“The scope and sophistication of the crimes alleged in these three indictments … are really unprecedented,” Michael Sherwin, the acting U.S. attorney for the District of Columbia, said at a press conference.
Two of the defendants, Zhang Haoran and Tan Dailin, allegedly began hacking video game companies in November 2014 and modifying game systems to fill up their accounts with digital goods. They also targeted “high-technology and similar organizations” in the U.S. and other countries.
The other three hackers, Jiang Lizhi, Qian Chuan and Fu Qiang, allegedly conducted a much broader campaign of intrusions into businesses, universities and human rights groups through their firm Chengdu 404. Their “sprawling array” of intrusions, which began in May 2014, included breaches of nongovernmental organizations and hospitality, technology and telecom companies.
Jiang and Qian allegedly participated in hacking activities that researchers have attributed to a group known as APT41 and “Wicked Panda.”
To accompany the charges, the FBI issued an alert to its private-sector partners with details about APT41’s techniques and capabilities.
Wednesday’s announcement reflects what U.S. officials say is China’s unmatched campaign of digital espionage against the U.S., from ravenous intellectual property theft to mass breaches of sensitive personal data for counterintelligence purposes.
Prosecutors did not allege that the Chinese government directed any of the cyberattacks described in the new indictments. But Jiang allegedly bragged that he was “very close” with China’s Ministry of State Security, and at one point, according to an indictment, he suggested that a fellow hacker not target Chinese infrastructure lest the authorities finally crack down on them.
Jiang and his colleague “agreed that Jiang’s working relationship with the Ministry of State Security provided Jiang protection,” according to the indictment.
Prosecutors also pointed to the hackers’ alleged targeting of human rights groups and other familiar adversaries of the Chinese government. Sherwin said those victims would not be of interest to “people that were hacking for profit.”
Deputy Attorney General Jeffrey Rosen called those details “a breadcrumb that shows that these individuals … also were proxies … for the Chinese government.”
Beijing, like other major cyber powers, has increasingly turned to criminal hacker groups to further its objectives in what law enforcement officials call a “blended threat.” These government-directed but privately conducted operations are designed to give the regime plausible deniability while still letting the security services control the process.
Rosen criticized the Chinese government for refusing to cooperate with U.S. investigations.
“No country can be respected as a global leader while paying only lip service to the rule of law and without taking steps to disrupt brazen criminal acts like these,” Rosen said.
It is reasonable to conclude, he said, that “the Chinese Government has made a deliberate choice to allow its citizens to commit computer intrusions and attacks around the world because these actors will also help the PRC.”
In addition to the two indictments covering the hackers, a federal grand jury in Washington also indicted two Malaysian businessmen, Wong Ong Hua and Ling Yang Ching, who allegedly worked with Zhang and Tan, the video game hackers, and profited from the digital goods they stole.
According to prosecutors, Wong and Ling used their online marketplace Sea Gamer Mall to sell video game accounts that Zhang and Tan had loaded up with in-game items and currency by hacking into the game-makers’ systems.
Malaysian authorities arrested both men on Monday.
The indictments describe a series of cyberattacks that combined low-effort, garden-variety hacking with sophisticated intrusion techniques capable of felling even well-prepared victims.
On the rudimentary end of the spectrum, the hackers allegedly peppered targets with spearphishing emails designed to trick recipients into handing over their account credentials. They also used malware designed to exploit vulnerabilities that had been known and patchable for a significant amount of time. On Monday, CISA and the FBI warned companies to patch these kinds of flaws because Chinese government hackers frequently exploited them.
On the other hand, the defendants also allegedly hacked into businesses that provide services to other companies and planted malicious code in these businesses’ software. When the victims’ clients updated their software, the infected code opened the door for the hackers, and the clients became victims themselves. This type of supply-chain attack, while sometimes detectable, is harder to prevent.
Around the middle of 2015, Jiang, Qian and Fu allegedly hacked a European software provider and planted malware that gave them access to several of the company’s clients, including a U.S. manufacturer and a U.S. medical provider.
Zhang and Tan used a supply-chain attack in November 2018 to compromise a video game company that installed software from a hacked provider, according to an indictment.
Zhang and Tan’s victims allegedly included gaming companies in the U.S., France, South Korea, Japan and Singapore. Using their access to these companies’ networks, the hackers were able to monitor and circumvent the companies’ fraud-detection efforts and even sabotage other criminal hackers who were lurking on the servers.
In February 2018, according to an indictment, the two men discussed potentially traveling abroad to open a bank account to store the proceeds from their gaming-related hacks. One of the men “expressed fear that ‘the Americans are after me’ and that the Americans ‘have stuff on us.’”
Jiang, Qian and Fu, meanwhile, did not simply steal proprietary business data from their victims. According to prosecutors, they also used their access to companies’ networks to mine cryptocurrency and deploy ransomware.
In March, the men allegedly conducted a ransomware attack on a global NGO that focused on alleviating poverty. Two months later, according to the indictment, they froze the computer network of a Taiwanese energy company, crippling some of its operations, and demanded a ransom payment.
In unraveling the alleged hackers’ activities, investigators worked closely with threat intelligence researchers at Microsoft, Google, Facebook and Verizon. Working with these companies, authorities seized accounts, malware and infrastructure belonging to the defendants.
“The Department of Justice,” Rosen said, “will do everything it can to disrupt these crimes.”