
A dozen Chinese nationals are indicted by the US Department of Justice (DoJ) on Wednesday for a years-long hacking campaign targeting US critical infrastructure – including the US Treasury – and then selling the data, all with the backing of the Chinese government.
In the first of Wednesday’s multiple announcements, DoJ officials say the two men, a hacker-for-hire and a local data broker, began their decade-long espionage campaign for the Chinese government in 2011, causing millions of dollars’ worth of damages and targeting a “multitude” of government agencies, private companies, and non-profit organizations, all based in the US.
Facing a slew of charges in two separate indictments, and further sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC), 38-year-old Yin Kecheng, aka “YKC,” and 45-year-old Zhou Shuai, aka “Coldface,” are accused of illegally acquiring data from highly sensitive US critical infrastructure networks, and then selling the sensitive data through Chinese data brokers.
Zhou allegedly sold data stolen by Yin through i-Soon, a company whose primary customers included the PRC Ministry of State Security (MSS) and the Ministry of Public Safety (MPS), the DoJ said.
The DoJ charged an additional twelve Chinese nationals on Wednesday, including two officers of the MPS, contract employees of “i-Soon,” and members of the Chinese Advanced Persistent Threat known as APT27.
DoJ officials say Beijing’s law enforcement and intelligence services “leveraged China’s reckless and indiscriminate hacker-for-hire ecosystem, including APT 27,” to not only steal data from organizations in the US and elsewhere, but “to suppress free speech and dissent worldwide.”
Beijing's hacker-for-hire operations disrupted
From August 2013 to December 2024, the main duo Zhou and Yin hid their connections to Beijing through several now-sanctioned Chinese companies and with the help of their co-conspirators.
The hackers were said to have exploited zero-day vulnerabilities in the victims' networks, installed backdoor malware, such as PlugX and other remote access trojans (RATs), and used stolen credentials and malicious domains to maintain persistent access to the networks.
Utilizing intermediary servers or “hop points” and malicious domains, the two threat actors were said to have remotely accessed victim computers and exfiltrated their data to Command and Control (CC) servers.
The exfiltrated data came from numerous US technology companies, think tanks, defense contractors, government municipalities, and universities, the DoJ said. Types of data sold included “telecommunications data, border crossing data, data on personnel in religious research, data on media industry personnel, and data on public servants,” it said.

“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed. We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security,” said Sue Bai, head of the Justice Department’s National Security Division (NSA).
One of the companies sanctioned, the Shanghai Heiying Information Technology Company, was founded by Zhou in 2010 and is said to have employed, over the years, numerous known China-backed malicious cyber actors, including Yin.
Yin, additionally linked to the Chinese Salt Typhoon threat group, was also sanctioned by OFAC on January 17 for his involvement in the December 2024 hack of the US Treasury Department which compromised the laptops of multiple senior US officials.
The virtual private server (VPS) account seized by the feds – allegedly used in the US Treasury hack – was also used by Zhou to establish a virtual private network (VPN) to mask the threat actors' true location, create other accounts and IP addresses, and communicate with interested data brokers.
Yin and Zhou are further charged with laundering the money made from selling access to the stolen data using cryptocurrency payments from locations outside of the US.
The US State Department is offering a $2 million reward for information leading to the arrest and/or conviction of Zhou and Yin, who were last known to reside in Shanghai.
The 19-count indictments for both men include charges of conspiracy to commit wire fraud; obtaining information by unauthorized access to protected computers; intentionally causing damage to protected computers; aggravated identity theft; and money laundering.