INDIA NEWS (https://www.indiavpn.org)

U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation
https://www.indiavpn.org/2024/03/26/u-s-charges-7-chinese-nationals-in-major-14-year-cyber-espionage-operation/
Tue, 26 Mar 2024 12:42:36 +0000

The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.

The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).

The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.

Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China’s economic espionage and foreign intelligence objectives.

Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that’s believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).

Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a “sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts.”

As well as announcing a reward of up to $10 million for information that could lead to the identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” stated U.S. Attorney Breon Peace.

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The sprawling hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that came with hidden tracking links that exfiltrated the victims’ location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts simply upon opening the messages.

This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients’ home routers and other electronic devices.

The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.

Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.

The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.

Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.

“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.

“In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance.”

“Chinese state-sponsored cyber espionage is not a new threat and the DoJ’s unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People’s Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning,” Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.

“The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world.”

The charges come after the U.K. government pointed fingers at APT31 for “malicious cyber campaigns” aimed at the country’s Electoral Commission and politicians. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.

The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.

China, however, has rejected the accusations, describing them as “completely fabricated” and amounting to “malicious slanders.” A spokesperson for the Chinese embassy in Washington D.C. told BBC News that the countries have “made groundless accusations.”

“The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Foreign Ministry Spokesperson Lin Jian said.

“We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”

Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam
https://www.indiavpn.org/2023/12/25/four-u-s-nationals-charged-in-80-million-pig-butchering-crypto-scam/
Mon, 25 Dec 2023 09:00:19 +0000

Dec 18, 2023 | Newsroom | Cryptocurrency / Online Scam

Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams.

The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, of Rosemead, California; and Hailong Zhu, 40, of Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering.

The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities.

If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large.

“The overall fraud scheme in the related pig-butchering syndicate involved at least 284 transactions and resulted in more than $80 million in victim losses,” the DoJ said. “More than $20 million in victim funds were directly deposited into bank accounts associated with the defendants.”

The enforcement action comes as a Nigerian national named Eze Harrison Arinze was sentenced to three years in prison for his role in conducting pig butchering scams and defrauding 34 victims in 13 countries, leading to $592,000 in losses.

Late last month, the U.S. DoJ also announced the seizure of nearly $9 million worth of Tether that was traced to cryptocurrency addresses allegedly associated with a Southeast Asia-based organization that exploited over 70 victims through pig butchering scams.

Pig butchering falls under the category of so-called romance-investment scams, wherein people are targeted via dating apps under fictitious identities to gain their trust and dupe them into investing their money in seemingly legitimate and profitable ventures, typically promising high investment returns within a short span of time.

“After persuading the victim to invest, the scammers collect the funds, often using digital payment platforms or cryptocurrencies to make tracking more difficult,” Trend Micro said in a report detailing the scam.

“Once they have received a substantial sum from their victims, or once the victims try to withdraw funds from the account, the scammers will suddenly become unreachable, or the brokerage platform will have trouble transferring funds. Scammers could also delete their online presence or create new identities, making it difficult for victims to recover their lost funds.”

One of the emerging trends in the space involves the use of group chats, indicating that the cyber criminals are adapting and refining their strategies to make them more effective.

In these cases, prospective victims are added to a fake investment chat group under the scammers’ control. Should the target express interest in investing in cryptocurrencies, the conversation is moved to a one-to-one chat, where they are introduced to a bogus brokerage platform and persuaded to transfer their funds to the service.

According to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) report, cryptocurrency investment scams have led to unprecedented losses totaling $2.57 billion in 2022, registering a 183% increase from 2021.

“A significant portion of these phone numbers can be traced back to leaked databases containing personal information,” the cybersecurity firm said. “More than half of the numbers added to the fake group chats have been found in such databases, indicating that scammers could be using leaked information to find their next victims.”
