US charges Chinese hackers linked to critical infrastructure breaches
The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
Their victim list includes US federal and state government agencies, foreign ministries of multiple governments in Asia, U.S.-based dissidents, as well as a prominent religious organization in the United States.
"These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative. The MPS and MSS paid handsomely for stolen data," the Justice Department said today.
Today, the DOJ charged two MPS officers and eight employees of Anxun Information Technology (also known as i-Soon) with involvement in these attacks and seized the domain used by i-Soon to advertise its hacker-for-hire services.
The State Department is also offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for information that could help locate or identify the following defendants:
- Wu Haibo (吴海波), Chief Executive Officer
- Chen Cheng (陈诚), Chief Operating Officer
- Wang Zhe (王哲), Sales Director
- Liang Guodong (梁国栋), Technical Staff
- Ma Li (马丽), Technical Staff
- Wang Yan (王堰), Technical Staff
- Xu Liang (徐梁), Technical Staff
- Zhou Weiwei (周伟伟), Technical Staff
- Wang Liyu (王立宇), MPS Officer
- Sheng Jing (盛晶), MPS Officer
Indictments unsealed today reveal that i-Soon hackers conducted computer intrusions at the MSS's request. They also independently hacked targets and attempted to sell stolen data to at least 43 MSS or MPS bureaus across 31 Chinese provinces and municipalities.
i-Soon charged the MSS and MPS between $10,000 and $75,000 for every compromised email inbox and also trained MPS employees.

China-based hackers Yin Kecheng (aka YKCAI) and Zhou Shuai (aka Coldface), linked to the state-backed APT27 hacking group, were also charged today for their involvement in this global hacking campaign.
While they're both still at large, the Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned them, while the State Department announced rewards of up to $2 million for information leading to their arrests and convictions.
"As alleged in court documents, between August 2013 and December 2024, Yin, Zhou, and their co-conspirators exploited vulnerabilities in victim networks, conducted reconnaissance once inside those networks, and installed malware, such as PlugX malware, that provided persistent access," the DOJ said on Wednesday.
"The defendants and their co-conspirators then identified and stole data from the compromised networks by exfiltrating it to servers under their control. Next, they brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military.
"Between them, Yin and Zhou sought to profit from the hacking of numerous U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, health care systems, and universities, leaving behind them a wake of millions of dollars in damages."
Today's indictments and sanctions are part of a broader effort to combat cyberattacks coordinated by Chinese cybercriminals and state-sponsored hackers.
In December, OFAC sanctioned Sichuan Silence and one of its employees for involvement in Ragnarok ransomware attacks targeting US critical infrastructure.
One month later, it also targeted Chinese cybersecurity company Integrity Tech for its involvement in cyberattacks linked to the Chinese state-sponsored Flax Typhoon hacking group and sanctioned Yin Kecheng for his role in last year's breach of the Treasury Department's network.
source: BleepingComputer