
Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks

US government agencies announced Wednesday criminal charges against alleged members of China’s Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.

“For years, the PRC government [People’s Republic of China] – in particular, its Ministries of State and Public Security – have encouraged, supported and relied on private contractors and Chinese technology companies to hack and steal information in a manner that hides the government’s involvement, essentially providing it the form of plausible deniability,” a Justice Department official said on a call with reporters attended by The Register earlier today.

A representative of the FBI also spoke on the call, which covered matters including freshly unsealed indictments that name 12 Chinese nationals charged for their suspected roles in a Chinese government operation to compromise computers and steal data from high-profile targets, including the US Treasury.

Two of these individuals are alleged to be officers at China’s Ministry of Public Security (MPS). We’re told the other ten named suspects are employees of a private firm, Anxun Information Technology, better known as i-Soon, and members of China’s APT27, aka Silk Typhoon.

“Each of these defendants played a critical role in the PRC government hacker-for-hire ecosystem, which by any measure, has gotten out of control,” a Justice Department official said on the call.

The digital snoops broke into victims’ computers at the direction of China’s MPS and its Ministry of State Security (MSS). Sometimes they attacked when working for i-Soon, it is claimed. On other occasions they acted alone, “motivated by profit,” according to the DOJ official on the call.

This scheme netted millions for i-Soon and China’s freelance infosec warriors, American prosecutors say.

“i-Soon charged the MSS and MPS between approximately $10,000 and $75,000 per email inbox hacked,” the FBI official said. “i-Soon then charged the MSS and MPS additional fees to analyze the stolen data.”

While we don’t have specific details about which email inboxes scored the biggest payouts, it’s safe to say they weren’t your average Gmail accounts, because Silk Typhoon is the same crew behind the 2021 Microsoft Exchange Server zero-day exploits that targeted Western governments’ intelligence and defense agencies. (Microsoft used to track this group as Hafnium.)

The Justice Department today also announced the court-authorized seizure [PDF] of i-Soon internet domains, which the Feds tied to the December 2024 Treasury Department network intrusions and other digital break-ins.

The seizure warrant names Yin KeCheng and Zhou Shuai, who were both indicted in 2023, as having “facilitated and profited from some of the most significant Chinese-based computer network exploitation schemes against US victims.” Both men, according to the Feds, are members of Silk Typhoon and part of the larger Chinese hacker-for-hire ecosystem. Two indictments [PDF], unsealed today, formally charge Yin and Zhou for their alleged involvement in for-profit computer intrusion campaigns that date back to 2013.

Their US victims, according to the court documents, included:

  • A technology and defense contractor whose customers include the Department of Defense, Department of Homeland Security, and government intelligence agencies;
  • A major US law firm;
  • A managed communications firm that provided, among other services, hosted Microsoft Exchange email services;
  • A county government;
  • A university healthcare system that operates multiple hospitals;
  • A tech and research org; and
  • A defense policy think tank.

A third indictment [PDF] charges the other 10 people: Wu Haibo, chief executive officer of i-Soon; Chen Cheng, its chief operating officer; sales boss Wang Zhe; technical staff Liang Guodong, Ma Li, Wang Yan, Xu Liang, and Zhou Weiwei; and two people said to be MPS officers, Wang Liyu and Sheng Jing.

Today’s disclosures from the Feds echo a Microsoft report, also released on Wednesday, that blamed Silk Typhoon for ongoing attacks against IT companies and government agencies.

There’s little chance that the Chinese government will allow US authorities to arrest any of those named today. The State Department has offered bounties of up to $2 million for information leading to the arrest and/or conviction of alleged Silk Typhoon members Yin KeCheng and Zhou Shuai.

The criminal charges and domain seizures follow a series of US government alerts over the past year about Chinese snoops burrowing into American networks.

“You look at Volt Typhoon, Flax Typhoon, Salt Typhoon, Silk Typhoon — all this activity demonstrates persistent targeting of US interests by the [Chinese Communist Party] CCP,” the Justice Department official said on the briefing call. ®
