
U.S. accuses China of harboring hackers who targeted video game firms, universities and other companies

Deputy Attorney General Jeffrey Rosen at the Justice Department in Washington on Wednesday. (Pool/Reuters)

The Justice Department has charged five Chinese nationals in separate global hacking schemes targeting more than 100 video game firms, universities and other victims, officials said Wednesday while also accusing Beijing of tolerating their crimes because they work on behalf of the country’s spy services as well.

Officials also announced the arrests of a pair of Malaysian business executives charged with conspiring with two of the Chinese defendants in a scheme to make money by allegedly hacking video game companies and selling pilfered in-game currency or valuable player profiles. The arrests were made in Malaysia on an FBI warrant.

The Chinese defendants belong to a highly prolific hacking group industry analysts call Wicked Panda, or APT41, which is linked to the Chinese Ministry of State Security, a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security. One is accused of boasting to a colleague that he was “very close” to the MSS and would be protected “unless something very big happens,” Deputy Attorney General Jeffrey Rosen said at a news conference to announce the development.


Taken together, the charges outlined in three grand jury indictments represent the latest salvo by the Justice Department aimed at disrupting malign Chinese behavior in cyberspace. It is part of a broader Trump administration campaign to call out Beijing for its long-running efforts to spy on the West to advance its economy.

Less than two months ago, the Justice Department charged two alleged hackers with working not only to enrich themselves but also on behalf of the MSS — what prosecutors characterize as a “blended threat.” Then as now, officials accused the Chinese government of turning a blind eye to the defendants’ criminal activities — in that instance, they were accused of targeting American biotech firms — because they also worked for the state.

“No country can be respected as a global leader while paying only lip service to the rule of law and without taking steps to disrupt brazen criminal acts like these,” Rosen said.

The alleged hacks were “turbocharged” by a sophisticated technique known as a supply-chain attack, in which the defendants compromised software vendors around the world and modified their code to create “back doors” that enabled further hacks against the vendors’ clients, officials said.

In the alleged video game scheme, the Malaysian business executives, Wong Ong Hua and Ling Yang Ching, teamed up with Chinese suspects Zhang Haoran and Tan Dailin to hack into popular video game companies and sell the in-game currency or player profiles on a website for gamers, according to the indictments, which did not identify any of the companies targeted. The scheme began in 2014, the indictments said.

In-game currency is a fast-growing part of video games, in which players can earn or buy add-ons to enhance their play. For some games, it is simpler to buy a new player profile using such currency already in the account.

Wong and Ling were arrested Monday by Malaysian authorities, and U.S. officials said they will seek their extradition for trial.

Three other Chinese defendants, Jiang Lizhi, Qian Chuan and Fu Qiang, were running a sophisticated campaign to hack more than 100 companies in the United States, Britain, Australia and a dozen Asian countries, according to their indictment. The firms spanned the hotel, video game, technology and telecommunications industries, plus research universities and nongovernmental organizations.

In their alleged scheme, which ran from 2014 through last month, the trio were after source code, customer account data and money, prosecutors said. In some cases they obtained money by encrypting data on victims’ computers and demanding payments to unlock the information — extortion via what is known as ransomware, the indictment says. They also raised funds through a “crypto-jacking” scheme, prosecutors said, in which they hacked thousands of computers at a time, then hijacked their computing power to illegally generate cryptocurrency.

The alleged hackers, who worked for a firm called Chengdu 404 Network Technology, carried off their supply-chain attack by hacking a European electronic communication service — probably a cloud provider — that develops and sells software to clients, the indictment said. They then modified the software to enable them to gain access to the clients, which included a U.S. manufacturer and a U.S. medical provider, it said. Neither firm was identified.

They also penetrated more than a dozen prominent universities in the United States, Hong Kong and Taiwan, officials said. In one case, they hacked a university in Indiana, targeting the departments of computer science, veterinary science and pharmacy, prosecutors said.

The Chengdu 404 defendants also compromised prominent electronic communications and telecommunications providers in the United States and Asia, the indictment said.

APT41 is the earliest known MSS contractor group, industry analysts say. It is technically sophisticated, hitting almost every industry over the past decade.

Its criminal operations appear to predate work for the state, and it may have been co-opted by MSS, which would have significant leverage over it, said John Hultquist, director of intelligence analysis at FireEye, a cybersecurity firm.

“In situations such as this, a bargain can be reached between the security service and the operators wherein the operators enjoy protection in return for offering high-end talent to the service” while allowing the government to deny involvement, he said.

The group has consistently expanded its targeting scope as well as its tool suite while shifting from criminally focused operations to state-sponsored, targeted intrusions that often align with Chinese Communist Party objectives, said Adam Meyers, senior vice president of intelligence at the cyber firm CrowdStrike. Those objectives focus on making China a leader in 10 high-tech industries by 2025, he said.