DOJ charges four members of Chinese government hacking group

The unsealed indictments accuse three state security officers of working with a hacker to attack companies across the world.
Written by Jonathan Greig, Contributor

The Justice Department announced charges against four Chinese nationals on Monday, accusing the men of being part of a hacking group that attacked "companies, universities, and government entities in the United States and abroad between 2011 and 2018."

According to a release from the DOJ, a San Diego federal grand jury returned the indictment against all four in May; it was unsealed on Friday.

The indictment says Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin were members of the Hainan State Security Department working covertly within a front company called Hainan Xiandun Technology Development Co., Ltd.

The goal of the operation, according to the Justice Department, was to steal information from companies that would help enterprises in China. The DOJ said the hackers were specifically looking for "information that would allow the circumvention of lengthy and resource-intensive research and development processes."

Operating out of Haikou, Hainan Province, the three are accused of "coordinating, facilitating, and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies." The Hainan State Security Department is a provincial arm of China's Ministry of State Security (MSS).

Wu Shurong was also indicted for his role as a hacker who created malware, assisted the other three in breaking into computer systems, and allegedly supervised other Hainan Xiandun hackers.

The DOJ noted that the group attacked companies across the US, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, the UK, Austria, Cambodia, Canada, and Germany. Most of the attacks targeted companies working in the defense, education, healthcare, biopharmaceutical, and aviation sectors.

"Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China's efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects)," the Justice Department statement said.  

"At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia." 

The indictment also accuses staff and professors at universities in Hainan and elsewhere in China of working with the Ministry of State Security, including by helping to identify and recruit the hackers and linguists the operation relied on.

Deputy Attorney General Lisa Monaco said the charges highlight that China continues to use cyber-enabled attacks to steal what other countries make, calling the government's actions representative of a "flagrant disregard of its bilateral and multilateral commitments."

"The breadth and duration of China's hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe," Monaco said. 

The DOJ noted that multiple cybersecurity firms have chronicled the group's activities, giving it a variety of names over the years, including Advanced Persistent Threat (APT) 40, BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper.

The indictment lists the hacking methods used to break into companies' systems, describing how the group relied on spearphishing emails, hijacked credentials, and other techniques.

"The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks," the indictment said. 

"The conspiracy's malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords."

The indictment notes that the hackers used anonymizer services, Dropbox Application Programming Interface (API) keys, and even GitHub during their attacks. 
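Abuse of legitimate cloud services such as the Dropbox API and GitHub is hard to block outright, so the practical defensive question is how to spot it. The following is an added example, not part of the article or of the indictment: a small hunt over proxy logs that flags hosts talking to those services outside an expected baseline, Dropbox API uploads that do not carry the desktop client's user agent, and unusually large outbound volume. The log format, hostnames, user-agent pattern, baseline and threshold are all assumptions constructed for illustration.

```python
"""Hunt for Dropbox API and GitHub being used as C2 or exfiltration channels.

Added example for this article. The log format, the hostnames, the
expected-user baseline, the threshold and the sample lines below are all
constructed assumptions; only the service hostnames in WATCHED are real.
"""
import re
from collections import defaultdict

# Legitimate-service endpoints worth watching (real hostnames).
WATCHED = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "api.github.com": "github",
    "raw.githubusercontent.com": "github",
}

# Assumed baseline: hosts where traffic to each service is expected.
EXPECTED_USERS = {
    "dropbox": {"ws-sales-02"},   # has the Dropbox desktop client installed
    "github": {"dev-build-01"},   # CI runner that pulls from GitHub
}

# Assumed user-agent prefix of the official Dropbox desktop client; API
# uploads from scripted clients are the interesting ones.
DROPBOX_CLIENT_UA = re.compile(r"^Dropbox-Desktop/")

# Assumed per-host, per-service outbound byte budget before we alert.
UPLOAD_THRESHOLD = 5_000_000

# Constructed proxy log format: ts host user method dst path bytes_out "ua"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<dst>\S+) (?P<path>\S+) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOGS = [
    '2021-07-16T02:11:04Z ws-sales-02 jdoe POST content.dropboxapi.com /2/files/upload 120000 "Dropbox-Desktop/125.4.4663"',
    '2021-07-16T02:13:40Z srv-fileshare-01 SYSTEM POST content.dropboxapi.com /2/files/upload 4200000 "python-requests/2.25.1"',
    '2021-07-16T02:14:02Z srv-fileshare-01 SYSTEM POST content.dropboxapi.com /2/files/upload 3900000 "python-requests/2.25.1"',
    '2021-07-16T02:20:15Z dev-build-01 ci GET raw.githubusercontent.com /acme/build-scripts/main/setup.sh 512 "curl/7.68.0"',
    '2021-07-16T02:22:51Z ws-hr-07 mlee GET raw.githubusercontent.com /someuser/assets/main/logo.png 2048 "Mozilla/5.0"',
    '2021-07-16T02:30:00Z ws-hr-07 mlee GET www.example.com / 300 "Mozilla/5.0"',
]


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return (alerts, bytes_out_by_host_service).

    Each alert is (host, service, reason, path). Per-request checks fire on
    unexpected hosts and on Dropbox uploads without the desktop client UA;
    a volume check fires once per (host, service) over the threshold.
    """
    alerts = []
    out_bytes = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        svc = WATCHED.get(rec["dst"])
        if svc is None:
            continue  # not a watched service
        out_bytes[(rec["host"], svc)] += int(rec["bytes_out"])
        if rec["host"] not in EXPECTED_USERS[svc]:
            alerts.append((rec["host"], svc, "unexpected host", rec["path"]))
        if (svc == "dropbox" and rec["method"] == "POST"
                and not DROPBOX_CLIENT_UA.match(rec["ua"])):
            alerts.append((rec["host"], svc,
                           "API upload without desktop client UA", rec["path"]))
    for (host, svc), total in out_bytes.items():
        if total > UPLOAD_THRESHOLD:
            alerts.append((host, svc, f"{total} bytes out exceeds threshold", ""))
    return alerts, dict(out_bytes)


def flagged_hosts(alerts):
    """Distinct hosts that raised at least one alert, sorted."""
    return sorted({a[0] for a in alerts})


if __name__ == "__main__":
    found, totals = hunt(SAMPLE_LOGS)
    for host, svc, reason, path in found:
        print(f"{host:18} {svc:8} {reason:45} {path}")
    print("flagged:", flagged_hosts(found))
```

The baseline is the part that matters: Dropbox and GitHub traffic is normal on some hosts and anomalous on a file server, so the same request is benign or suspicious depending on where it originates. In a real environment the expected-user sets would be built from weeks of observed traffic rather than hand-written, and the user-agent check would be one signal among several, since a scripted client can set any string it likes.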

All four defendants have been charged with one count of conspiracy to commit computer fraud, which carries a maximum of five years in prison, and one count of conspiracy to commit economic espionage, which carries a maximum of 15 years. Combined, the two charges carry a maximum sentence of 20 years in prison.

Acting US Attorney Randy Grossman tied the indictment to the larger announcements that came out on Monday, in which the US, the EU, NATO and other allies jointly accused China of a widespread hacking campaign, including the earlier attacks on Microsoft Exchange Server.

Grossman said the indictment "demonstrates how China's government made a deliberate choice to cheat and steal instead of innovate," while also claiming the actions threaten the US economy and national security.

The FBI and CISA also released a Joint Cybersecurity Advisory on APT40 to help organizations defend against the tactics, techniques and procedures attributed to the group. The advisory contains "technical details, indicators of compromise, and mitigation measures."

"The charges outlined today demonstrate China's continued, persistent computer intrusion efforts, which will not be tolerated here or abroad," said Special Agent in Charge Suzanne Turner of the FBI's San Diego Field Office. 

"We stand steadfast with our law enforcement partners in the United States and around the world and will continue to hold accountable those who commit economic espionage and theft of intellectual property."
