US indicts 12 Chinese nationals for vast espionage attack spree

The Justice Department on Wednesday indicted 12 Chinese nationals for their alleged involvement in an extensive nation-state-backed espionage campaign that included a spree of attacks on U.S. federal and state agencies, including the late 2024 attack targeting the Treasury Department.
Officials accused the Chinese individuals, including two officers of China’s Ministry of Public Security, eight i-Soon employees and two members of the Chinese state-backed threat group APT27 or Silk Typhoon, of breaching numerous networks globally to steal and sell data to China’s intelligence and security services. Some of the alleged attacks date back to 2011, officials said.
The indictments reveal China’s alleged well-coordinated effort to use a hacker-for-hire ecosystem to conduct espionage while obscuring the government’s direct involvement. The pool of victims impacted by the alleged co-conspirators is immense, including U.S.-based critics and dissidents of China, a large U.S.-based religious organization and foreign ministries of multiple governments in Asia.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed,” Sue J. Bai, head of the Justice Department’s National Security Division, said in a statement.
China’s Ministries of Public Security and State Security assembled a broad network of private companies and contractors to hack numerous email accounts, cellphones, servers and websites, prosecutors allege in an indictment unsealed in the U.S. District Court for the Southern District of New York.
One of those companies, Anxun Information Technology Co. Ltd., also known as i-Soon, generated tens of millions of dollars selling stolen data to at least 43 bureaus of China’s Ministries of Public Security and State Security between 2016 and 2023, according to the indictment.
i-Soon’s alleged victims include the U.S. Defense Intelligence Agency, the U.S. Department of Commerce and International Trade Administration, two New York-based newspapers, a U.S. government-funded news service, and the New York State Assembly, among others.
The company and its employees are accused of conducting attacks at the request of China’s government and also of targeting victims speculatively on their own initiative. i-Soon allegedly charged China’s intelligence and security services $10,000 to $75,000 for each email inbox it broke into.
“Today’s announcements reveal that the Chinese Ministry of Public Security has been paying hackers-for-hire to inflict digital harm on Americans who criticize the Chinese Communist Party,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement. “To those who choose to aid the CCP in its unlawful cyber activities, these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”
The officers of China’s Ministry of Public Security and i-Soon staffers indicted by federal prosecutors include: Wang Liyu, Sheng Jing, Wu Haibo, Chen Cheng, Wang Zhe, Liang Guodong, Ma Li, Wang Yan, Xu Liang and Zhou Weiwei. The defendants remain at large and are wanted by the FBI.
Concurrently, the State Department announced a reward of up to $10 million for information leading to the identification or location of any person participating in malicious cyber activities against U.S. critical infrastructure at the direction or under the control of a foreign government.
The U.S. Attorney’s Office for the District of Columbia also unsealed indictments Wednesday charging APT27 members Yin Kecheng and Zhou Shuai with participating in an attack spree targeting U.S.-based victims from 2011 to as recently as late 2024. The State Department announced rewards of up to $2 million each for information leading to the arrest or conviction of Yin and Zhou.
The Treasury Department announced sanctions against Zhou Shuai and his company, Shanghai Heiying Information Technology Co. Ltd. Yin and Sichuan Juxinhe Network Technology Co. Ltd. were previously sanctioned for their alleged direct involvement in the Salt Typhoon attacks on U.S. telecom networks and the recent attack on the Treasury Department.
The Justice Department said domains linked to Yin and a virtual private server linked to Zhou Shuai were seized as part of its ongoing investigation.
“The defendants in these cases have been hacking for the Chinese government for years, and these indictments lay out the strong evidence showing their criminal wrongdoing,” U.S. Attorney Edward R. Martin Jr. said in a statement. “We, again, demand that the Chinese government put a stop to these brazen cybercriminals who are targeting victims across the globe and then monetizing the data they have stolen by selling it across China.”