Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Targeting Intellectual Property and Confidential Business Information - updated
Indictment Alleges Three Defendants Were Officers in the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS)
...returned an indictment in May charging four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.
The indictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.
the USAO-SDCA should be lauded for their investigation
One of the Defendants was awarded by the Chinese Government -
“…award for young leaders from China’s Ministry of State Security in May 2018 while he and other MSS intelligence officers were allegedly hacking and stealing sensitive intellectual property from around the world.”
Maximum penalty: Fifteen years in prison and $5 million fine
Criminal Forfeiture – Title 18, U.S.C., Sec. 982(a)(l) and (b)(l)
Target Vectors & Victims:
Includes the following Countries Targeted: United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway (see June 20th Article), Saudi Arabia, South Africa, Switzerland and the United Kingdom. Also notice the absence of which Countries were not targeted …because that matters too
Targeted industries (include but not limited to)
…aviation, defense, education, government, health care, biopharmaceutical and maritime. The scheme was to steal trade “trade secrets and confidential business information” 1 pertaining to; sensitive technologies used for
submersibles and autonomous vehicles,
specialty chemical formulas,
commercial aircraft servicing,
proprietary genetic-sequencing technology and data,
and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects).
research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.
Thus giving the Chinese Government leverage by unlawfully purloining such information. This is textbook economic espionage and it’s something China tends to gravitate towards. Why spend billions in research and development when you can simply steal the intellectual property.
Defendants previously identified:
Private Sector Cyber Security companies have previously identified this groups under the monikers of:
see CISA’s Alert (AA21-200A) for the following bad actors and previous campaigns; MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper
On July 19, 2021 a joint FBI and CISA alert was published. Alert (AA21-200A) -
Addressing the; Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
CISA and FBI released an advisory to help network defenders identify and remediate APT40 intrusions and established footholds. See the July 19, 2021, Department of Justice press release.
Joint Cybersecurity Advisory: Chinese Observed TTPs: CISA, NSA, and FBI released an advisory describing Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations.
CISA Insights: Chinese Cyber Threat Overview for Leaders - CISA, NSA, and FBI released a joint CISA Insights to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft.
Also See FireEye’s recent Double DragonAPT41, a dual espionage andcyber crime operation - Yes I’m saying you should read up on Double Dragon - because last month I think I did a decent job of walking you through Norway’s recent disclosure and pinning their near catastrophic cyber attack on China. and honestly it’s not my job to force you to read what I’m writing but if I tell you XYZ is important —there’s a strong likelihood that it is…
Beijing sees increasingly competitive US-China relations as part of an epochal geopolitical shift and views Washington’s economic measures against Beijing since 2018 as part of a broader US effort to contain China’s rise.China is touting its success containing the COVID-19 pandemic as evidence of the superiority of its system.
Beijing is increasingly combining its growing military power with its economic, technological, and diplomatic clout to preserve the CCP, secure what it views as its territory and regional preeminence, and pursue international cooperation at Washington’s expense.
I dunno maybe you should rake the time to read the April 2021 ODNI - but I’m not the boss of you and I can’t force you to read the reports or facts. All I can do is redline and provide you with access to this publicly available information
NATO Joint Statement
Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise - see bulletpoint # 3 -that’s a pretty bold of a statement as they come see NATO full Press Release accusing China of “destabilizing behaviors”
Indictment and overt acts
Again you can read the full 30 page (newly) unsealed Indictment via the DOJ-OPA Press Release. One of the biggest events occurred in March 2021 when China attacked Microsoft Exchange Servers located throughout the World.
Just soak Count One in:
…Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects).
At the direction of…hackers…
You might think the “at the direction of” isn’t an important disclosure - I can assure you that it’s pretty damn important. Because the further you read into the indictment the more you’ll understand the countless Twitter threads because years ago some of us actually said “China’ Thousand Talents Program was the single most damaging espionage campaign” that directly impacted American Universities and countless Federal Agencies. Spoiled of course it was/is
…the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address….
And while it remains unlikely the Defendants will ever appear in Federal District Court - that’s not the intent of unsealing the indictment - the intent is to publicly name and shame them
No really ask yourself why unseal this indictment —simple because this is America supporting our Allies and NATO. By publicly releasing photos of the Chinese Hackers - that’s why
I’m serious give the wayback a few minutes to fully populate the following archived Twitter threads (LOLs you thought all my research was flushed down the Twitter shithole - LOLs nope - I now refer you to pages 6 thru 8 of the indictment
Yes do you still think those long lost twitter threads of mine are malarkey -I mean if your only criticism is typos - spelling errors than your intellectually capacity is far more demonic I mean diminished than previously thought… but then again it must suck to be that insufferable and bitter that you can’t get past a spelling error. This is me 😂laughing😂 and slow👏🏻 clapping👏🏻at your mendacity and otherwise incompetent intellectually stunted bullshart.
Read it - for nearly a decade China sent (sorry if this offends you) spies masquerading as Students, Researchers etc to infiltrate our Universities and Colleges that spend years and countless funds in research and development
HomeFry say WHAT to Steganograpghy & GitHub…
The conspiracy often used anonymizer services, such as The Onion Router (TOR), to access malware on victim networks and manage their hacking infrastructure, including servers, domains and email accounts. The conspiracy further attempted to obscure its hacking activities through other third-party services. For example, the conspiracy used GitHub to both store malware and stolen data, which was concealed using steganography.
The conspiracy also used Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to conspiracy-controlled Dropbox accounts to make it appear to network defenders that such data exfiltration was an employee’s legitimate use of the Dropbox service.
Come to our University and we’ll train you to be an excellent hacker…
…MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address.
What. Fresh. Hell. Is. This. Madness
Yes so GitHub was used by this group on a prolific level and once again steganography by way of these two images. Yes the Chinese hackers used steganography to “spirit away” their stolen data.
Conspiracy to Commit Economic Espionage
Because well duh this indictment is textbook economic espionage but meh whadda I know. Me canz readsz goodly-ish - writing meh the jury is out because my god the typos - clutches my invisible pearls but mainly laughs
That said it is surprising the Biden Administration isn’t levying sanctions but apparently they “are leave that option on the table” —I suppose only time will tell in the interim it seems like commonsense that perhaps Colleges and Universities and other Government agencies should go back and closely scrutinize who they granted Student Visas to and perhaps an internal audit of the aforementioned network infrastructure is well warranted. For now the Biden Administration appears to be standing with our Allies and I think that’s a good thing.
Updated July 19, 20q1 at 8:45PM EST because I inadvertently overlooked the White House’s statement and felt my readers/followers should also have access to the Biden White House’s statement - which reads in part:
The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China:
Exposing the PRC’s use of criminal contract hackers to conduct unsanctioned cyber operations globally, including for their own personal profit.
The United States is deeply concerned that the PRC has fostered an intelligence enterprise that includes contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. As detailed in public charging documents unsealed in October 2018 and July and September 2020, hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.
Remember how I stated that the Biden White House left the options of economic sanctions on the table. And that the notion of “naming and shaming” can have an immediate and direct impact - granted I’d prefer that China just hand over the Cyber Criminals. But I’m also okay with America standing shoulder to shoulder with NATO and our Allies putting China on a “Global Public Blast” and now I can actually point to this relevant subsection of the White House Statement as far as statements go, between the NATO, DOJ NSA & CISA and now the Biden White House these are pretty forceful statements…
[United States Department of Justice] imposing costs and announcing criminal charges against four MSS hackers.
The US Department of Justice is announcing criminal charges against four MSS hackers addressing activities concerning a multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in a least a dozen countries. DOJ documents outline how MSS hackers pursued the theft of Ebola virus vaccine research and demonstrate that the PRC’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information. Much of the MSS activity alleged in the Department of Justice’s charges stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage.
Under rated but important aspects of the White House Cyber Statement:
Look it’s easy to fall into the QANON-for-the-left screaming goats of disinformation and misinformation but I personally think facts matter more than some random person online trafficking in some insane conspiracy theories. Just give me the facts, directly from the White House Information hose and then there won’t be any issues
The U.S. Government announced and operated under a new model for cyber incident response by including private companies in the Cyber Unified Coordination Group (UCG) to address the Exchange Server vulnerabilities.The UCG is a whole-of-government coordination element stood up in response to a significant cyber incident. We credit those companies for being willing to collaborate with the United States Government in the face of a significant cyber incident that could have been substantially worse without key partnership of the private sector. We will build on this model to bolster public-private collaboration and information sharing between the United States Government and the private sector on cybersecurity.
Today, the National Security Agency, the Cybersecurity and Infrastructure Agency, and the Federal Bureau of Investigation released a cybersecurity advisory to detail additional PRC state-sponsored cyber techniques used to target U.S. and allied networks, including those used when targeting the Exchange Server vulnerabilities.
By exposing these techniques and providing actionable guidance to mitigate them, the U.S. Government continues to empower network defenders around the world to take action against cybersecurity threats. We will continue to provide such advisories to ensure companies and government agencies have actionable information to quickly defend their networks and protect their data.
“China increasingly is a near-peer competitor, challenging the United States in multiple arenas—especially economically, militarily, and technologically—and is pushing to change global norms”
While we import their cheap crap and export our jobs, they are stealing intelligence from all over the world and manipulating their currency. Jerks! (The government, I mean, not the people).
While we import their cheap crap and export our jobs, they are stealing intelligence from all over the world and manipulating their currency. Jerks! (The government, I mean, not the people).