Chinese Ministry of State Security Officials Charged by U.S. in Global Hacking Campaign

The charges come amid attribution by U.S. and Western allies of malicious Chinese cyber activity

By Samuel Rubenfeld

Monday, July 19, 2021

The U.S. Justice Department on Monday announced charges against four Chinese nationals for their roles in an alleged campaign to hack into the computer systems of dozens of companies, universities and government agencies in the U.S. and abroad.

Three of the individuals charged were officers of the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS), prosecutors said. They and HSSD set up a front company, the now-disbanded Hainan Xiandun Technology Development Co., Ltd., to obfuscate the government’s role in the hacking campaign, according to prosecutors. The fourth defendant was a computer hacker who, as part of his duties at Hainan Xiandun, created malware, hacked into computer systems and supervised other hackers, prosecutors said.

“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China,” said Acting U.S. Attorney Randy Grossman for the Southern District of California.

The MSS officers charged in the case coordinated with staff and professors at various universities in Hainan and elsewhere to further the conspiracy’s goals, including by identifying and recruiting hackers and linguists, prosecutors said. Personnel at one Hainan-based university also helped support and manage Hainan Xiandun, including through payroll, benefits and a mailing address, prosecutors said. 

The attacks cited in the case occurred between 2011 and 2018 and targeted victims across the world, including organizations in the aviation, defense, education, government, health care, biopharmaceutical and maritime sectors, according to prosecutors. The group’s activity had previously been identified by private sector security researchers, prosecutors noted, listing the many names researchers have given the group, including the moniker “APT 40.”

Alongside the charges, the U.S. released a cybersecurity advisory describing the tactics, techniques and procedures used by the hackers, to help network defenders detect and remediate the group’s activity.

The charges came alongside attribution on Monday by the U.S., European Union, U.K., Canada, the North Atlantic Treaty Organization (NATO) and others of malicious cyber activity by China, including espionage operations that exploited the Microsoft Exchange Server vulnerabilities disclosed in March. MSS-affiliated cyber operators compromised tens of thousands of computers and networks in that operation, according to a statement from the White House. It marked the first time NATO had condemned Chinese cyber activity, senior officials told reporters in a briefing.

“[China’s] unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the White House said.

Asked about the announcements on Monday, President Joe Biden said the Chinese government is not necessarily conducting the cyber operations itself, but rather is protecting those involved and potentially accommodating them, in a similar manner as Russia.

Monday’s announcement isn’t the first time the U.S. has charged Chinese hackers associated with the MSS, however. The MSS is responsible for China’s national intelligence and anti-espionage missions, and secures the country’s overseas interests, according to a report by Global Times, a state media outlet. The country’s hackers have become more aggressive since 2015, when China transferred control of its cyber operations from the People’s Liberation Army (PLA) to the MSS, Wired Magazine reported Monday. MSS regional departments recruit Chinese criminals to conduct offensive cyber operations for the state, according to Intrusion Truth, a group that has exposed Chinese cyber espionage operations, including APT 40.

Seven individuals were charged for their roles in computer intrusions in September 2020, including one who boasted of connections to the MSS. Months earlier, two Chinese nationals who worked with the Guangdong State Security Department (GSSD) of the MSS were charged over a hacking campaign that in some instances served their personal gain and in others benefited Chinese government agencies.

In December 2018, two Chinese hackers acting with the Tianjin State Security Bureau of the MSS were charged for engaging in hacking activities for more than a decade. They worked for a Chinese company called Huaying Haitai Science and Technology Development Company, prosecutors said; the firm was sanctioned in July 2020 by the EU, along with one of the defendants in the case.