US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
Credit to Author: Andy Greenberg | Date: Wed, 05 Mar 2025 17:12:56 +0000
Only rarely does the West get a glimpse inside the vast hacker-for-hire contractor ecosystem that enables China's digital intrusion campaigns worldwide. Now a new set of criminal charges against a dozen Chinese nationals, including two government officials, accuses them of a vast espionage campaign that included breaching the US Treasury, and goes as far as revealing the internal communications of some of those alleged hackers, their tools, and their business relationships.
The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China's Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27, or Silk Typhoon, which prosecutors say was involved in the US Treasury breach late last year.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed,” Sue Bai, who leads the Justice Department’s National Security Division, wrote in a statement. “The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people.”
According to prosecutors, the group as a whole has targeted US state and federal agencies, foreign ministries of countries across Asia, Chinese dissidents, US-based media outlets that have criticized the Chinese government, and most recently the US Treasury, which was breached between September and December of last year. An internal Treasury report obtained by Bloomberg News found that hackers had penetrated at least 400 of the agency’s PCs and stole more than 3,000 files in that intrusion.
The indictments highlight how, in some cases, the hackers operated with a surprising degree of autonomy, even choosing targets on their own before selling stolen information to Chinese government clients. The indictment against Yin Kecheng, who was previously sanctioned by the Treasury Department in January for his involvement in the Treasury breach, quotes from his communications with a colleague in which he notes his personal preference for hacking American targets and how he’s seeking to "break into a big target," which he hoped would allow him to make enough money to buy a car.
At one point, Yin notes that “anything within the top 100” of defense contractors would be a preferable target, according to the indictment. When his colleague suggests that he look for victims beyond the US, he replies, “I just like the Americans, nothing else is as good.”
In some cases, Yin and the other alleged hackers sold stolen information directly to Chinese government agencies, according to US officials, while in others they brokered the sale through secondary firms. The hackers’ independence in choosing targets reveals just how loose China’s hacker-for-hire ecosystem can be in some cases, according to one senior DOJ official who asked to remain unnamed because they were only authorized to speak on background.
“The contractors and companies will hack more or less speculatively, motivated by profit to cast a wide net,” the DOJ official says. China, the official says, “is fostering reckless and indiscriminate targeting of vulnerable computers worldwide, even if it doesn’t task or obtain the fruits of those hacks. This leads to a less secure and more vulnerable environment.”
Shanghai-based firm i-Soon, a contractor to China’s Ministry of State Security (MSS) and Ministry of Public Security (MPS) that the DOJ says employed eight of the alleged hackers, charged its Chinese government customers in some cases based on how many email inboxes it was able to breach, earning between $10,000 and $75,000 per inbox, according to prosecutors. The company, which has over 100 employees, earned tens of millions of dollars in revenue in some years, and its executives projected it would have revenue of about $75 million by 2025, according to the indictment. Prosecutors also note that the company worked with 43 different bureaus of the MSS and MPS across 31 provinces of China, which operated independently and often purchased the same products from i-Soon.
i-Soon, whose alleged hacker-for-hire operations were previously revealed in a leak of its internal documents and communications last year, offered its clients a “zero-day vulnerability arsenal” of unpatched, hackable flaws, according to the indictment. It also allegedly sold password-cracking tools and euphemistically named “penetration testing” products—which were, prosecutors say, in fact intended to be used on unwitting victims—which allegedly included targeted phishing tool kits as well as tools for embedding malware in file attachments.
The company also allegedly carried out its own targeting of victims, which the DOJ says included specific media outlets, dissidents, religious leaders, and researchers who had been critical of the Chinese government, as well as the New York State Assembly, one of whose representatives had received an email from members of an unnamed religious group that is banned in China.
Yin Kecheng and Zhou Shuai, an alleged associate in the APT27, or Silk Typhoon, group, are accused of hacking a wide variety of defense contractors, think tanks, a law firm, a managed communications service provider company, and other victims. In December, software contractor firm BeyondTrust alerted the US Treasury that the department had been breached due to an intrusion on BeyondTrust’s network—an operation that was later attributed to Silk Typhoon. In conjunction with the Justice Department’s charges today, Microsoft also released a guide to Silk Typhoon’s operating techniques, highlighting how it seeks to exploit the IT supply chain.
In Yin’s communications with a colleague included in the indictment against him, the colleague suggests that rather than go after large victim organizations directly, they target their subsidiaries, noting that “they are the same and easier to attack.” Yin responds, agreeing that strategy is “correct.”
All of the 12 Chinese nationals charged in the indictments remain at large—and, chances are, will never see the inside of a US courtroom. But the State Department announced rewards for information leading to their arrest between $2 million and $10 million each.
“To those who choose to aid the CCP in its unlawful cyber activities,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, writes in a statement, using the term CCP to refer to the Chinese Communist Party, “these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”