The U.S. Department of Justice (DOJ) unsealed indictments today against 12 Chinese nationals linked to state-sponsored cyber espionage campaigns targeting the U.S. Treasury Department, religious organizations, media outlets, and critical infrastructure.
The charges reveal an extensive, decade-long operation leveraging advanced malware like PlugX and HyperBro, exploitation of vulnerabilities such as CVE-2017-0213, and collaboration with Chinese security agencies to suppress dissent and steal sensitive data.
The defendants include two officers from China’s Ministry of Public Security (MPS), eight employees of Chengdu-based i-Soon Information Technology, and two members of the APT27 threat group (also known as Silk Typhoon or Emissary Panda).
APT27, active since at least 2010, has been linked to cyber espionage targeting defense, aerospace, and government sectors using custom tools like PlugX and QuarkBandit.
According to court documents, i-Soon operated as a “hacker-for-hire” entity, charging the MPS and Ministry of State Security (MSS) between $10,000 and $75,000 per compromised email inbox.

The group used DLL side-loading, in which a legitimate Google Updater executable is made to load a malicious goopdate.dll, to deploy PlugX and Clambling malware, while leveraging Mimikatz for credential harvesting and CVE-2017-0213 for privilege escalation.
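As an added defender-side example (not code from the article or the DOJ filings), the following Python flags loads of goopdate.dll that do not come from a genuine Google Updater install, which is how the side-loading described above shows up in endpoint telemetry. It assumes Sysmon Event ID 7 (ImageLoad) records already parsed into dicts; the expected install directories, the signer name and the sample events are assumptions and constructed data.

```python
"""Flag goopdate.dll loads that do not look like the genuine Google Updater.
Added detection example, not code from the article. Input is assumed to be
Sysmon Event ID 7 (ImageLoad) records parsed into dicts keyed by the Sysmon
field names Image, ImageLoaded, Signed and Signature."""
import ntpath

# Where the genuine Google Updater keeps goopdate.dll (assumption: standard
# per-machine or per-user install; extend the tuple for your estate).
EXPECTED_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
    r"\appdata\local\google\update",
)
EXPECTED_SIGNER = "google llc"


def sideload_indicators(event: dict) -> list[str]:
    """Return why this ImageLoad looks like goopdate.dll side-loading; [] if clean."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "goopdate.dll":
        return []
    reasons = []
    folder = ntpath.dirname(loaded).lower() + "\\"
    if not any(d + "\\" in folder for d in EXPECTED_DIRS):
        reasons.append(f"goopdate.dll loaded from unexpected path: {loaded}")
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("goopdate.dll is unsigned")
    elif event.get("Signature", "").lower() != EXPECTED_SIGNER:
        reasons.append(f"unexpected signer: {event.get('Signature')}")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (host process image, reasons) for each event with indicators."""
    return [(ev.get("Image", ""), r) for ev in events if (r := sideload_indicators(ev))]


# Constructed sample events, not real telemetry: a genuine install and a copy of
# the updater dropped in a writable folder beside an unsigned goopdate.dll.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.36.152\goopdate.dll",
     "Signed": "true", "Signature": "Google LLC"},
    {"Image": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\goopdate.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Only the second sample event is reported, with both an unexpected path and a missing signature; a Google-signed DLL in the standard install path produces no indicators.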
APT27: Wide-Scale Cyber Espionage
The attacks employed multi-stage intrusion chains, including the use of ASPXSpy web shells for lateral movement and BitLocker encryption to lock victims out of critical systems.
In one incident, APT27 actors exploited ProxyShell vulnerabilities (CVE-2021-26855, CVE-2021-34473) in Microsoft Exchange servers to deploy HyperBro, a memory-resident backdoor enabling remote command execution.
Notable victims included:
- U.S. Treasury Department: Breached between September and December 2024 via compromised virtual private servers (VPS) leased by APT27.
- Foreign Ministries: Targets in Taiwan, India, South Korea, and Indonesia had diplomatic communications exfiltrated.
- Religious Organizations: A U.S.-based group critical of China’s policies suffered data theft and surveillance.
The DOJ estimates damages in the millions of dollars, citing ransomware deployments and intellectual property theft from defense contractors and universities.
U.S. Response and Sanctions
In collaboration with Microsoft’s Threat Intelligence Center (MSTIC), the FBI disrupted the operations by seizing i-Soon’s primary domain and APT27-controlled VPS infrastructure.
The State Department announced $10 million rewards for information on i-Soon operatives and $2 million for APT27 members Zhou Shuai (“Coldface”) and Yin Kecheng.

Concurrently, the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Shanghai Heiying Information Technology, a front company for Zhou Shuai, and blocked assets linked to the hacking campaigns.
“The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people,” said Sue J. Bai, head of the DOJ’s National Security Division.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed.”
The Chinese Embassy dismissed the allegations as “groundless smears,” reiterating Beijing’s opposition to cybercrime.
However, leaked i-Soon marketing materials revealed contracts with over 43 Chinese security bureaus, underscoring the blurred lines between state and private-sector hackers.
The indictments coincide with heightened U.S. efforts to counter Chinese cyber threats, including a House Select Committee hearing on bolstering critical infrastructure defenses.
The case highlights the PRC’s reliance on “patriotic hackers” to conduct deniable operations, a strategy first observed in the 2015 Office of Personnel Management (OPM) breach.
Experts warn that espionage and criminal motivations are merging as APT27 now employs ransomware tactics, as demonstrated in the NailaoLocker attacks.
“Today’s announcements reveal that the Chinese Ministry of Public Security has been paying hackers-for-hire to inflict digital harm on Americans who criticize the Chinese Communist Party (CCP),” said FBI Cyber Division Assistant Director Bryan Vorndran.
“To those who choose to aid the CCP in its unlawful cyber activities, these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”