4 APT40 Chinese Hackers Charged for Developing Malware & Hacking U.S Companies, Universities & GOV Entities

U.S federal grand jury Charged four Chinese hackers who are working with the Chinese Ministry of State Security for allegedly hacking into the computer systems of dozens of victim companies, universities and government entities in the United States and other country networks between 2011 to 2018.

There are 2 indictments alleged that 3 of them (Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin) were working as HSSD officers with the responsibilities of coordinating, facilitating, and managing computer hackers at Hainan Xiandun. The fourth one “Wu Shurong” was a malware developer who has duties of creating malware, hacked into computer systems operated by foreign governments, companies, and universities, also supervised other Hainan Xiandun hackers.

Hainan Xiandun Technology Development Co., Ltd. is a Chinese government-backed company where hackers used to target and attack foreign governments, companies, and universities, also included, among others, aviation, defense, education, government, health care, biopharmaceutical, and maritime.

The defendant’s malicious activities are already observed in various hacking groups such as Advanced Persistent Threat (APT 40) 40, BRONZE, MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper.

These attacks were initiated with the motivation of stealing trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology, and data.

These MSS officers are coordinated with staff and professors at various Chinese universities to identify and recruit the hackers and linguists to penetrate and steal from the computer networks of targeted entities and also found the Hainan-based university was helped  Hainan Xiandun as a front company.

According to Deputy Attorney General Lisa O. Monaco, “These charges are clearly stated that China continues to use cyber-enabled attacks to steal what other countries make in different sectors ranging from healthcare and biomedical research to aviation and defense.”

Infection Methods

Indictment Referred that the attackers were initiated by sent fraudulent spearphishing emails, Developing malicious domains that  resemble the domains of well-known companies, and drop the link into the victims.

“The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand and maintain unauthorized access to victim computers and networks.”DOJ report stated.

In order to communicate anonymously, hackers were used the Onion Router (TOR), to access malware on victim networks and manage their hacking infrastructure, including servers, domains and email accounts.

conspiracy have used legitimate third party services GitHub to store both store malware and stolen data to hide them using steganography.

“The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit economic espionage, which carries a maximum sentence of 15 years in prison,” DOJ said.

 DHS and Infrastructure Security Agency (CISA) released a detailed technical report that including technical details of the attacks, operations, Tactics, Techniques, Procedures, indicators of compromise, and mitigation measures.

The NSA, CISA, and FBI also issued a joint advisory with over 50 tactics, techniques, and procedures (TTPs) that APT40 and other Chinese-backed threat groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.