{
	"id": "3fbe6f68-4396-4a16-baa6-d2ed273b1a6b",
	"created_at": "2026-04-06T00:17:14.7734Z",
	"updated_at": "2026-04-10T03:38:01.828016Z",
	"deleted_at": null,
	"sha1_hash": "becd2782a0fd4356afb31f324777eced2bfe77c6",
	"title": "Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60363,
	"plain_text": "Four Chinese Nationals Working with the Ministry of State\r\nSecurity Charged with Global Computer Intrusion Campaign\r\nTargeting Intellectual Property and Confidential Business\r\nInformation, Including Infectious Disease Research\r\nPublished: 2021-07-19 · Archived: 2026-04-02 12:18:24 UTC\r\nA federal grand jury in San Diego, California, returned an indictment in May charging four nationals and residents\r\nof the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim\r\ncompanies, universities and government entities in the United States and abroad between 2011 and 2018. The\r\nindictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information\r\nthat was of significant economic benefit to China’s companies and commercial sectors, including information that\r\nwould allow the circumvention of lengthy and resource-intensive research and development processes. The\r\ndefendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese\r\ngovernment’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co.,\r\nLtd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.\r\nThe two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏),\r\nwere HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at\r\nHainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned\r\nand sponsored instrumentalities. 
The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who,\r\nas part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign\r\ngovernments, companies and universities, and supervised other Hainan Xiandun hackers.\r\nThe conspiracy’s hacking campaign targeted victims in the United States, Austria, Cambodia, Canada, Germany,\r\nIndonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Targeted\r\nindustries included, among others, aviation, defense, education, government, health care, biopharmaceutical and\r\nmaritime. Stolen trade secrets and confidential business information included, among other things, sensitive\r\ntechnologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft\r\nservicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts\r\nto secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway\r\ndevelopment projects). At research institutes and universities, the conspiracy targeted infectious-disease research\r\nrelated to Ebola, MERS, HIV/AIDS, Marburg and tularemia.\r\nAs alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and\r\nelsewhere in China to further the conspiracy’s goals. 
Not only did such universities assist the MSS in identifying\r\nand recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities,\r\nincluding peers at many foreign universities, but personnel at one identified Hainan-based university also helped\r\nsupport and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing\r\naddress.\r\nhttps://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion\r\nPage 1 of 4\n\n“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other\r\ncountries make, in flagrant disregard of its bilateral and multilateral commitments,” said Deputy Attorney General\r\nLisa O. Monaco. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a\r\ndozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us\r\nthat no country or industry is safe. Today’s international condemnation shows that the world wants fair rules,\r\nwhere countries invest in innovation, not theft.”\r\n“The FBI, alongside our federal and international partners, remains committed to imposing risk and consequences\r\non these malicious cyber actors here in the U.S. and abroad,” said Deputy Director Paul M. Abbate of the FBI.\r\n“We will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage\r\nfor its companies and commercial sectors through criminal intrusion and theft. With these types of actions, the\r\nChinese government continues to undercut its own claims of being a trusted and effective partner in the\r\ninternational community.”\r\n“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of\r\nChina,” said Acting U.S. Attorney Randy Grossman for the Southern District of California. 
“The defendants\r\ninclude foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how\r\nChina’s government made a deliberate choice to cheat and steal instead of innovate. These offenses threaten our\r\neconomy and national security, and this prosecution reflects the Department of Justice’s commitment and ability to\r\nhold individuals and nations accountable for stealing the ideas and intellectual achievements of our nation’s best\r\nand brightest people.”\r\n“The FBI’s San Diego Field Office is committed to protecting the people of the United States and the community\r\nof San Diego, to include our universities, health care systems, research institutes, and defense contractors,” said\r\nSpecial Agent in Charge Suzanne Turner of the FBI’s San Diego Field Office. “The charges outlined today\r\ndemonstrate China’s continued, persistent computer intrusion efforts, which will not be tolerated here or abroad.\r\nWe stand steadfast with our law enforcement partners in the United States and around the world and will continue\r\nto hold accountable those who commit economic espionage and theft of intellectual property.” \r\nThe defendants’ activity had been previously identified by private sector security researchers, who have referred to\r\nthe group as Advanced Persistent Threat (APT) 40, BRONZE, MOHAWK, FEVERDREAM, G0065, Gadolinium,\r\nGreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper.\r\nAccording to the indictment, to gain initial access to victim networks, the conspiracy sent fraudulent\r\nspearphishing emails, that were buttressed by fictitious online profiles and contained links to doppelgänger\r\ndomain names, which were created to mimic or resemble the domains of legitimate companies. 
In some instances,\r\nthe conspiracy used hijacked credentials, and the access they provided, to launch spearphishing campaigns against\r\nother users within the same victim entity or at other targeted entities. The conspiracy also used multiple and\r\nevolving sets of sophisticated malware, including both publicly available and customized malware, to obtain,\r\nexpand and maintain unauthorized access to victim computers and networks. The conspiracy’s malware included\r\nthose identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka\r\nmt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim\r\nsystems, lateral movement within a system, and theft of credentials, including administrator passwords.\r\nThe conspiracy often used anonymizer services, such as The Onion Router (TOR), to access malware on victim\r\nnetworks and manage their hacking infrastructure, including servers, domains and email accounts. The conspiracy\r\nfurther attempted to obscure its hacking activities through other third-party services. For example, the conspiracy\r\nused GitHub to both store malware and stolen data, which was concealed using steganography. 
The conspiracy\r\nalso used Dropbox Application Programming Interface (API) keys in commands to upload stolen data directly to\r\nconspiracy-controlled Dropbox accounts to make it appear to network defenders that such data exfiltration was an\r\nemployee’s legitimate use of the Dropbox service.\r\nCoinciding with today’s announcement, to enhance private sector network defense efforts against the conspirators,\r\nthe FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)\r\nreleased a Joint Cybersecurity Advisory\r\ncontaining these and further technical details, indicators of compromise and mitigation measures.\r\nThe defendants are each charged with one count of conspiracy to commit computer fraud, which carries a\r\nmaximum sentence of five years in prison, and one count of conspiracy to commit economic espionage, which\r\ncarries a maximum sentence of 15 years in prison. The maximum potential sentences in this case are prescribed by\r\nCongress and are provided here for informational purposes only, as any sentencings of the defendants will be\r\ndetermined by the assigned judge.\r\nThe investigation was conducted jointly by the U.S. Attorney’s Office for the Southern District of California, the\r\nNational Security Division’s Counterintelligence and Export Controls Section, and the FBI’s San Diego Field\r\nOffice. The FBI’s Cyber Division, Cyber Assistant Legal Attachés and Legal Attachés in countries around the\r\nworld provided essential support. Numerous victims cooperated and provided valuable assistance in the\r\ninvestigation.\r\nAssistant U.S. 
Attorneys Fred Sheppard and Sabrina Feve of the Southern District of California and Trial Attorney\r\nMatthew McKenzie of the National Security Division’s Counterintelligence and Export Control Section are\r\nprosecuting this case.\r\nThe details contained in the charging document are allegations. The defendants are presumed innocent until\r\nproven guilty beyond a reasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion"
	],
	"report_names": [
		"four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/becd2782a0fd4356afb31f324777eced2bfe77c6.pdf",
		"text": "https://archive.orkl.eu/becd2782a0fd4356afb31f324777eced2bfe77c6.txt",
		"img": "https://archive.orkl.eu/becd2782a0fd4356afb31f324777eced2bfe77c6.jpg"
	}
}