US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

“The contractors and companies will hack more or less speculatively, motivated by profit to cast a wide net,” the DOJ official says. China, the official says, “is fostering reckless and indiscriminate targeting of vulnerable computers worldwide, even if it doesn’t task or obtain the fruits of those hacks. This leads to a less secure and more vulnerable environment.”

Shanghai-based firm i-Soon, a contractor to China’s Ministry of State Security (MSS) and Ministry of Public Security (MPS) that the DOJ says employed eight of the alleged hackers, charged its Chinese government customers in some cases based on how many email inboxes it was able to breach, earning between $10,000 and $75,000 per inbox, according to prosecutors. The company, which has over 100 employees, earned tens of millions of dollars in revenue in some years, and its executives projected it would have revenue of about $75 million by 2025, according to the indictment. Prosecutors also note that the company worked with 43 different bureaus of the MSS and MPS across 31 provinces of China, which operated independently and often purchased the same products from i-Soon.

i-Soon, whose alleged hacker-for-hire operations were previously revealed in a leak of its internal documents and communications last year, offered its clients a “zero-day vulnerability arsenal” of unpatched, exploitable flaws, according to the indictment. It also allegedly sold password-cracking tools and euphemistically named “penetration testing” products that, prosecutors say, were in fact intended for use against unwitting victims. Those products allegedly included targeted phishing tool kits as well as tools for embedding malware in file attachments.

The company also allegedly carried out its own targeting of victims, which the DOJ says included specific media outlets, dissidents, religious leaders, and researchers who had been critical of the Chinese government, as well as the New York State Assembly, one of whose representatives had received an email from members of an unnamed religious group that is banned in China.

Yin Kecheng and Zhou Shuai, both alleged associates of the group tracked as APT27 or Silk Typhoon, are accused of hacking a wide variety of defense contractors, think tanks, a law firm, a managed communications service provider, and other victims. In December, remote-support software vendor BeyondTrust alerted the US Treasury that the department had been breached through an intrusion into BeyondTrust’s own systems, an operation later attributed to Silk Typhoon. In conjunction with the Justice Department’s charges today, Microsoft also released a guide to Silk Typhoon’s operating techniques, highlighting how the group compromises IT supply-chain providers to reach their downstream customers.

In Yin’s communications with a colleague included in the indictment against him, the colleague suggests that rather than go after large victim organizations directly, they target their subsidiaries, noting that “they are the same and easier to attack.” Yin responds, agreeing that strategy is “correct.”

All 12 of the Chinese nationals charged in the indictments remain at large and, in all likelihood, will never see the inside of a US courtroom. But the State Department announced rewards of between $2 million and $10 million each for information leading to their arrest.

“To those who choose to aid the CCP in its unlawful cyber activities,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, writes in a statement, using the term CCP to refer to the Chinese Communist Party, “these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”
