The U.S. Department of Justice (DoJ) on Wednesday charged 12 Chinese nationals for allegedly engaging in extensive cyber espionage operations on behalf of Chinaโs Ministry of Public Security (MPS) and Ministry of State Security (MSS), for targeting over 100 U.S. organizations, including the Department of the Treasury.
The suspects include two MPS officers, eight employees of an ostensibly private Peopleโs Republic of Chinaโsย (PRC) company, Anxun Information Technology Co. Ltd. (??????????) also known as โi-Soon,โ and two members of the cyber espionage group Advanced Persistent Threat 27 (APT27), also known as Silk Typhoon.
The accused individuals include high-ranking officials such as Wu Haibo (CEO of i-Soon), Chen Cheng (COO of i-Soon), Wang Liyu and Sheng Jing (MPS officers), and prominent APT27 hackers like Yin Kecheng (aka “YKC”) and Zhou Shuai (aka “Coldface”).
According to the DoJ, these threat actors conducted cyber intrusions at the direction of the Chinese government and, at times, on their own accord.
Their operations involved stealing sensitive data, targeting critics and dissidents of the Chinese Communist Party (CCP), and suppressing free speech on a global scale.
“These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security (MSS) and on their own initiative.
The MPS and MSS paid handsomely for stolen data,” the DoJย said in a press release on Wednesday.
โVictims include U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury (Treasury) in late 2024.โ
Chinaโs State-Backed Hacking Network
According to court documents, the MPS and MSS used i-Soon and other private companies as a front to conduct large-scale hacking operations to hack and steal information.
By employing these hackers-for-hire, the PRC government obscured its direct involvement and allowed them to profit by committing additional computer intrusions worldwide.
The indictment alleges that i-Soon, under Wu’s leadership, generated tens of millions of dollars in revenue as a key player in the PRCโs hacker-for-hire ecosystem by hacking email accounts, cell phones, servers, and websites of various organizations from at least 2016 through 2023.
In other instances, i-Soon allegedly acted independently, selling stolen data to at least 43 different bureaus of the MSS or MPS across 31 provinces and municipalities in China.
The company purportedly charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully exploited.
In a separate indictment, a federal court accused APT27 hackers, Yin Kecheng and Zhou Shuai, of participating in sophisticated hacking conspiracies since 2011.
They allegedly breached U.S. companies, municipalities, and organizations for profit computer intrusion campaigns, maintaining persistent access via the PlugX malware and selling stolen data to customers with connections to the PRC government and military.
Monetary Rewards and Seizures
As part of the crackdown, the DoJ has seized four domains linked to i-Soon and APT27:
ecoatmosphere.org
newyorker.cloud
heidrickjobs.com
maddmail.site
The U.S. Department of State’s Rewards for Justice (RFJ) program has announced a reward of up to $10 million for information leading to identifying or locating any person involved in malicious cyber activities against U.S. critical infrastructure on behalf of a foreign government.
Additionally, a $2 million reward has been offered for information leading to Shuai and Kecheng’s arrests and/or convictions.
Conclusion
While the Chinese government has denied these allegations, dismissing them as hypocritical, the charges against these 12 individuals highlight the U.S. governmentโs efforts to disrupt and deter cyber espionage activities linked to the PRC, and hold foreign cybercriminals accountable.
“The charges announced today expose the PRC’s continued attempts to spy on and silence anyone it deems threatening to the Chinese Communist Party,” said Acting Assistant Director Leslie R. Backschies while summing up the case.
