U.S. Sanctions, Indicts Alleged Members of Chinese APT31

The Department of the Treasury is levying sanctions against two Chinese nationals and a Chinese company that the agency alleges are key parts of the APT31 team, a Chinese government-backed threat group that has targeted U.S. government personnel and agencies for many years.

The sanctions come through the department’s Office of Foreign Assets Control (OFAC) and are the latest in a string of such moves targeting known foreign threat groups, as well as the makers of commercial spyware tools. Earlier this month, OFAC announced similar sanctions against Intellexa Consortium, which develops and sells the Predator suite of spyware tools. The new sanctions against the Chinese entities are also part of a broader push by the U.S. government to deter and disrupt the activities of Chinese government-backed threat groups.

As part of Monday’s moves, the Department of Justice also unsealed indictments against seven Chinese nationals whom the department alleges are actively involved in intrusions against U.S. companies and individuals. The indictments allege that the seven people are part of APT31’s widespread efforts to gain access to U.S. government and critical infrastructure organizations over the last few years. The seven indicted individuals are Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong.

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies,” Attorney General Merrick Garland said.

The OFAC sanctions are directed at Wuhan Xiaoruizhi Science and Technology Company, Limited, a company that the department says is a front for offensive cyber operations conducted by the Ministry of State Security, and Zhao Guangzong and Ni Gaobin, two people affiliated with the company. OFAC alleges that the two men ran several malicious operations against U.S. organizations, including a 2020 campaign against the U.S. Naval Academy.

“The United States is focused on both disrupting the dangerous and irresponsible actions of malicious cyber actors, as well as protecting our citizens and our critical infrastructure,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. “Through our whole-of-government approach and in close coordination with our British partners, Treasury will continue to leverage our tools to expose these networks and protect against these threats.”

The indictments allege that the APT31 threat actors targeted people inside the White House, Departments of Justice, Commerce, and Treasury, as well as members of both the Senate and House of Representatives.

“These defendants were part of a Chinese government sponsored hacking group, targeting U.S. businesses and U.S. political officials for intrusion for over a decade as part of a larger, malicious global campaign. These charges are yet another example of hostile actions taken by the PRC to attack not only American businesses and infrastructure, but the security of our nation,” said FBI Assistant Director-in-Charge James Smith.

The indictments also allege that the defendants were involved in attacks against private companies in the U.S., including government contractors, technology companies, and service providers.

“These computer network intrusion activities resulted in the confirmed and potential compromise of work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans, including at least some information that could be released in support of malign influence targeting democratic processes and institutions, and economic plans, intellectual property, and trade secrets belonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of the PRC’s state-sponsored apparatus to transfer U.S. technology to the PRC,” the indictment says.

The sanctions and indictments continue the U.S. government’s efforts to disrupt China’s offensive cyber operations targeting U.S. organizations and people. Chinese state-backed threat groups are among the most active and capable actors in the threat landscape and typically focus their efforts on cyber espionage and influence operations.

"We are no longer in the era of brazen, loud intrusions against wide swaths of the economy. The activity we see now is far more narrowly focused and far better than it once was. Chinese cyber espionage is stealthier and more advanced than before. They have invested in better tactics, and those investments are paying off," said John Hultquist, chief analyst, Mandiant Intelligence-Google Cloud.