12 Chinese hackers charged with US Treasury breach — and much, much more

The Department of Justice (DOJ) announced today it has criminally charged 12 Chinese nationals it says are behind attacks that hit more than 100 US organizations, including the Treasury, in a string of attacks going as far back as 2013.
The DOJ accuses the people of carrying out their attacks either on their own or at the behest of the Ministry of Public Security (MPS) and China’s Ministry of State Security (MSS). It says two are officers of the MPS, while eight others are employees of an “ostensibly private” Chinese company called i-Soon, which allegedly had the capability to hack Gmail and Microsoft Outlook inboxes, as well as Twitter and X, using the latter to help the Chinese government monitor public opinion overseas. It called that last tool the “Public Opinion Guidance and Control Platform,” according to the government’s indictment.
The last two are members of a group called APT27, or Silk Typhoon, which has been behind hacks of organizations like healthcare systems and universities, according to the DOJ. The group has more recently focused on IT systems that include management software, recent Microsoft research concluded. Such software was the target of the Treasury hack reported in late December.
The DOJ says the hackers were motivated by money, as the “MPS and MSS paid handsomely for stolen data.” Of the i-Soon group:
“i-Soon and its employees, to include the defendants, generated tens of millions of dollars in revenue as a key player in the PRC’s hacker-for-hire ecosystem. In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants. In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China. i-Soon charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully exploited. i-Soon also trained MPS employees how to hack independently of i-Soon and offered a variety of hacking methods for sale to its customers.”
And of Silk Typhoon:
“The defendants’ motivations were financial and, because they were profit-driven, they targeted broadly, rendering victim systems vulnerable well beyond their pilfering of data and other information that they could sell. Between them, Yin and Zhou sought to profit from the hacking of numerous U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, health care systems, and universities, leaving behind them a wake of millions of dollars in damages.”
Other victims of hacks from i-Soon include two New York newspapers, the US Department of Commerce, the Defense Intelligence Agency, and more.
None of the defendants is in custody, the DOJ says. The US government is offering as much as $10 million for information that helps it identify any of those accused of directing or carrying out “i-Soon’s malicious cyber activity.” It’s also offering “up to $2 million each for information leading to the arrests and convictions, in any country, of malicious cyber actors Yin Kecheng and Zhou Shuai,” the two Silk Typhoon members.