Pierluigi Paganini
March 26, 2024
The US government announced sanctions against a pair of Chinese hackers (Zhao Guangzong and Ni Gaobin), alleged members of the China-linked APT31 group, who are responsible for “malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors.”
The U.S. Treasury Department has sanctioned a tech company based in Wuhan, the Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), used by the Chinese Ministry of State Security (MSS) as a front in attacks against organizations in the U.S. critical infrastructure sector.
“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a Wuhan, China-based Ministry of State Security (MSS) front company that has served as cover for multiple malicious cyber operations. OFAC is also designating Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan XRZ, for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical infrastructure sectors, directly endangering U.S. national security.” reads the press release published by the U.S. Treasury Department. “This action is part of a collaborative effort with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United Kingdom Foreign, Commonwealth & Development Office (FCDO).”
The U.S. Treasury Department states that China-linked APT groups continue to be one of the greatest and most persistent threats to U.S. national security.
The US Department of Justice unsealed an indictment against 7 Chinese nationals, including the two members of the APT31 group.
The indictment charged seven Chinese nationals with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in the APT31 China-based hacking group.
For around 14 years, the group has targeted critics, businesses, and political officials in the United States and abroad as part of China’s economic espionage and foreign intelligence goals.
The defendants are Ni Gaobin (倪高彬), 38; Weng Ming (翁明), 37; Cheng Feng (程锋), 34; Peng Yaowen (彭耀文), 38; Sun Xiaohui (孙小辉), 38; Xiong Wang (熊旺), 35; and Zhao Guangzong (赵光宗), 38. All are believed to reside in the PRC.
China-linked cybereaspionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) was involved in multiple cyber espionage operations, it made the headlines in 2022 after the Check Point Research team discovered that the group used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool, years before it was leaked online by Shadow Brokers hackers.
In July 2021, the French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the Chine-linked APT31 cyberespionage group. The state-sponsored hackers were hijacking home routers to set up a proxy mesh of compromised devices to conceal its attack infrastructure.
The cyberespionage group targeted entities in EU, the United States, Canada in previous campaigns. In August 2021, the APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia.
“The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security Department, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010, the defendants conducted global campaigns of computer hacking targeting political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates, and campaign personnel in the United States and elsewhere and American companies.” reads the press release published by DoJ. “The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT31)
