U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
Summary:
The U.S. Department of Justice has charged 12 Chinese nationals for their roles in a wide-ranging cyberespionage campaign aimed at stealing sensitive data and suppressing free speech and dissent worldwide. The defendants are two officers of China’s Ministry of Public Security (MPS), eight employees of Anxun Information Technology Co. Ltd. (i-Soon), and two members of the advanced persistent threat group APT27, also tracked as Budworm, Bronze Union, and Emissary Panda. According to the Department of Justice, the intrusions were carried out at the direction of the MPS and the Ministry of State Security (MSS), while some of the defendants also worked as freelance hackers and profited from the stolen data.
Court documents state that from at least 2016 to 2023, i-Soon employees, working with MPS officers, conducted intrusions against email accounts, mobile phones, servers, and websites. Targets included U.S. government agencies, state legislative bodies, religious organizations, foreign ministries across Asia, and media outlets. The Federal Bureau of Investigation linked i-Soon’s activity to the threat actor tracked as Aquatic Panda (also known as RedHotel). APT27’s activity, in turn, overlaps with the clusters tracked as Silk Typhoon, UNC5221, and UTA0178, illustrating how many industry-named groups map back to the same state-directed ecosystem.
The intrusions followed a consistent pattern: spear-phishing for initial access, exploitation of vulnerabilities, including zero-days, in exposed systems, and deployment of custom malware for persistent access. The defendants concentrated on high-value networks and the confidential information inside them. Once inside, APT27 operators used malware such as PlugX to maintain long-term access and exfiltrate data. The stolen information was either passed to Chinese government agencies for intelligence use or sold on underground markets. Zhou Shuai, one of the charged APT27 actors, allegedly acted as a data broker, selling stolen information to customers linked to the Chinese government and military for profit.
Security Officer Comments:
In response, the U.S. State Department’s Rewards for Justice program is offering up to 10 million dollars for information leading to the identification or location of any person who, at the direction of a foreign government, engages in malicious cyber activity against U.S. critical infrastructure. A separate reward of up to two million dollars each is offered for information leading to the arrest and conviction of Zhou Shuai and Yin Kecheng, the two APT27 actors accused of years-long espionage campaigns against U.S. corporations, municipalities, and other organizations. The Department of Justice also seized four domains associated with i-Soon and APT27 that served as command-and-control infrastructure for their intrusions. Note that a domain seizure disrupts active operations but does not remove footholds already established in victim networks; defenders in the targeted sectors should treat the announcement as a prompt to hunt for existing PlugX-style persistence, not as remediation.
The Department of Justice emphasized that the charges expose China’s continued use of private companies as proxies for state-sponsored cyber operations. They mark a significant escalation in efforts to hold China accountable for its cyber activity and reinforce the need for stronger international cooperation against state-backed threats.
Link(s):
https://thehackernews.com/2025/03/us-charges-12-chinese-nationals-in.html