
U.S. Indicts Four Chinese Nationals for Cyberespionage

The Department of Justice has unsealed an indictment alleging that four Chinese nationals, three of whom are state intelligence officers, conducted broad cyberespionage campaigns targeting companies in more than a dozen countries. The men are allegedly part of the threat group known as APT40, which is known for targeting companies in the defense and engineering industries, among others.

The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are part of a broader set of actions the federal government took on Monday to expose cyberespionage and ransomware activity that White House officials say is sponsored and encouraged by the Chinese government. Ding, Cheng and Zhu are members of the Hainan State Security Department, and Wu worked at Hainan Xiandun Technology Development, which the Justice Department alleged was a front company for Chinese state security.

“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China,” said Acting U.S. Attorney Randy Grossman for the Southern District of California. “The defendants include foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate. These offenses threaten our economy and national security, and this prosecution reflects the Department of Justice’s commitment and ability to hold individuals and nations accountable for stealing the ideas and intellectual achievements of our nation’s best and brightest people.”

As part of these actions, the White House publicly attributed to the Chinese Ministry of State Security (MSS) the exploitation of the four Microsoft Exchange Server zero-day vulnerabilities disclosed in March. Those attacks were widespread and affected organizations in a wide range of industries. The White House said it had a “high degree of confidence” that actors affiliated with the MSS were exploiting the flaws.

“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” the White House statement says.

“We have raised our concerns about both this incident and the PRC’s broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace.”

The White House also said that some actors working on behalf of the Chinese government have run ransomware operations for the benefit of the government.

“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the White House statement says.

APT40 has been operating for close to a decade, and much of the group’s activity focuses on obtaining intellectual property and information to support China’s military and modernization efforts. The Biden administration’s exposure of the group’s activities was coordinated with the European Union, NATO and the UK government.