US charges 12 Chinese nationals for hacks into government systems

Some of the people have ties to i-Soon, the Chinese tech firm whose hacking-for-hire activities were exposed in a leak last year. Others are linked to Silk Typhoon, a hacking unit that recently breached the Treasury Department.
The Justice Department on Wednesday unsealed sweeping charges against 12 Chinese nationals for their roles in hacking activities that have targeted U.S. federal and state systems on behalf of Beijing’s intelligence services over the past several years.
Eight of the people are employees of i-Soon, a Chinese cybersecurity firm that made headlines a year ago after a leak of documents posted to GitHub revealed the extensive efforts the company made to break into foreign governments’ computer systems at the direction of the Chinese government. Two other people charged in connection with i-Soon are officers in Beijing’s Ministry of Public Security, according to the Justice Department’s allegations.
A separate pair among those charged is affiliated with Silk Typhoon, a group recently found to have infiltrated Treasury Department networks and compromised some of the agency’s most sensitive systems. One of those people, Yin Kecheng, was sanctioned in January.
i-Soon’s victims included the Defense Intelligence Agency and the Department of Commerce, targeted in 2017 and 2018, respectively, according to court documents.
One other agency targeted in 2019 and 2022 is described as a DC-based “news service funded by the United States government that delivers uncensored domestic news to audiences in Asian countries, including China.” It’s unclear which news service the documents refer to, though two housed under the U.S. Agency for Global Media — Voice of America and Radio Free Asia — have China branches.
Other i-Soon victims listed include the foreign ministries of Taiwan, South Korea, Indonesia and India, as well as several U.S.-based organizations. A court-authorized seizure of the website domains used to advertise i-Soon’s services was issued Tuesday, documents show.
The Silk Typhoon unit accessed Treasury systems late last year, including its sanctioning and assets control offices, as well as the Committee on Foreign Investment in the U.S. and former Treasury Secretary Janet Yellen’s computer. As part of the unsealing, the Department announced the seizure of internet domains connected to Kecheng, as well as the seizure of a virtual private server used by co-conspirator Zhou Shuai.
Across the board, the hackers compromised email accounts, cell phones, servers, websites and IT supply chains to steal sensitive data from targets, the allegations say.
They exploited unknown vulnerabilities, deployed malware and stole credentials through phishing schemes. Once inside a network, the cyberspies conducted reconnaissance, moved laterally and exfiltrated data to sell, often to Chinese government agencies. For instance, i-Soon would charge between $10,000 and $75,000 for each successfully hacked email account, DOJ says.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed,” said Sue Bai, who heads DOJ’s National Security Division. “We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security.”
Entities like i-Soon make up a vast nexus of contracted hacking firms employed by the Chinese government. China has been largely deemed the top U.S. cyber adversary by current and former officials.
A separate hacking unit tied to Beijing’s Ministry of State Security, dubbed Salt Typhoon, was found last year to have breached at least nine U.S. telecom providers and dozens of others worldwide. Sichuan Juxinhe Network Technology Co. operated alongside the Chinese government to carry out those hacks, according to previous Treasury sanctions.