The United States has sanctioned China-based hackers for allegedly targeting U.S. critical infrastructure, the Treasury Department announced Monday.
The U.S., along with the United Kingdom, sanctioned some representatives of Wuhan Xiaoruizhi Science and Technology Company Ltd. (Wuhan XRZ), a Wuhan, China-based Ministry of State Security (MSS) front company that the Treasury Department alleges has served as cover for multiple malicious cyber operations.
Wuhan XRZ and its contractors were behind some of the most malicious cyber operations, including the 2020 spear phishing operation against the U.S. Naval Academy and the U.S. Naval War College’s China Maritime Studies Institute, according to the Treasury Department.
National security leaders have consistently warned that Chinese state-affiliated actors were carrying out cyber operations in the U.S.
In addition to the sanctions, the Justice Department on Monday indicted Zhao Guangzong, Ni Gaobin and five other defendants on charges stemming from their alleged involvement in Wuhan XRZ.
“The Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses,” Attorney General Merrick Garland said in a statement. “This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies.”
Over the course of three presidential administrations, Ni Gaobin, 38; Weng Ming, 37; Cheng Feng, 34; Peng Yaowen, 38; Sun Xiaohui, 38; Xiong Wang, 35; and Zhao Guangzong, 38, are alleged to have targeted U.S. government officials on behalf of the shell company Wuhan XRZ, including individuals working in the White House and at the departments of Justice, Commerce, Treasury and State, as well as U.S. senators and representatives of both political parties, the Treasury Department said.
They are also alleged to have targeted U.S. critical infrastructure when there were perceived anti-China policies and when tensions between the U.S. and China were high, according to an indictment unsealed in New York.
“These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s [People’s Republic of China] state-sponsored apparatus to transfer U.S. technology to the PRC,” the indictment states.
The group, which was also known as APT 31, operated from at least 2010 up until this year, according to the Justice Department.
They were able to target politicians and other prominent U.S. officials by purportedly posing as journalists and embedding a “tracking link” in emails that purported to be examples of the work of the journalist they were pretending to be, according to court documents.
“If the recipient activated the tracking link by opening the email, information about the recipient, including the recipient’s location, IP addresses, network schematics and specific devices used to access the pertinent email accounts, was transmitted to a server controlled by the Conspirators,” the court document states. “The Conspirators used this method to enable more direct and sophisticated targeting of recipients’ home routers and other electronic devices, including those of high-ranking U.S. government officials and politicians and election campaign staff from both major U.S. political parties.”
In 2020, the group allegedly targeted a presidential campaign and in 2022 sent emails to officials in the Senate, State Department and Commerce Department, according to court documents.
Commerce Secretary Gina Raimondo had her emails targeted just before her visit to China last year.
The group also allegedly hacked into economic and defense companies using “sophisticated” means, according to the Justice Department. When there were tensions between the U.S. and China, they also allegedly carried out cyberattacks, according to the court documents.
“Since at least 2017, the Conspirators engaged in computer network intrusion activity in response to geopolitical events affecting the PRC, including economic tensions between the U.S. and the PRC, the Hong Kong democracy movement and a U.S. government statement regarding the PRC’s maritime claims in the South China Sea,” the court documents state.
In one example, the hackers allegedly targeted the Norwegian government after it awarded the Nobel Peace Prize to activists in the Hong Kong democracy movement. In another, the group allegedly targeted the U.S. Naval Academy and the U.S. Naval War College’s China Maritime Studies Institute after a top State Department official called China’s actions in the South China Sea in 2020 “completely unlawful,” according to the court documents.