The U.S. Treasury Department has sanctioned a Wuhan-based company used by the Chinese Ministry of State Security (MSS) as cover in attacks against U.S. critical infrastructure organizations.
The Office of Foreign Assets Control (OFAC) has also designated two Chinese nationals (Zhao Guangzong and Ni Gaobin) linked to the APT31 Chinese state-backed hacking group and who worked as contractors for the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) MSS front company for their involvement in the same attacks and “endangering U.S. national security.”
This action was part of a joint effort with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United Kingdom Foreign, Commonwealth & Development Office (FCDO).
“Zhao Guangzong was behind the 2020 APT 31 spear phishing operation against the United States Naval Academy and the United States Naval War College’s China Maritime Studies Institute,” the Treasury Department said.
“Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ, including the 2020 spear phishing operation against the United States Naval Academy and United States Naval War College’s China Maritime Studies Institute.”
The United Kingdom also sanctioned Wuhan XRZ and the two APT31 operatives for targeting UK parliamentarians, hacking the GCHQ intelligence agency, and breaching the UK’s Electoral Commission systems.
“The UK can reveal today that the National Cyber Security Centre (NCSC) – a part of GCHQ – assesses that the UK Electoral Commission systems were highly likely compromised by a Chinese state-affiliated entity between 2021 and 2022,” a press release issued today says.
“Between late-2021 and October 2022 the Electoral Commission’s systems were compromised by a China state-affiliated cyber actor. [..] NCSC assesses it is highly likely that the China state-affiliated cyber actor APT31 conducted reconnaissance activity against UK parliamentarians during a separate campaign in 2021.”
Today, the Justice Department also unsealed indictments charging Zhao Guangzong, Ni Gaobin, and five other defendants (i.e., Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang) for their involvement in malicious operations coordinated by Wuhan XRZ over a span of roughly 14 years.
These operations targeted U.S. critical infrastructure, as well as U.S. businesses and politicians, in support of China’s foreign intelligence and economic espionage objectives.
“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged in today’s indictment, this prolific global hacking operation – backed by the PRC government – targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” said Deputy Attorney General Lisa Monaco on Monday.
“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists, and academics; valuable information from American companies; and political dissidents in America and abroad,” added U.S. Attorney Breon Peace.
The State Department is now also offering rewards of up to $10 million for information on Wuhan XRZ, APT31, or any of the seven Chinese MSS hackers.
As a result of today’s sanctions, all assets and interests in the United States linked to designated individuals and entities are frozen.
Entities at least 50% owned by blocked persons are also subject to freeze, and transactions involving blocked persons’ assets are prohibited unless authorized by OFAC. Financial institutions and parties that deal with sanctioned entities and individuals risk exposure to sanctions or enforcement actions.
In July 2021, the U.S. and its allies, including the European Union, the United Kingdom, and NATO, also officially blamed the MSS-linked Chinese state-backed APT40 and APT31 threat groups for a widespread Microsoft Exchange hacking campaign.
One year earlier, in July 2020, the Council of the European Union announced sanctions against Huaying Haitai, a company linked to the Chinese-backed APT10 threat group, and two of its employees, Gao Qiang and Zhang Shilong, for their involvement in the ‘Operation Cloud Hopper’ cyber-espionage campaign.