
U.S. accuses Chinese hackers of a 14-year campaign targeting government officials

The coordinated charges include sanctions on Chinese government-affiliated hackers and an up to $10 million reward for information about the defendants.

The Justice Department on Monday unsealed charges against seven hackers tied to Beijing, alleging they targeted U.S. government officials across multiple agencies and Congress on behalf of China’s Ministry of State Security over a 14-year period.

The individuals — Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang and Zhao Guangzong — are tied to APT31, a hacking group believed to be backed by the Chinese government’s MSS that’s carried out extensive hacking campaigns against foreign government targets and private companies around the world, according to the indictment.

Some of their hacking activities “resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years,” the Justice Department said in a statement.

Those targets included officials in the White House and the Departments of Justice, Commerce, Treasury and State, as well as congressional lawmakers from both sides of the political aisle, the U.S. claims. In some cases the hackers allegedly targeted spouses of high-ranking Justice Department and White House officials, alongside the spouses of several U.S. senators.

The operatives are also accused of trying to exploit Republican and Democratic campaign staff ahead of the 2020 presidential election. A joint DOJ and DHS analysis from 2021 shows the allegations are consistent with efforts to influence those election outcomes, DOJ argues, though it does not pin the hacking attempts directly on the defendants.

Across the Atlantic, the MSS-linked collective also carried out targeted cyberattacks against every member of the European Union’s Inter-Parliamentary Alliance on China, as well as 43 United Kingdom parliamentary accounts, the indictment alleged. Those allegations were made in coordination with British security officials.

Some 10,000 malicious emails were allegedly sent by the defendants on behalf of the APT31 group, containing tracking links disguised as communications from journalists and well-known news outlets. Once a victim opened one, the hackers gained access to the recipient's location, IP address, device details and other underlying data, which allowed them to carry out more sophisticated hacking attempts, including breaches of victims' home internet routers and other electronics, DOJ said.
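The tracking links described above work because mail clients fetch remote content and follow links with per-recipient identifiers, handing the sender the recipient's IP address and device fingerprint. The following is an added example, not code from the article, the indictment or any named party: a small Python checker that parses a message and flags remote images and links whose domain does not match the sender, which is the shape of beacon a mail gateway or analyst would want to surface. The sample message, the domains in it and the scoring heuristics are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): claims to come from a news
# outlet, but its "draft" link and a 1x1 image point at a different host
# and carry a per-recipient token in the query string.
SAMPLE_EML = """\
From: "Newsroom" <editor@example-news.test>
To: staffer@example.gov.test
Subject: Request for comment on your recent statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Staffer, please see our draft article before publication:</p>
<a href="https://cdn.tracker-example.test/r?id=7f3a9c&u=staffer">Read the draft</a>
<img src="https://cdn.tracker-example.test/p.gif?id=7f3a9c" width="1" height="1">
<a href="https://example-news.test/about">About us</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects <a href> targets (with visible text) and <img src> resources."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.images = []   # (src, width, height)
        self._open_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open_href = a["href"]
            self._text = []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._open_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append((self._open_href, "".join(self._text).strip()))
            self._open_href = None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain
    (a real deployment would use the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_tracking_indicators(raw_eml):
    """Return a list of findings for remote resources that look like beacons:
    remote images (especially 1x1 pixels) and links whose domain differs from
    the sender's or that carry a query-string token."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(sender_addr.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for src, width, height in collector.images:
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            continue  # inline/cid images do not contact a remote server
        reasons = ["remote image"]
        if width in ("0", "1") or height in ("0", "1"):
            reasons.append("1x1 tracking pixel")
        if u.query:
            reasons.append("per-recipient token in query")
        findings.append({"kind": "img", "url": src, "reasons": reasons})
    for href, text in collector.links:
        u = urlparse(href)
        if u.scheme not in ("http", "https"):
            continue
        reasons = []
        if registered_domain(u.hostname or "") != sender_dom:
            reasons.append("link domain differs from sender domain")
        if u.query:
            reasons.append("per-recipient token in query")
        if reasons:
            findings.append({"kind": "a", "url": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tracking_indicators(SAMPLE_EML):
        print(f["kind"], f["url"], "->", "; ".join(f["reasons"]))
```

On the constructed sample the "About us" link is not flagged because it stays on the sender's domain and carries no token, while the draft link and the pixel both are. The defensive counterpart is the same in every mail client: disable automatic loading of remote content and rewrite or sandbox links at the gateway, so a beacon only fires when a user deliberately chooses to fetch it.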

The group leveraged exploits unknown to software manufacturers, known as zero-days, which resulted in the theft of intellectual property and trade secrets belonging to U.S. businesses and contributed to the estimated billions of dollars lost every year through covert intelligence transfers to China.

The State Department is also offering a reward of up to $10 million for any additional information about the defendants and APT31.

“[The indictments] serve as a reminder that cyber adversaries who seek to compromise our nation’s systems and target US officials cannot rely on the cloak of anonymity and will face consequences for their actions,” said FBI Cyber Division Assistant Director Bryan Vorndran in a written statement.

The Chinese embassy in Washington, D.C. denied the accusations.

“China firmly opposes and cracks down on all forms of cyberattacks in accordance with law. Without valid evidence, the U.S. jumped to an unwarranted conclusion and made groundless accusations against China. It is extremely irresponsible and is a complete distortion of facts,” embassy spokesperson Liu Pengyu told Nextgov/FCW.

“China is a major victim of cyberattacks. We have firmly fought and stopped all kinds of malicious cyber activities in accordance with the law, and advocated joint response from all countries through dialogue and cooperation,” Pengyu added, arguing that the U.S. government is a major perpetrator of cyber activity and urging Washington to “stop its worldwide cyber espionage … and stop smearing other countries under the excuse of cyber security.”

The charges were coupled with a sweeping round of Treasury sanctions aimed at the Chinese firm Wuhan Xiaoruizhi Science and Technology Company for its role as an MSS-linked front that intruded into U.S. critical infrastructure. Together they underscore the deep concern among U.S. intelligence officials about the breadth and scale of China-backed cyber activity, which has sounded alarms in lawmakers’ offices for at least the past decade.

China has become America’s top cyber adversary, law enforcement officials say, arguing that the nation fields cyberspies and hackers at a scale that outnumbers the resources available in the U.S. to defend networks and go on the offensive against hackers.

The intelligence community is still doing cleanup following an extensive Chinese hacking campaign that targeted American and allied infrastructure, an NSA official recently said.

A leak of documents from Chinese company i-Soon last month revealed the intricacies of the relationship between China’s central government and its ability to contract hacking services to private firms. A Mandiant analyst told Nextgov/FCW that U.S. government agencies appeared to be among victims that i-Soon had previously targeted, and the leaks have shown the firm was directed to target telecommunications systems across Asia.

A recent U.S. intelligence report says that China will continue to pull out all stops against the U.S. in cyberspace and “may attempt to influence the U.S. elections in 2024 at some level because of its desire to sideline critics of China and magnify U.S. societal divisions.”

The Commerce Department and State Department became the subject of cyber news headlines last year when China-linked hackers broke into agency officials’ email accounts. The indictment does not specify if APT31 or the accused hackers were directly responsible for that attack, and only alleges that the email tracking links sent to the agencies were deployed on or around March 2022.