The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.

The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).

The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.

Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China’s economic espionage and foreign intelligence objectives.

Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that’s believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).

Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a “sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts.”

As well as announcing a reward of up to $10 million for information that could lead to identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against the Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” stated U.S. Attorney Breon Peace.

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The sprawling hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that came with hidden tracking links that exfiltrated the victims’ location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts simply upon opening the messages.

This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients’ home routers and other electronic devices.

The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.

Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.

The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.

Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.

“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.

“In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance.”

“Chinese state-sponsored cyber espionage is not a new threat and the DoJ’s unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People’s Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning,” Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.

“The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world.”

The charges come after the U.K. government pointed fingers at APT31 for “malicious cyber campaigns” aimed at the country’s Electoral Commission and politicians. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.

The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.

China, however, has rejected the accusations, describing them as “completely fabricated” and amounting to “malicious slanders.” A spokesperson for the Chinese embassy in Washington D.C. told the BBC News the countries have “made groundless accusations.”

“The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Foreign Ministry Spokesperson Lin Jian said.

“We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”

Mar 12, 2024NewsroomCyber Espionage / Threat

Russia has detained a South Korean national for the first time on cyber espionage charges and transferred from Vladivostok to Moscow for further investigation.

The development was first reported by Russian news agency TASS.

“During the investigation of an espionage case, a South Korean citizen Baek Won-soon was identified and detained in Vladivostok, and put into custody under a court order,” an unnamed source was quoted as saying.

Won-soon has been accused of handing over classified “top secret” information to unnamed foreign intelligence agencies.

According to the agency, Won-soon was detained in Vladivostok earlier this year and shifted to Moscow late last month. He is said to be currently at the Lefortovo pretrial detention center. His arrest has been extended for another three months, until June 15, 2024.

The detention center is currently also the place where American journalist Evan Gershkovich is being held, awaiting trial on suspicion of espionage. Gershkovich has denied the charges.

The development comes amid burgeoning geopolitical ties between Russia and North Korea, even as state-sponsored hacking groups associated with the latter have targeted the Kremlin to pursue their strategic intelligence-gathering missions.

It also comes days after the U.S. arrested a former Google engineer for allegedly stealing proprietary information from the tech giant while covertly working for two China-based companies, including one founded by him last year prior to his resignation.

Mar 02, 2024NewsroomCybercrime / Social Engineering

The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities.

More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.

Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least in or about 2016 through or about April 2021.

“As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said U.S. Attorney Damian Williams for the Southern District of New York.

The spear-phishing campaigns were managed via a custom application that made it possible for Nasab and his co-conspirators to organize and deploy their attacks.

In one instance, the threat actors breached an administrator email account belonging to an unnamed defense contractor, subsequently leveraging the access to create rogue accounts and send out spear-phishing emails to employees of a different defense contractor and a consulting firm.

Outside of spear-phishing attacks, the conspirators have masqueraded as other people, typically women, to obtain the confidence of victims and deploy malware onto victim computers.

Nasab, while working for the front company, is believed to be responsible for procuring infrastructure utilized in the campaign by using the stolen identity of a real person in order to register a server and email accounts.

He has been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud, and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.

While Nasab remains at large, the U.S. State Department has announced monetary rewards of up to $10 million for information leading to the identification or location of Nasab.

Mahak Rayan Afraz (MRA) was first outed by Meta in July 2021 as a Tehran-based firm with ties to the Islamic Revolutionary Guard Corps (IRGC), Iran’s armed force charged with defending the country’s revolutionary regime.

The activity cluster, which also overlaps with Tortoiseshell, has been previously linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.

The development comes as German law enforcement announced the takedown of Crimemarket, a German-speaking illicit trading platform with over 180,000 users that specialized in the sale of narcotics, weapons, money laundering, and other criminal services.

Six people have been arrested in connection with the operation, counting a 23-year-old considered the main suspect, with authorities also seizing mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash.

Jan 08, 2024NewsroomFinancial Fraud / Cybercrime

The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud.

In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium, Germany, the Netherlands, Ukraine, and Europol.

Of the 19 defendants, three have been sentenced to 6.5 years in prison, eight have been awarded jail terms ranging from one year to five years, and one individual has been ordered to serve five years’ probation.

One among them includes Glib Oleksandr Ivanov-Tolpintsev, a Ukrainian national who was sentenced to four years in prison in May 2022 for selling compromised credentials on xDedic and making $82,648 in illegal profits.

Dariy Pankov, described by the DoJ as one of the highest sellers by volume, offered credentials of no less than 35,000 hacked servers located all over the world and obtaining more than $350,000 in illicit proceeds.

The servers were infiltrated using a custom tool named NLBrute that was capable of breaking into protected computers by decrypting login credentials.

Also of note is a Nigerian national named Allen Levinson, who was a “prolific buyer” with a particular interest in purchasing access to U.S.-based Certified Public Accounting firms in order to file bogus tax returns with the U.S. government.

Five others, who have been accused of a conspiracy to commit wire fraud, are pending sentencing.

Alongside these administrators and sellers, two buyers named Olufemi Odedeyi and Oluwaseyi Shodipe have been charged with conspiracy to commit wire fraud and aggravated identity theft. Shodipe has also been charged with making false claims and theft of government funds.

Both individuals are yet to be extradited from the U.K. If convicted, they each face a maximum penalty of 20 years in federal prison.

The marketplace, until its takedown in January 2019, allowed cybercriminals to buy or sell stolen credentials to more than 700,000 hacked computers and servers across the world and personally identifiable information of U.S. residents, such as dates of birth and Social Security numbers.

Alexandru Habasescu and Pavlo Kharmanskyi functioned as the marketplace’s administrators. Habasescu, from Moldova, was the lead developer, while Kharmanskyi, who lived in Ukraine, managed advertising, payments, and customer support to buyers.

“Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included tax fraud and ransomware attacks,” the DoJ said.

Targets of these attacks comprised government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.