DOJ sanctions 5 Chinese hackers operating with ‘tacit’ state support

On Wednesday, the U.S. Department of Justice unsealed two indictments charging five Chinese nationals with hacking more than 100 companies, in both the U.S. and abroad, in various campaigns dating back more than five years.

The victims include software vendors, video game companies, telecommunications providers, and hardware manufacturers, as well as a university in Taiwan, an NGO dedicated to combating global poverty, Hong Kong-based activists, and government computer networks in India and Vietnam.

As with past indictments against China-based hackers, the defendants allegedly acted both for their own financial gain and in support of China’s Ministry of State Security (MSS), an arrangement that many suspect is designed to preserve plausible deniability should the hackers get caught.

At the press conference announcing the indictments on Wednesday, U.S. officials turned that logic against Beijing, arguing that China’s unwillingness to bring domestic cyber criminals to justice demonstrated its opposition to international norms regarding cybercrime.

“Ideally, I would be thanking Chinese law enforcement authorities for their cooperation in this matter and the five Chinese hackers would now be in custody awaiting trial,” said Deputy Attorney General Jeffrey A. Rosen. “Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”

Wednesday’s indictments are also noteworthy because they shed light on a prolific hacking group that has long mystified security researchers.

Within the security community, the group goes by several names, including APT41, Winnti, Barium, and Wicked Panda. Despite tracking the group for years, companies within the private sector have failed to prove whether the hackers work for the CCP — in part because the group has compromised a hodgepodge of victims, some of which would be inconsistent with the objectives of a Chinese intelligence service or military affiliate.

According to the indictment, the hackers worked for a private company known as Chengdu 404 Network Technology that advertised defensive cybersecurity services to its clients. In reality, Chengdu 404 orchestrated a range of offensive cyber campaigns, from political espionage to crypto-mining, IP theft, and other forms of computer-enabled fraud.

As Jeremy Goldkorn noted on The China Project yesterday, “404 is, of course, an internet browser error message that occurs when the website or web page you are trying to reach cannot be found on the server. But in China, you most frequently get the 404 message when a web page has been deleted by censors, or because you are trying to view a website hosted outside of China that has been blocked by the Great Firewall.”

While the indictments fall short of proving any formal ties between the hackers and the government, Michael R. Sherwin, the Acting Attorney General for the District of Columbia, left little doubt about how the U.S. government views the arrangement.

“These individuals were working for private personal gain, yes, but they also were proxies — that’s a conclusion you can draw — for the Chinese government,” said Sherwin, though he was careful to distinguish inference from allegation. “There is some tacit approval, or some tacit direction that they’re getting from the Chinese government.”

The indictments focus on criminal matters and generally do not speculate on Chengdu 404’s possible links to the government. However, one of the indictments includes a suggestive piece of evidence: intercepted communications in which one of the hackers boasted that he was “very close” with the MSS, a relationship a second hacker believed would protect them from domestic law enforcement “unless something very big happens.”

Between July 2017 and January 2019, APT41 compromised three software companies and infiltrated their automatic update servers in a method that researchers refer to as a “supply chain attack.” That access allowed the hackers to deliver malicious software to millions of devices simultaneously — a capability that could have been used to wreak havoc.

Instead, the hackers used it to compromise a small subset of computers, suggesting that APT41 was pinpointing a few high-priority targets for surveillance — a move usually seen out of governments, not profit-motivated cyber criminals.

Wednesday’s indictments follow a series of actions by the U.S. federal government to more aggressively combat cyber espionage and crime from Chinese hackers.

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), a unit of the Department of Homeland Security that focuses on defending the nation’s critical infrastructure, released an advisory outlining steps that U.S. entities should take to fend off attacks from an unnamed Chinese cyber actor affiliated with the MSS.

The warning cited vulnerabilities and hacking techniques included in the indictments unsealed on Wednesday, although there were some notable differences.

Whereas Wednesday’s indictments detail lengthy hacking campaigns that unfolded over months or years, CISA’s warning suggested that the cyber actors in question were highly opportunistic, monitoring public databases for recent software vulnerabilities and then using those to scan government networks and identify new victims.

Finally, in June, the DOJ charged two Chinese hackers for a decade-long commercial espionage campaign that included efforts to break into U.S. companies involved in research on a COVID-19 vaccine.

Neither that indictment nor the one unsealed Tuesday are likely to affect the defendants in China because they reside outside the United States and the CCP is not expected to cooperate with the U.S. government in arranging their extradition.

However, a third indictment unsealed Wednesday did result in the arrest of two Malaysian nationals who are accused of supporting some of APT41’s money laundering efforts.