The city of Wuhan, China, where an alleged front company for the Ministry of State Security is based. Image: Chris Benjamin via Unsplash

US sanctions alleged Chinese state hackers for attacks on critical infrastructure

The U.S. sanctioned a Wuhan-based company believed to be a front for China’s Ministry of State Security on Monday following dozens of attacks on critical infrastructure. 

The Justice and Treasury Departments accused Wuhan Xiaoruizhi Science and Technology Company of being a cover for APT31 — a notorious China-based hacking group known for previously targeting “a wide range of high-ranking U.S. government officials and their advisors” including staff at the White House, members of Congress from both parties and several U.S. departments.

The Treasury Department said attacks by APT31 have also involved a Texas energy company, a California managed service provider and several aerospace contractors with the U.S. military in Alabama and Tennessee. 

The sanctions include two Chinese nationals — Zhao Guangzong and Ni Gaobin, both 38 — who are accused of working for the company and launching attacks against U.S. critical infrastructure. 

Alongside the sanctions, the Justice Department unsealed indictments of Zhao, Ni and five others for their work within APT31. 

Deputy Attorney General Lisa Monaco said the group’s campaign involved more than 10,000 malicious emails that impacted thousands of victims across multiple continents. 

“As alleged in today’s indictment, this prolific global hacking operation — backed by the PRC government — targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” Monaco said.

The State Department added the seven to the Rewards for Justice program, offering money for any information on their whereabouts. They are all believed to be in China. 

The investigation into the company was led by the Justice Department, FBI and the government of the United Kingdom. On Monday, Britain also announced sanctions against the company, Zhao and Ni, for targeting British parliamentarians. 

APT31 schemes

APT31 is a notorious collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conducts malicious cyber operations on behalf of the Hubei State Security Department (HSSD), the Justice Department said.

The group has a long history of high-profile attacks on governments around the world and was accused of working with another Chinese APT group to launch the headline-grabbing Microsoft Exchange attacks.

Zhao and Ni are specifically accused of being behind the 2020 spearphishing operations targeting the United States Naval Academy and the United States Naval War College’s China Maritime Studies Institute, as well as other attacks on Hong Kong-based legislators and democracy advocates.

HSSD allegedly created Wuhan Xiaoruizhi Science and Technology Company in 2010 as a front for operations involving the “surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance,” according to the Justice Department.

The group was successful in breaching victim networks, email accounts, cloud storage platforms and telephone call records — in some cases harnessing the ability to surveil compromised email accounts for years. 

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists, and academics; valuable information from American companies; and political dissidents in America and abroad,” said U.S. Attorney Breon Peace. 

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The Justice Department explained that the hackers typically pretended to send emails on behalf of prominent news outlets or journalists, allowing them to attach tracking tools to links to legitimate news articles. 

Just by opening the email, the hackers were able to get information about where the recipient was located, their IP address, the devices they used and more. With that information, the hackers could conduct more targeted attacks on specific people, often compromising a victim’s home router or other devices. 
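The two tricks described above, a remote "open" image that reports back as soon as the message renders and a link whose visible text shows a legitimate news site while the href goes through a tracking host, both leave fingerprints in the HTML body that a mail gateway or analyst can check for. The following scanner is an added example and not part of the article or any court filing; the sample message and its hostnames (the `.test` domains) are constructed, and the thresholds (a 1x1 or 0-sized remote image counts as a pixel) are this example's own assumptions.

```python
"""Flag tracking pixels and disguised links in an HTML email body.

Added example (not from the article). The sample message below is
constructed; the .test hostnames are placeholders, not real trackers.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a "news alert" whose link text shows the real news
# site, while the href and a 1x1 image both point at a tracking host.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear reader, here is the story you asked about:</p>
<p><a href="https://news-alerts.example-tracker.test/r?id=7f3a&amp;u=https://www.example-news.test/story/42">https://www.example-news.test/story/42</a></p>
<img src="https://news-alerts.example-tracker.test/open.gif?id=7f3a" width="1" height="1">
<img src="cid:logo123" width="120" height="40">
<p><a href="https://www.example-news.test/about">About us</a></p>
</body></html>"""


def _host(url):
    """Lower-cased hostname of a URL, or "" for cid:/mailto:/relative refs."""
    return (urlparse(url).hostname or "").lower()


def _embedded_url(href):
    """Return an http(s) URL carried in the query string (redirect-style link), else None."""
    for values in parse_qs(urlparse(href).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value
    return None


class _TrackerScanner(HTMLParser):
    """Collects findings while walking the tags of one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            # Only remote images phone home; inline cid: attachments do not.
            if src.startswith(("http://", "https://")):
                tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                self.findings.append({
                    "kind": "tracking_pixel" if tiny else "remote_image",
                    "host": _host(src), "url": src,
                })
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        shown_host = _host(shown) if shown.startswith(("http://", "https://")) else ""
        href_host = _host(self._href)
        target = _embedded_url(self._href)
        # Flag when the displayed URL's host differs from the real href host,
        # or when the href is a redirector carrying the final destination.
        if target or (shown_host and shown_host != href_host):
            self.findings.append({
                "kind": "tracked_link", "host": href_host, "url": self._href,
                "shown": shown, "final_target": target,
            })
        self._href = None


def scan_email_html(html):
    """Return a list of finding dicts for one HTML email body."""
    scanner = _TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def tracker_hosts(findings):
    """Distinct hosts that would learn the recipient opened or clicked."""
    return sorted({f["host"] for f in findings
                   if f["kind"] in ("tracking_pixel", "tracked_link")})


if __name__ == "__main__":
    results = scan_email_html(SAMPLE_EMAIL_HTML)
    for f in results:
        print(f["kind"], f["host"], f.get("final_target") or "")
    print("tracker hosts:", tracker_hosts(results))
```

A gateway that blocks remote image loading by default and rewrites or strips links whose href host is not the displayed host removes most of what the first, reconnaissance email can learn; the scanner above is the check that tells you which messages would have leaked, and which hosts to look for in proxy and DNS logs.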

In one specific campaign outlined in the indictment, the hackers allegedly targeted people who are part of the Inter-Parliamentary Alliance on China (IPAC), a group of international parliamentarians from democratic countries focused on relations with China.

“The targets included every European Union member of IPAC, and 43 United Kingdom parliamentary accounts, most of whom were members of IPAC or had been outspoken on topics relating to the PRC government,” the Justice Department said. 

APT31 also targeted dozens of people working in the White House and in the Departments of Justice, State, Treasury and Commerce — going after both work and private email accounts. In some cases the hackers targeted the spouses of high-ranking White House officials and multiple U.S. Senators. 

They attempted to hack campaign staff members working for both Democrats and Republicans ahead of the 2020 election as well, according to the indictment.

The indictment lists dozens of other cyberattacks by APT31 aimed at breaching multiple managed service providers, a 5G equipment provider and other companies. 

The group also made a point of going after activists involved in Hong Kong’s Umbrella Movement who were nominated for a Nobel Peace Prize in 2018. Alongside those attacks were others aimed at the government of Norway and technology companies in the country. 

Attorney General Merrick Garland said the Justice Department “will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses.”

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies,” he added. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.