiaoruizhi.

All are believed to reside in the People’s Republic of China, so there’s a slim-to-zero chance of them being arrested and extradited to stand trial in the US, at least, for their alleged crimes.

That said, perhaps money will change all that. Uncle Sam offered a reward of up to $10 million for information on the seven individuals in the hope that someone will snitch and assist the Feds in bringing the alleged spies to justice. Or it could just be fancy posturing; what does the NSA and CIA, and MI6 and GCHQ, do all day, one doesn’t have to wonder.

According to the indictment [PDF] against the men in the US, the seven defendants worked with dozens of other MSS intel officers, contractors, and support personnel to compromise and spy on computer networks and online accounts that were of interest to Beijing.

‘Thousands’ targeted, ‘millions’ potentially affected

Since at least 2010, the alleged gang conducted massive globe-spanning campaigns targeting “thousands” of US and foreign individuals and companies, with a particular emphasis on journalists; pro-democracy activists; foreign policy experts; academics; workers in IT, telecoms, manufacturing and trade, finance, consulting, law, and research; and government officials, politicians, and candidates who have been critical of the Chinese government. We’re told that trade secrets as well as personal data were pilfered.

“These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s state-sponsored apparatus to transfer US technology to the PRC,” the indictment thundered.

For instance, the Chinese g-men, it is claimed, sent “thousands” of crafty email messages to personal and professional accounts belonging to politicians and their family members, purporting to be from prominent American journalists. These messages contained malicious links that, when opened, disclosed the recipient’s physical location and IP addresses as well as information about their networks and specific devices used to access the emails.

“The conspirators used this method to enable more direct and sophisticated targeting of recipients’ home routers and other electronic devices, including those of high-ranking US government officials and politicians and election campaign staff from both major US political parties,” according to the indictment.

Some of APT31’s targets allegedly included individuals at the White House; and the US Departments of Justice, Commerce, Treasury, State, Labor and Transportation, as well as members of Congress and the spouses of a high-ranking Department of Justice official, high-ranking White House officials, and multiple US senators. 

Outside of the United States, some of the gang’s targets, according to prosecutors, included members of the Inter-Parliamentary Alliance on China (IPAC), a group founded in 2020 on the anniversary of the 1989 Tiananmen Square protests and massacre, plus dissidents and academics critical of the PRC, and 43 UK parliamentary IT accounts.

In addition to sending phishing emails, the crew also used “sophisticated types of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat and others” to backdoor victims’ machines, execute payloads, and steal sensitive data, it is claimed.

The indictment described one alleged intrusion in late 2016 during which a zero-day privilege-escalation exploit was used to drill into a US defense contractor with offices in Long Island, New York. This is just one of the “multiple” contractors providing products and services to the American military that the crew snooped on, it is claimed.

After exploiting the zero-day vulnerability, the alleged spies created a new account within the corporate network with admin privileges, uploaded a web shell for remote access and to establish a connection with APT31-controlled infrastructure, and then snooped around the defense contractor’s systems and files.

In another example, between 2017 and 2019, it’s claimed the crew broke into the networks of seven IT managed-services providers (MSPs) in New York, California, Massachusetts, Colorado, Idaho, and overseas. They then used this access to infiltrate servers belonging to the MSPs’ customers, we’re told. 

From the California MSP alone the snoops gained access to at least 15 servers on seven remote networks, it is claimed. Affected customers included a financial business, a nuclear power engineering company, an enterprise-resources planning outfit, and three additional IT managed-service providers.

Other victim organizations include “a leading provider of 5G network equipment in the United States,” a steel company, a New York-based apparel manufacturer, a California engineering company, an energy firm in Texas, and “many others.” ®

READ MORE HERE