The Justice Department has announced charges against five Chinese nationals accused of hacking more than 100 companies in the United States, including tech companies, game makers, universities and think tanks.
Zhang Haoran and Tan Dailin were charged in August 2019 with more than two dozen counts of conspiracy, wire fraud, identity theft and computer hacking offenses. Prosecutors added a further nine charges against Jiang Lizhi, Qian Chuan and Fu Qiang last month.
Prosecutors also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.
“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said Assistant Attorney General John C. Demers.
“This is the only way to neutralize malicious nation-state cyber activity,” he said.
The hackers are accused of being members of the China-backed APT41 hacking group, also known as “Barium,” and of stealing source code, customer data and other valuable business information from businesses in the U.S., Australia, Brazil, Hong Kong, South Korea and other countries.
The indictments said that the hackers worked for a front company, Chengdu 404, which purports to be a network security company but which prosecutors say was a cover for the hackers. The alleged hackers exploited a number of known security vulnerabilities to break into companies, then used that access to attack those companies’ supply chains, giving them a way into still other companies. The indictments confirm earlier research from security firm FireEye, which reported that APT41 exploited vulnerabilities in networking gear to break into their victims’ networks.
The hackers also allegedly stole code-signing certificates, which can be used to make malware appear to come from a legitimate publisher so that computers treat it as safe to run. Last year, APT41 was blamed for a supply chain attack on computer maker Asus, in which the attackers pushed a backdoor to at least hundreds of thousands of computers using the company’s own servers.
Prosecutors said the hackers also tried to make money by launching ransomware attacks and cryptojacking schemes, in which malware hijacks victims’ computers to mine cryptocurrency.
John Hultquist, senior director of analysis at Mandiant, said APT41 has been the “most prolific” Chinese threat group it’s tracked over the last year.
“This is a unique actor, who carries out global cyber espionage while simultaneously pursuing a criminal venture. Their activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into traditional espionage, most likely directed by the state. APT41’s ability to successfully blend their criminal and espionage operations is remarkable,” said Hultquist.
After the indictments were filed, prosecutors said they obtained warrants to seize websites, domains and servers associated with the group’s operations, taking that infrastructure offline and disrupting the group’s activity.
The alleged hackers are still believed to be in China, but the charges are part of a “name and shame” strategy the Justice Department has employed in recent years against state-backed cyber attackers.