Ten Chinese nationals have been charged with large-scale hacking of US and international victims at the direction of the Chinese government.
The US Justice Department has unsealed a two-count criminal indictment charging the defendants in connection with a years-long hacking scheme directed by the People’s Republic of China (PRC) through a “software company” identified as i-Soon.
The company’s employees were allegedly instructed to hack prominent overseas critics of the PRC government, people whom the PRC government considered a threat to the rule of the Chinese Communist Party, among others.
To acquire information of interest to the Chinese government while obscuring their involvement, the PRC’s Ministry of State Security (MSS) and Ministry of Public Security (MPS) used an extensive network of private companies and contractors in China to conduct unauthorized computer intrusions in the US and elsewhere, the DOJ says.
One of those companies was Anxun Information Technology, a Shanghai-based firm also known as i-Soon that specializes in “software.”
“As part of its core business, i-Soon hacks into U.S. e-mail accounts, cellphones, and websites to steal data on behalf of the PRC,” the DOJ says.
“From approximately 2016 through 2023, i-Soon and its personnel engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS,” according to the press release. “i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees.”
The firm’s primary customers were PRC government agencies, including at least 43 MSS or MPS bureaus that paid i-Soon from $10,000 to $75,000 for each email inbox it successfully hacked.
Victims included New York news outlets, the US Defense Intelligence Agency, the US Department of Commerce and the International Trade Administration, the New York State Assembly, a research university in the US, the foreign ministries of several Asian countries, and others.
Some of the victims caught the interest of the PRC for criticizing the Chinese government. In other instances, such as the hacking of foreign ministries, the reason was simply that those ministries were in communication with the US.
While i-Soon conducted much of its hacking at the direct request of the MSS or MPS, it sometimes also carried out its own agenda, making opportunistic breaches and selling the resulting information to the MSS or MPS for additional profits.
i-Soon also made money by training MPS employees to hack independently of i-Soon, offering a variety of specialized hacking tools advertised as “industry-leading offensive and defensive technology.”
One product was called the “Automated Penetration Testing Platform,” which i-Soon advertised as capable of automating email phishing attacks, creating data-stealing malware, and cloning websites for phishing.
Another tool, called the “Divine Mathematician Password Cracking Platform,” was designed to crack passwords.
Yet another one, named “Public Opinion Guidance and Control Platform (Overseas),” was designed to take over accounts on a variety of social networks, apps and devices, with i-Soon saying it can bypass the unique defenses of the targeted systems.
“With respect to Twitter, i-Soon sold software with the capability to send a victim a spear phishing link and then to obtain access to and control over the victim’s Twitter account,” according to the DOJ. “The software had the ability to access Twitter even without the victim’s password and to bypass multi-factor authentication.”
The DOJ announcement includes screenshots of the tools in question (reproduced below).
Screenshot of i-Soon’s ‘Automated Penetration Testing Platform’ in action
Source: justice.gov
Screenshot of i-Soon’s ‘Divine Mathematician Password Cracking Platform’ in action
Source: justice.gov
Screenshot of ‘Public Opinion Guidance and Control Platform (Overseas)’ in action
Source: justice.gov
The 10 defendants accused of working in various capacities for i-Soon’s malicious cyber activity are identified as:
They are charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years, and conspiracy to commit wire fraud, which carries a maximum of 20 years.
Any sentence will ultimately be determined by a judge. The defendants are presumed innocent unless proven guilty.
Anyone with information leading to the identification or location of any of the defendants is urged to contact the Department of State at rewardsforjustice.net.
The 10 defendants remain at large.
The United States recently sanctioned several Chinese actors (hackers) for their alleged involvement in high-profile hacks on US organizations, including an attack on the Treasury Department.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.