The Justice Department said Wednesday that a group of hackers connected to China’s main intelligence service had penetrated more than 100 corporations and organisations around the world to steal intelligence, hijack their networks and extort their victims.
The U.S. government outlined the allegations in a series of three indictments unsealed on Wednesday, which showed the scope and sophistication of China’s efforts to illegally advance its economy and become a dominant global superpower through cyberattacks. The indictments also claimed that some of the hackers had worked with Malaysian nationals to steal and launder money from the video game industry.
“The Chinese government has made a deliberate choice to allow its citizens to commit computer intrusions and attacks around the world because these actors will also help the PRC,” Deputy Attorney General Jeffrey A. Rosen said, referring to the People’s Republic of China in a news conference at which he announced the charges.
The acting U.S. attorney for the District of Columbia, Michael R. Sherwin, said some of the perpetrators viewed their association with China as providing “free license to hack and steal across the globe.”
The hackers — Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang — focused on social media and other technology firms, universities, government agencies and non-profit organisations, according to the indictments.
The breadth of their reach was partly due to the use of a so-called supply chain attack, which allowed them to break into software companies and inject malicious code into their products. When those products were installed on other systems, the hackers could use the code they had planted to break in. The attack identified by Justice Department officials on Wednesday was one of the first supply chain attacks to be publicly described in a U.S. indictment of Chinese nationals.
Some of the Chinese hackers also worked with two Malaysian businessmen, using video game networks to steal from companies and launder the illegal proceeds. The businessmen, Wong Ong Hua and Ling Yang Ching, were arrested in Malaysia on Monday, officials said.
Cybersecurity researchers had tracked the hackers and their criminal computer activity under the group names Advanced Persistent Threat 41, Barium, Winnti, Wicked Panda and Panda Spider, officials said.
“They compromised video game distributors to proliferate malware, which could then be used for follow-up operations,” said John Hultquist, the senior director of threat intelligence at cybersecurity company Mandiant.
The group, initially known as Wicked Spider to researchers at CrowdStrike, the California cybersecurity company, at first seemed to be hacking for profit. But there was a noticeable shift starting at the end of 2015.
The group, which had primarily targeted gaming companies, moved on to a long list of companies in the United States, Germany, Hong Kong, Japan, South Korea and Taiwan, operating in agriculture, hospitality, chemicals, manufacturing and technology, whose intellectual property would support China’s official Five-Year Plan, the nation’s top-level policy blueprint.
Their techniques also changed. Previously, the group had been known for reusing similar malware across its attacks, but that year its hackers began attempting a more sophisticated set of supply chain attacks.
By the end of 2016, researchers concluded that the hackers they had identified as Wicked Spider were operating at the behest of the Chinese state and changed their moniker to Wicked Panda. Panda was the CrowdStrike moniker for hacking groups that acted on the orders of the Chinese government.
As the indictments were announced Wednesday, researchers applauded the effort. “The United States government is starting to turn the tide on Chinese intrusion operations on Western companies and targets,” said Adam Meyers, CrowdStrike’s head of threat intelligence.
Verizon, Microsoft, Facebook and Alphabet, Google’s parent company, supported the government in its investigation.