Tuesday, March 25, 2025

12 Chinese Contract Hackers, Security Officers Indicted by U.S. in Global Computer Intrusion Campaigns

The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activities of 12 Chinese nationals, including two officers of China's Ministry of Public Security (MPS), employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司), also known as “i-Soon,” and members of Advanced Persistent Threat 27 (APT27).

These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security (MSS) and on their own initiative.

The MPS and MSS paid handsomely for stolen data. Victims include U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury in late 2024.

According to court documents, the MPS and MSS employed an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement. In some cases, the MPS and MSS paid private hackers in China to exploit specific victims.

In many other cases, the hackers targeted victims speculatively. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government.

The result of this largely indiscriminate approach was more worldwide computer intrusion victims, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.

Additional information regarding the indictments and the PRC’s hacker-for-hire ecosystem is available in Public Service Announcements published by the FBI today.

U.S. v. Wu Haibo et al., Southern District of New York

Wednesday, a federal court in Manhattan unsealed an indictment charging eight i-Soon employees and two MPS officers for their involvement, from at least in or around 2016 through in or around 2023, in the numerous and widespread hacking of email accounts, cell phones, servers, and websites. On Wednesday, the Department also announced the court-authorized seizure of the primary internet domain used by i-Soon to advertise its business.

The defendants remain at large and are wanted by the FBI. Concurrent with today’s announcement, the U.S. Department of State’s Rewards for Justice (RFJ) program, administered by the Diplomatic Security Service, announced a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

The reward is offered for Wu Haibo (吴海波), Chief Executive Officer; Chen Cheng (陈诚), Chief Operating Officer; Wang Zhe (王哲), Sales Director; Liang Guodong (梁国栋), Technical Staff; Ma Li (马丽), Technical Staff; Wang Yan (王堰), Technical Staff; Xu Liang (徐梁), Technical Staff; Zhou Weiwei (周伟伟), Technical Staff; Wang Liyu (王立宇), MPS Officer; and Sheng Jing (盛晶), MPS Officer, who are alleged to have worked in various capacities to direct or carry out i-Soon’s malicious cyber activity.

i-Soon and its employees, including the defendants, generated tens of millions of dollars in revenue as a key player in the PRC’s hacker-for-hire ecosystem. In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants.

In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China.

i-Soon charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully exploited. i-Soon also trained MPS employees how to hack independently of i-Soon and offered a variety of hacking methods for sale to its customers.

The defendants’ U.S.-located targets included a large religious organization that previously sent missionaries to China and was openly critical of the PRC government, and an organization focused on promoting human rights and religious freedom in China.

In addition, the defendants targeted multiple news organizations in the United States, including those that have opposed the CCP or delivered uncensored news to audiences in Asia, including China, and the New York State Assembly, one of whose representatives had communicated with members of a religious organization banned in China.

The defendants’ foreign-located targets included a religious leader and his office and a Hong Kong newspaper that i-Soon considered as being opposed to the PRC government. The defendants also targeted the foreign ministries of Taiwan, India, South Korea, and Indonesia.
