{
	"id": "9fe59acc-ef3e-443e-846f-743cfe236019",
	"created_at": "2026-04-06T00:11:01.813151Z",
	"updated_at": "2026-04-10T13:13:08.965301Z",
	"deleted_at": null,
	"sha1_hash": "08b620119cf71690231c96f2a0c075f00da89ffc",
	"title": "Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84057,
	"plain_text": "Seven Hackers Associated with Chinese Government Charged with\r\nComputer Intrusions Targeting Perceived Critics of China and\r\nU.S. Businesses and Politicians\r\nPublished: 2024-03-25 · Archived: 2026-04-05 18:03:49 UTC\r\nNote: Concurrent with this announcement, the U.S. Department of the Treasury imposed sanctions\r\nagainst two of the defendants, and the U.S. Department of State announced a Reward for Justice up to $10 million\r\nfor information on these individuals, their organization, and associated entities.\r\nhttps://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived\r\nPage 1 of 7\n\nSee also the UK Government attribution statement;\r\nthe National Cyber Security Centre statement;\r\nand the U.S. State Department's diplomatic statement\r\nfrom the Office of the Spokesperson.\r\nAn indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with\r\nconspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses, and political\r\nofficials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.\r\nThe defendants are Ni Gaobin (倪高彬), 38; Weng Ming (翁明), 37; Cheng Feng (程锋), 34; Peng Yaowen (彭耀文), 38;\r\nSun Xiaohui (孙小辉), 38; Xiong Wang (熊旺), 35; and Zhao Guangzong (赵光宗), 38. All are believed\r\nto reside in the PRC.\r\n“The Justice Department will not tolerate efforts by the Chinese government to intimidate Americans who serve\r\nthe public, silence the dissidents who are protected by American laws, or steal from American businesses,” said\r\nAttorney General Merrick B. Garland. 
“This case serves as a reminder of the ends to which the Chinese\r\ngovernment is willing to go to target and intimidate its critics, including launching malicious cyber operations\r\naimed at threatening the national security of the United States and our allies.”\r\n“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged in today’s\r\nindictment, this prolific global hacking operation – backed by the PRC government – targeted journalists, political\r\nofficials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal\r\ntrade secrets,” said Deputy Attorney General Lisa Monaco. “The Department of Justice will relentlessly pursue,\r\nexpose, and hold accountable cyber criminals who would undermine democracies and threaten our national\r\nsecurity.” \r\n\"Today's announcement exposes China's continuous and brash efforts to undermine our nation's cybersecurity and\r\ntarget Americans and our innovation,” said FBI Director Christopher Wray. \"As long as China continues to target\r\nthe US and our partners, the FBI will continue to send a clear message that cyber espionage will not be\r\ntolerated, and we will tirelessly pursue those who threaten our nation’s security and prosperity. This indictment\r\nunderscores our unwavering commitment to disrupt and deter malicious cyber activity, and safeguard our citizens,\r\nbusinesses, and critical infrastructure from threats in cyberspace.\"\r\n“The indictment unsealed today, together with statements from our foreign partners regarding related activity, shed\r\nfurther light on the PRC Ministry of State Security’s aggressive cyber espionage and transnational repression\r\nactivities worldwide,” said Assistant Attorney General Matthew G. 
Olsen of the Justice Department’s National\r\nSecurity Division. “Today’s announcements underscore the need to remain vigilant to cybersecurity threats and\r\nthe potential for cyber-enabled foreign malign influence efforts, especially as we approach the 2024 election cycle.\r\nThe Department of Justice will continue to leverage all tools to disrupt malicious cyber actors who threaten our\r\nnational security and aim to repress fundamental freedoms worldwide.”\r\n“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from\r\nU.S. elected and government officials, journalists, and academics; valuable information from American\r\ncompanies; and political dissidents in America and abroad. Their sinister scheme victimized thousands of people\r\nand entities across the world, and lasted for well over a decade,” said U.S. Attorney Breon Peace for the Eastern\r\nDistrict of New York. “America’s sovereignty extends to its cyberspace. Today’s charges demonstrate my office’s\r\ncommitment to upholding and protecting that jurisdiction, and to putting an end to malicious nation state cyber\r\nactivity.”\r\n“The recent indictments against the Chinese actors reaffirm the FBI’s relentless dedication to combating cyber\r\nthreats,” said Assistant Director Bryan Vorndran of the FBI Cyber Division. “They serve as a reminder that cyber\r\nadversaries who seek to compromise our nation’s systems and target US officials cannot rely on the cloak of\r\nanonymity and will face consequences for their actions.”\r\n“APT31 Group’s practices further demonstrate the size and scope of the PRC’s state-sponsored hacking\r\napparatus,” said Special Agent in Charge Robert W. “Wes” Wheeler Jr. of the FBI Chicago Field Office. “FBI\r\nChicago worked tirelessly to uncover this complex web of alleged foreign intelligence and economic espionage\r\ncrimes. Thanks to these efforts, as well as our partnerships with the U.S. 
Attorneys’ Offices and fellow Field\r\nOffices, the FBI continues to be successful in holding groups accountable and protecting national security.”\r\nOverview\r\nAs alleged in the indictment and court filings, the defendants, along with dozens of identified PRC Ministry of\r\nState Security (MSS) intelligence officers, contractor hackers, and support personnel, were members of a hacking\r\ngroup operating in the PRC and known within the cybersecurity community as Advanced Persistent Threat 31 (the\r\nAPT31 Group). The APT31 Group was part of a cyberespionage program run by the MSS’s Hubei State Security\r\nDepartment, located in the city of Wuhan. Through their involvement with the APT31 Group, since at least 2010,\r\nthe defendants conducted global campaigns of computer hacking targeting political dissidents and perceived\r\nsupporters located inside and outside of China, government and political officials, candidates, and campaign\r\npersonnel in the United States and elsewhere and American companies.\r\nThe defendants and others in the APT31 Group targeted thousands of U.S. 
and foreign individuals and companies.\r\nSome of this activity resulted in successful compromises of the targets’ networks, email accounts, cloud storage\r\naccounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.\r\nHacking Scheme\r\nThe more than 10,000 malicious emails that the defendants and others in the APT31 Group sent to these targets\r\noften appeared to be from prominent news outlets or journalists and appeared to contain legitimate news articles.\r\nThe malicious emails contained hidden tracking links, such that if the recipient simply opened the email,\r\ninformation about the recipient, including the recipient’s location, internet protocol (IP) addresses, network\r\nschematics, and specific devices used to access the pertinent email accounts, was transmitted to a server controlled\r\nby the defendants and those working with them. The defendants and others in the APT31 Group then used this\r\ninformation to enable more direct and sophisticated targeted hacking, such as compromising the recipients’ home\r\nrouters and other electronic devices.\r\nThe defendants and others in the APT31 Group also sent malicious tracking-link emails to government officials\r\nacross the world who expressed criticism of the PRC government. For example, in or about 2021, the conspirators\r\ntargeted the email accounts of various foreign government individuals who were part of the Inter-Parliamentary\r\nAlliance on China (IPAC), a group founded in 2020 on the anniversary of the 1989 Tiananmen Square protests\r\nwhose stated purpose was to counter the threats posed by the Chinese Communist Party to the international order\r\nand democratic principles. 
The targets included every European Union member of IPAC, and 43 United Kingdom\r\nparliamentary accounts, most of whom were members of IPAC or had been outspoken on topics relating to the\r\nPRC government.\r\nTo gain and maintain access to the victim computer networks, the defendants and others in the APT31 Group\r\nemployed sophisticated hacking techniques including zero-day exploits, which are exploits that the hackers\r\nbecame aware of before the manufacturer or the victim was able to patch or fix the vulnerability. These activities\r\nresulted in the confirmed and potential compromise of economic plans, intellectual property, and trade secrets\r\nbelonging to American businesses, and contributed to the estimated billions of dollars lost every year as a result of\r\nthe PRC’s state-sponsored apparatus to transfer U.S. technology to the PRC.\r\nTargeting of U.S. Government Officials and U.S. and Foreign Politicians and Campaigns\r\nThe targeted U.S. government officials included individuals working in the White House, at the Departments of\r\nJustice, Commerce, Treasury, and State, and U.S. Senators and Representatives of both political parties. The\r\ndefendants and others in the APT31 Group targeted these individuals at both professional and personal email\r\naddresses. Additionally, in some cases, the defendants also targeted victims’ spouses, including the spouses of a\r\nhigh-ranking Department of Justice official, high-ranking White House officials, and multiple U.S. Senators.\r\nTargets also included election campaign staff from both major U.S. 
political parties in advance of the 2020\r\nelection.\r\nThe allegations in the indictment regarding the malicious cyber activity targeting political officials, candidates,\r\nand campaign personnel are consistent with the March 2021 Joint Report of the Department of Justice and the\r\nDepartment of Homeland Security on Foreign Interference Targeting Election Infrastructure or Political\r\nOrganization, Campaign, or Candidate Infrastructure Related to the 2020 US Federal Elections. That report cited\r\nincidents when Chinese government-affiliated actors “materially impacted the security of networks associated\r\nwith or pertaining to U.S. political organizations, candidates, and campaigns during the 2020 federal elections.”\r\nThat report also concluded that “such actors gathered at least some information they could have released in\r\ninfluence operations,” but which the Chinese actors did not ultimately deploy in such a manner. Consistent with\r\nthat conclusion, the indictment does not allege that the hacking furthered any Chinese government influence\r\noperations against the United States. The indictment’s allegations nonetheless serve to underscore the need for\r\nU.S. (and allied)\r\npolitical organizations, candidates, and campaigns to remain vigilant in their cybersecurity posture and in\r\notherwise protecting their sensitive information from foreign intelligence services, particularly in light of the U.S.\r\nIntelligence Community’s recent assessment\r\nthat “[t]he PRC may attempt to influence the U.S. elections in 2024 at some level because of its desire to sideline\r\ncritics of China and magnify U.S. societal divisions.”\r\nTargeting of U.S. 
Companies\r\nThe defendants and others in the APT31 Group also targeted individuals and dozens of companies operating in\r\nareas of national economic importance, including the defense, information technology, telecommunications,\r\nmanufacturing and trade, finance, consulting, legal, and research industries. The defendants and others in the\r\nAPT31 Group hacked and attempted to hack dozens of companies or entities operating in these industries,\r\nincluding multiple cleared defense contractors who provide products and services to the U.S. military, multiple\r\nmanaged service providers who managed the computer networks and security for other companies, a leading\r\nprovider of 5G network equipment, and a leading global provider of wireless technology, among many others.\r\nTargeting for Transnational Repression of Dissidents\r\nThe defendants and the APT31 Group also targeted individual dissidents around the world and other individuals\r\nwho were perceived as supporting such dissidents. For example, in 2018, after several activists who spearheaded\r\nHong Kong’s Umbrella Movement were nominated for the Nobel Peace Prize, the defendants and the APT31\r\nGroup targeted Norwegian government officials and a Norwegian managed service provider. The conspirators also\r\nsuccessfully compromised Hong Kong pro-democracy activists and their associates located in Hong Kong, the\r\nUnited States, and other foreign locations with identical malware.\r\nThe charged defendants’ roles in the conspiracy consisted of testing and exploiting the malware used to conduct\r\nthese intrusions, managing infrastructure associated with these intrusions, and conducting surveillance and\r\nintrusions against specific U.S. entities. 
For example:\r\nCheng Feng, Sun Xiaohui, Weng Ming, Xiong Wang, and Zhao Guangzong were involved in testing and\r\nexploiting malware, including malware used in some of these intrusions.\r\nCheng and Ni Gaobin managed infrastructure associated with some of these intrusions, including the\r\ndomain name for a command-and-control server that accessed at least 59 unique victim computers,\r\nincluding a telecommunications company that was a leading provider of 5G network equipment in the\r\nUnited States, an Alabama-based research corporation in the aerospace and defense industries, and a\r\nMaryland-based professional support services company.\r\nSun and Weng operated the infrastructure used in an intrusion into a U.S. company known for its public\r\nopinion polls. Sun and Peng Yaowen conducted research and reconnaissance on several additional U.S.\r\nentities that were later the victims of the APT31 Group’s intrusion campaigns.\r\nNi and Zhao sent emails with links to files containing malware to PRC dissidents, specifically Hong Kong\r\nlegislators and democracy advocates, as well as targeting U.S. entities focusing on PRC-related issues.\r\nAssistant U.S. Attorneys Douglas M. Pravda, Saritha Komatireddy, and Jessica Weigel for the Eastern District of\r\nNew York are prosecuting the case, with valuable assistance from Matthew Anzaldi and Matthew Chang of the\r\nNational Security Division’s National Security Cyber Section.\r\nAn indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived"
	],
	"report_names": [
		"seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08b620119cf71690231c96f2a0c075f00da89ffc.pdf",
		"text": "https://archive.orkl.eu/08b620119cf71690231c96f2a0c075f00da89ffc.txt",
		"img": "https://archive.orkl.eu/08b620119cf71690231c96f2a0c075f00da89ffc.jpg"
	}
}