{
	"id": "a6e89107-d954-4b1e-8c6c-cea5371d7442",
	"created_at": "2026-04-06T01:29:26.156907Z",
	"updated_at": "2026-04-10T03:37:22.824482Z",
	"deleted_at": null,
	"sha1_hash": "55e870343cf7cce94cb6d2c1e0ac81bb100b0c6e",
	"title": "Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55354,
	"plain_text": "Treasury Sanctions China-Linked Hackers for Targeting U.S.\r\nCritical Infrastructure\r\nPublished: 2026-02-13 · Archived: 2026-04-06 00:51:36 UTC\r\nThe U.S. and UK take action against actors affiliated with the Chinese state-sponsored APT 31 hacking group. \r\nWASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned\r\nWuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a Wuhan, China-based\r\nMinistry of State Security (MSS) front company that has served as cover for multiple malicious cyber operations.\r\nOFAC is also designating Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan\r\nXRZ, for their roles in malicious cyber operations targeting U.S. entities that operate within U.S. critical\r\ninfrastructure sectors, directly endangering U.S. national security. This action is part of a collaborative effort with\r\nthe U.S. Department of Justice, Federal Bureau of Investigation (FBI), Department of State, and the United\r\nKingdom Foreign, Commonwealth \u0026 Development Office (FCDO). \r\nPeople’s Republic of China (PRC) state-sponsored malicious cyber actors continue to be one of the greatest and\r\nmost persistent threats to U.S. national security, as highlighted in the most recent Office of the Director of\r\nNational Intelligence Annual Threat Assessment.\r\n“The United States is focused on both disrupting the dangerous and irresponsible actions of malicious cyber\r\nactors, as well as protecting our citizens and our critical infrastructure,” said Under Secretary of the Treasury for\r\nTerrorism and Financial Intelligence Brian E. Nelson. 
“Through our whole-of-government approach and in close\r\ncoordination with our British partners, Treasury will continue to leverage our tools to expose these networks and\r\nprotect against these threats.”\r\nToday, the Department of Justice unsealed indictments of Zhao Guangzong, Ni Gaobin, and five other defendants;\r\nand the U.S. Department of State announced a Rewards for Justice offer for information on these individuals, their\r\norganization, or any associated individuals or entities; and the UK Foreign, Commonwealth \u0026 Development\r\nOffice implemented matching sanctions.\r\nAPT 31: A CHINESE MALICIOUS CYBER GROUP\r\nAn Advanced Persistent Threat (APT) is a sophisticated cyber actor or group with the capability to conduct\r\nadvanced and sustained malicious cyber activity, often with the goal of maintaining ongoing access to a victim’s\r\nnetwork. Information security researchers will categorize and name certain APTs based on observed patterns such\r\nas the location of the perpetrators, the types of victims targeted, and the techniques used in the malicious cyber\r\nactivity. APT 31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff\r\nthat conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD). APT 31 has\r\ntargeted a wide range of high-ranking U.S. government officials and their advisors integral to U.S. national\r\nsecurity including staff at the White House; the Departments of Justice, Commerce, the Treasury, and State;\r\nhttps://home.treasury.gov/news/press-releases/jy2205\r\nPage 1 of 3\n\nmembers of Congress, including both Democrat and Republican Senators; the United States Naval Academy; and\r\nthe United States Naval War College’s China Maritime Studies Institute. \r\nAPT 31 has targeted victims in some of America’s most vital critical infrastructure sectors, including the Defense\r\nIndustrial Base, information technology, and energy sectors. 
APT 31 actors have gained unauthorized access to\r\nmultiple Defense Industrial Base victims, including a defense contractor that manufactured flight simulators for\r\nthe U.S. military, a Tennessee-based aerospace and defense contractor, and an Alabama-based aerospace and\r\ndefense research corporation. Additionally, APT 31 actors gained unauthorized access to a Texas-based energy\r\ncompany, as well as a California-based managed service provider. \r\nIn 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious\r\ncyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics,\r\njournalists, and pro-democracy activists, as well as persons and companies operating in areas of national\r\nimportance. In 2018, employees of Wuhan XRZ conducted an APT 31 malicious cyber operation on a Texas-based\r\nenergy company, gaining unauthorized access. \r\nOFAC is designating Wuhan XRZ pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757 (E.O.\r\n13694, as amended), for being responsible for or complicit in, or having engaged in, directly or indirectly\r\ncyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the\r\nUnited States that are reasonably likely to result in, or has materially contributed to, a significant threat to the\r\nnational security, foreign policy, or economic health or financial stability of the United States and that have the\r\npurpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or\r\nnetwork of computers that support one or more entities in a critical infrastructure sector. \r\nZhao Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S.\r\nvictims as a contractor for Wuhan XRZ. 
Zhao Guangzong was behind the 2020 APT 31 spear phishing operation\r\nagainst the United States Naval Academy and the United States Naval War College’s China Maritime Studies\r\nInstitute. Additionally, Zhao Guangzong has conducted numerous spear phishing operations against Hong Kong\r\nlegislators and democracy advocates. \r\nOFAC is designating Zhao Guangzong pursuant to E.O. 13694, as amended, for being owned or controlled by, or\r\nhaving acted or purported to act for or on behalf of, directly or indirectly, Wuhan XRZ, an entity whose property\r\nor interest in property are blocked pursuant to E.O. 13694, as amended.\r\nNi Gaobin is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims. Ni\r\nGaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao\r\nGuangzong was a contractor at Wuhan XRZ, including the 2020 spear phishing operation against the United\r\nStates Naval Academy and United States Naval War College’s China Maritime Studies Institute. \r\nOFAC is designating Ni Gaobin pursuant to E.O. 13694, as amended, for being owned or controlled by, or having\r\nacted or purported to act for or on behalf of, directly or indirectly, Wuhan XRZ, an entity whose property or\r\ninterest in property are blocked pursuant to E.O. 13694, as amended.\r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated persons and entity described\r\nabove that are in the United States or in the possession or control of U.S. persons are blocked and must be\r\nreported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate,\r\n50 percent or more by one or more blocked persons are also blocked. 
Unless authorized by a general or specific\r\nlicense issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or\r\nwithin (or transiting) the United States that involve any property or interests in property of designated or otherwise\r\nblocked persons. \r\nIn addition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.\r\nThe prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the\r\nbenefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from\r\nany such person. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The\r\nultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information\r\nconcerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s\r\nFrequently Asked Question 897 here. For detailed information on the process to submit a request for removal from\r\nan OFAC sanctions list, please click here.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2205",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2205"
	],
	"report_names": [
		"jy2205"
	],
	"threat_actors": [
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438966,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55e870343cf7cce94cb6d2c1e0ac81bb100b0c6e.pdf",
		"text": "https://archive.orkl.eu/55e870343cf7cce94cb6d2c1e0ac81bb100b0c6e.txt",
		"img": "https://archive.orkl.eu/55e870343cf7cce94cb6d2c1e0ac81bb100b0c6e.jpg"
	}
}