WASHINGTON—Federal prosecutors unsealed charges on Wednesday against five Chinese citizens that officials say appear linked to Chinese intelligence, accusing them of hacking more than 100 companies in the U.S. and overseas, including social-media firms, universities and telecommunications providers.
Two Malaysian businessmen were arrested Monday in Malaysia and accused of conspiring with some of the Chinese hackers to profit from intrusions into the videogame industry, Justice Department officials said.
The charges, laid out in three separate indictments, build on several other cases brought against accused Chinese hackers during the Trump administration, which has characterized Beijing’s cyber-enabled theft of intellectual property as a grave national and economic security threat.
U.S. law enforcement agencies rarely succeed in arresting foreign hackers, and officials called the arrests in Malaysia a victory for international cooperation.
“The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens,” Deputy Attorney General Jeffrey Rosen said. “Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”
The indictments don’t state that the alleged hackers worked directly for China’s intelligence service. But the Justice Department officials said that the nature of some of the attacks, including the targeting of pro-democracy politicians and activists in Hong Kong, and other circumstantial evidence bore the hallmarks of state espionage. One of the Chinese nationals allegedly boasted of having connections to the Ministry of State Security, according to one of the indictments.
The Chinese Embassy in Washington didn’t immediately respond to a request for comment. China has previously denied U.S. accusations of malicious cyber activity.
The alleged hacking campaign was described by Justice Department officials as the handiwork of Advanced Persistent Threat 41, or APT 41, a Chinese cyber squad that U.S.-based cyber firm FireEye has identified and linked to a range of malicious cyber activity against targets in sectors including finance, health care, real estate and the U.S. defense industrial base. FireEye on Wednesday said that APT 41 was currently the most prolific Chinese hacking group it tracked.
Microsoft Corp., Facebook Inc., Alphabet Inc.’s Google and Verizon Communications Inc., among other technology companies, assisted in the investigation and helped neutralize some of the computer infrastructure used by China, which helped protect some victims, Justice Department officials said. Officials declined to state whether the companies were among those targeted.
A Microsoft spokeswoman said the company “developed and implemented technical measures to block this threat actor from accessing victims’ computer systems.” The company declined to say if it had been targeted. Representatives from the other companies didn’t immediately comment.
The indictments were handed down in August 2020 and August 2019. One of the two indictments brought last month charged Chinese nationals Jiang Lizhi, Qian Chuan and Fu Qiang with a computer intrusion racketeering conspiracy affecting over 100 companies, organizations and people in the U.S. and around the world, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand and Vietnam.
The defendants, while working at the Chinese firm Chengdu 404 Network Technology, also compromised government computer networks in India and Vietnam, and targeted but didn’t successfully breach U.K. government networks, according to the indictment. Chengdu 404 and its indicted employees couldn’t immediately be reached for comment.
Between about May 2014 and August 2020, the Chengdu 404 defendants targeted hospitality, videogame, technology and telecommunications companies, research universities and nongovernmental organizations in pursuit of their own financial gain, the indictment alleges. They used sophisticated techniques to conduct operations such as supply chain attacks, in which they compromised software providers and modified their code to hack their customers, it says.
Chengdu 404’s website touted the firm’s “patriotic spirit” and said its customers include public security, military, and military enterprises, according to prosecutors. One of the defendants, Mr. Jiang, and an unidentified associate at one point discussed how the defendant’s working relationship with a Chinese intelligence organization—the Ministry of State Security—provided him protection, the indictment said, citing alleged communications between the two.
The accused Chengdu 404 employees also developed a product, SonarX, to serve as a searchable repository for social media data they collected. In November 2018, one of the defendants, Mr. Qian, saved records of a SonarX query for people linked to Hong Kong democracy movements including current and former members of the Hong Kong Legislative Council, a founding member of the Hong Kong Civic Party, and a pro-democracy activist currently wanted by the Hong Kong police under a new national security law, the indictment alleges, without identifying the individuals. Leaders in the U.S. and other countries have said the law in Hong Kong, a Chinese territory that Beijing had promised special freedoms, is repressive, which Beijing denies.
In December 2018, Mr. Qian saved records from a SonarX query for a U.S. phone number linked to a U.S. government-funded nonprofit broadcasting corporation that has documented news about the predominantly Muslim Uighur minority living in China’s Xinjiang region, according to the indictment. Human-rights groups have accused Beijing of committing widespread abuses in the area, which Chinese officials deny.
The two arrested Malaysian citizens, Wong Ong Hua and Ling Yang Ching, who operated a website that sold videogame currencies and other products used in the games, were charged in another August 2020 indictment in Washington with racketeering and computer crimes.
The pair worked from 2014 through 2018 with two of the other alleged hackers from China to breach the networks of nine videogame companies based in the U.S., South Korea and elsewhere, through malware, spear phishing emails, and other methods, the indictment said. They would create their own videogame accounts and illegally access the credentials of administrators to fraudulently increase the in-game currency and other digital goods in their own accounts, the indictment said. The pair would then sell those products themselves and pocket the proceeds, it said.
In 2014, for example, one of the videogame company victims received an email that appeared to be from a former employee of the company with a résumé attached, but which really contained malware, the indictment said. That malware gave the Malaysians access to the network of that company, according to the indictment, which didn’t identify the company by name.
In February 2018, Mr. Wong discussed with an unnamed computer hacker the possibility of traveling internationally to obtain a private bank account for their proceeds. The hacker responded that American authorities “have stuff on us,” the indictment alleged. Messrs. Wong and Ling couldn’t be reached for comment.
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.