MSP Cyberattacks Part Of US Accusations Against Chinese Group

Each of the seven face a count of conspiracy to commit computer intrusions and wire fraud conspiracy, according to the court documents.

Attacks on MSPs were part of an alleged 14-year campaign revealed Monday in unsealed charges against seven Chinese nationals in United States District Court – with the U.S. also putting out a reward of up to $10 million for information on the alleged hackers.

As part of the campaign, the group of alleged cyber attackers targeted and gained access to the networks of seven unnamed MSPs in New York, California, Massachusetts, Colorado, Idaho and overseas, according to the documents filed in the Eastern District of New York in January.

Each of the seven defendants face a count of conspiracy to commit computer intrusions and wire fraud conspiracy, according to the court documents.

The group’s actions potentially compromised “work and personal email accounts, cloud storage accounts and telephone call records belonging to millions of Americans” and “contributed to the estimated billions of dollars lost every year as a result of the PRC’s (People’s Republic of China) state-sponsored apparatus to transfer U.S. technology to the PRC,” according to the documents.

US Charges Chinese Nationals With MSP Attacks

CRN has reached out to the U.S. Department of Justice; the U.S. Department of Treasury and the U.K. Foreign, Commonwealth & Development Office (FCDO) for comment.

In a statement to CRN, Chinese Embassy spokesperson Liu Pengyu said the U.S. accusations against the Chinese government are “without valid evidence.”

“The US jumped to an unwarranted conclusion and made groundless accusations against China,” the spokesperson said. “It is extremely irresponsible and is a complete distortion of facts. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”

The spokesperson said that “China firmly opposes and cracks down on all forms of cyberattacks in accordance with law” and called the U.S. “the origin and the biggest perpetrator of cyberattacks,” including alleged attacks against China’s critical infrastructure.

“China is a major victim of cyberattacks,” according to the statement. “We have firmly fought and stopped all kinds of malicious cyber activities in accordance with the law, and advocated joint response from all countries through dialogue and cooperation. …We urge the US to stop its worldwide cyber espionage and cyberattacks, and stop smearing other countries under the excuse of cyber security.”

In a statement, U.S. Attorney General Merrick Garland said that “the Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve the public, silence the dissidents who are protected by American laws, or steal from American businesses.”

“This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies,” he said.

The U.S. also seeks forfeiture of “any property constituting, or derived from, proceeds obtained directly or indirectly” for each count if the group is convicted, according to the documents. A reward of up to $10 million for information on the defendants was posted to X, formerly known as Twitter, by the official account of the U.S. Department of State’s Rewards for Justice program.

U.S. Attorney Breon Peace for the Eastern District of New York, who signed the indictment, said in a statement that “these allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists, and academics; valuable information from American companies; and political dissidents in America and abroad.”

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade,” Peace said. “America’s sovereignty extends to its cyberspace. Today’s charges demonstrate my office’s commitment to upholding and protecting that jurisdiction, and to putting an end to malicious nation state cyber activity.”

The Defendants

The defendants, all residents of China, are:

Ni Gaobin (倪高彬), 38, an alleged hacker working for the foreign intelligence and economic espionage efforts of China’s Ministry of State Security (MSS) and targeting Hong Kong democracy activists and members of the Uygher minority group
Weng Ming (翁明), 37, an alleged MSS hacker focused on foreign intelligence and economic espionage
Cheng Feng (程锋), 34, an alleged hacker for Wuhan Xiaoruizhi Science & Technology Co. (Wuhan XRZ), an alleged front company of the provincial Hubei State Security Department (HSSD)
Peng Yaowen (彭耀文), 38, another alleged Wuhan XRZ hacker
Sun Xiaohui (孙小辉), 38, the alleged owner of private company Wuhan Liuhe Tiangong Science & Technology Co. (Wuhan Liuthe), which allegedly supported the MSS
Xiong Wang (熊旺), 34 or 35, another alleged Wuhan XRZ hacker
Zhao Guangzong (赵光宗), 38, another alleged Wuhan XRZ hacker

The documents also accuse “known and unknown” conspirators with at least aiding the attacks. The documents include photos of the defendants and says that their group is known in cybersecurity research circles by the names “Advanced Persistent Threat 31,” “APT 31,” “Zirconium,” “Violet Typhoon,” “Judgment Panda” and “Altaire.”

Along with the criminal charges, the U.S. The Department of Treasury sanctioned Wuhan XRZ and added Zhao and Ni to a list of “Specially Designated Nationals” with blocked assets and banned from dealing with Americans.

The United Kingdom also sanctioned Wuhan XRZ, Zhao and Ni and blamed the group “for 2 malicious cyber campaigns targeting democratic institutions and parliamentarians.”

The court documents allege that the campaign against the MSPs took place around 2017 to 2019, although the group’s efforts date back to at least 2010.

California MSP Attack

The documents go into more details about attacks on a California-based MSP and a Norwegian MSP.

In one MSP breach around May 2017, the group accessed a California-based MSP’s backup server and went on to reaching customer servers, according to the documents.

“Using malicious files hidden in network security programs, the Conspirators gained access to at least 35 devices on the California MSP’s network and exploited the California MSP’s access to customer networks to spread malware to at least 15 servers on as many as seven remote customer networks,” according to the court documents.

“The affected California MSP customers included a financial company, a nuclear power engineering company, an enterprise-resources planning company and three additional IT managed service providers.”

Norwegian MSP Attack

The documents allege that one attack on an unnamed Norwegian MSP and the Norwegian government came following the February 2018 nomination of Hong Kong activists by U.S lawmakers for the Nobel Peace Prize. The prize is decided by the Norwegian Nobel Committee, a five-member committee appointed by the Norwegian Parliament.

The attack was done through DropDoor/DropCat malware, which “forced the compromised computer to download and process commands that the Conspirators stored in an account on an online file storage platform and encrypted and uploaded stolen data from the compromised network to that same account,” according to the documents.

Around April 2018, the group allegedly deployed the malware into the Norwegian MSP’s network, obtained data from the MSP and in July 2018 “began accessing the website of the Nobel Prize Committee, including identifying the members who served on the committee.”

The wide-ranging list of unnamed organizations the group gained access to between 2010 and 2023 includes:

defense contractors
aerospace research firms
Global law firms throughout the U.S.
Research hospitals in New York and Massachusetts
“a leading global provider of wireless technology based in Illinois”
“a software company servicing the industrial controls industry based in California”
“a multi-factor authentication company”
“an IT services and spatial processing company based in Colorado”
“a leading provider of 5G network equipment in the United States”
“an IT solutions and 5G integration service company based in Idaho”
“an apparel company based in New York”
“an energy company based in Texas”
“an American multi-national management consulting company with offices in Washington, D.C. and elsewhere”
“a financial ratings company based in New York”
“an advertising agency based in New York”

The UK said its “Electoral Commission systems were highly likely compromised by a Chinese state-affiliated entity between 2021 and 2022” and said “it is almost certain” that this group “conducted reconnaissance activity against UK parliamentarians during a separate campaign in 2021.”

“No parliamentary accounts were successfully compromised,” according to a statement from the UK on Monday.

Along with the MSPs, other alleged targets by the group include senior staff members of an unnamed 2020 presidential campaign, every European Union (EU) member of the Inter-Parliamentary Alliance on China (IPAC), United Kingdom parliament members.

The group’s efforts even included sending “more than 10,000 malicious email messages to professional and personal email addresses belonging to high-ranking U.S. government officials and their advisors, including officials involved in international policy and foreign trade issues,” according to the documents.

That effort lasted from around June 2018 to September 2018 with targeted individuals in the White House, several U.S. departments, Democratic and Republican members of the U.S. Congress and the spouses of officials, according to the documents.