Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

US Indicts Accused APT31 Chinese Hackers for Hire

Prosecutors Say China Set Up a Wuhan Front Company for Geopolitical Hacks
US Indicts Accused APT31 Chinese Hackers for Hire
A view of the Yellow Crane Tower in Wuhan, China (Image: Shutterstock)

U.S. federal prosecutors indicted seven Chinese nationals they accuse of hacking for a Beijing economic and intelligence espionage group whose operations reacted to geopolitical trends.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The seven suspects allegedly served as contractors for a front company set up by a provincial government arm of the Ministry of State Security, China's civilian intelligence agency, shows a redacted indictment. The Hubei State Security Department set up Wuhan Xiaoruizhi Science & Technology in the city of Wuhan in 2010. The threat actor, known as APT31 and Violet Typhoon, also contracted with another company, Wuhan Liuhe Tiangong Science & Technology. Its owner, Sun Xiaohui, is one of the seven men indicted in the Eastern District of New York.

The U.S. Department of the Treasury on Monday sanctioned Wuhan Xiaoruizhi Science & Technology and two contractors, Zhao Guangzong and Ni Gaobin.

The United States has had a strategy since 2014 of indicting Chinese hackers despite the high probability that none of the accused individuals will see the inside of an American courthouse. Officials initially thought the indictments, replete with names and details of the hacking methodology, would pressure China into tamping down malicious cyber activity, but that doesn't seem to have materialized. The strategy has come under criticism for ineffectiveness and for emboldening Chinese hacking, since the indictments appear to have little concrete effect.

Other cyber analysts have defended the strategy, arguing the indictments cause Chinese hackers to retool and reorganize, slowing down their tempo of operations. The indictments also may act as building blocks in an effort to convince the private sector and allied countries of the seriousness of the Chinese threat while creating a basis for "defend forward" operations.

"This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies," said Attorney General Merrick Garland.

The indictment accuses APT31 of harvesting technical details from targets through thousands of tracking emails, apparently from prominent American journalists, that contain malicious links that extract data such as network schematics and end user devices. "The conspirators used this method to enable more direct and sophisticated targeting of recipients' home routers and other electronic devices, including those of high-ranking U.S. government officials and politicians and election campaign staff from both major U.S. political parties," the indictment states.

Since at least 2017, the group's activities have responded to geopolitical events, such as then-President Donald Trump's March 2018 imposition of tariffs on imported steel. Within hours of the announcement, APT31 registered a web domain impersonating an international steel trade association that hackers used to communicate with malware installed on the network of an unidentified American steel company.

After the Department of State in July 2020 rejected Chinese territorial claims in the South China Sea, APT31 hackers used an Estonian-based email account to send malicious emails to military and think tank officials focused on the Asia-Pacific region. The emails contained a malware dropper.

APT31 also conducted "widescale hacking activities" targeting activists associated with pro-democracy protests in Hong Kong during 2019, including Hong Kong lawmakers. They hacked a Norwegian multinational IT services provider and the Oslo government after U.S. lawmakers in 2018 nominated Hong Kong activists for that year's Nobel Peace Prize.

"Actors like APT31 turn to political organizations to find the geopolitical intelligence that they're tasked with collecting," said John Hultquist, chief analyst at Mandiant Intelligence. "Politicians, parties and elections organizations are rich sources of intelligence that offer collectors everything from rare geopolitical insights to enormous troves of data." Unlike with Russian state hacking operations, the information stolen by Chinese state actors "is not necessarily destined to be used in active interference," Hultquist added.

The Department of Justice in a statement said the indictment "does not allege that the hacking furthered any Chinese government influence operations against the U.S." But it also warned that Beijing may attempt to influence American elections this year, whether to sideline China critics or magnify U.S. societal divisions.

The threat group, unlike Volt Typhoon - another Chinese hacking group recently in the spotlight of U.S. "name and shame efforts" - uses malware. The indictment lists Rawdoor, Trochilus, EvilOSX and DropDoor/DropCat as the group's tools. APT31 has also used a cracked version of Cobalt Strike Beacon.

APT31's hacking activities have included exploitation of a zero-day vulnerability. Prosecutors say the group used one during late 2016 to penetrate a defense contractor and built on the initial access through an SQL injection attack to create a new account on the network of a subsidiary of the contractor.

Managed service providers have been a favorite target. The indictment says APT31 targeted seven of them from 2017 through 2019 as a way of gaining access to customers' data.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.