China’s state-backed hacking is ‘one of the greatest and most persistent threats to U.S. national security,’ the State Department said.
WASHINGTON—The United States has sanctioned a dozen Chinese nationals, including two intelligence officials, for their involvement in a years-long hacking campaign to steal data from the U.S. government and undermine dissident groups.
The Epoch Times has learned it was a victim of the hacking campaign.
Eight of the defendants work for i-Soon, a Chinese tech firm that has hacked victims around the globe, including U.S. government agencies and dissident groups the Chinese Communist Party considers a threat, according to Department of Justice (DOJ) filings released on March 5.
From 2016 through 2023, i-Soon breached email accounts, cellphones, servers, and websites under Beijing’s instructions and made tens of millions of dollars from doing so, according to the DOJ. The company allegedly worked with 43 Chinese intelligence or police bureaus, charging somewhere between $10,000 and $75,000 for each email inbox hacked.
Its victims include The Epoch Times, a New York-based newspaper that publishes China-related news critical of the Chinese regime; a Texas-based organization that promotes human rights in China; a U.S. religious organization with thousands of churches; a Washington-based U.S.-funded news service; the foreign ministries of Taiwan, India, South Korea, and Indonesia; a U.S.-based religious leader; along with the U.S. Defense Intelligence Agency, Department of Commerce, and the New York State Assembly.
The i-Soon associates, as well as two officials from China’s Ministry of Public Security, are charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud, with a combined maximum penalty of 20 years in prison.
Hacking The Epoch Times
i-Soon used various methods to hack its victims. It trained Ministry of Public Security employees on hacking techniques, according to the court documents.
It allegedly sold bespoke software designed to target accounts on a range of applications, among them Microsoft Outlook, Gmail, Android cell phones, social media platform X, and computer systems such as Windows, Macintosh, and Linux.
Hackers targeted at least four news service agencies, including two newspapers based in New York and one in Hong Kong, the document said.
Under the direction of Chinese police officer Wang Liyu, who is also on the list of people charged, the i-Soon employees launched a distributed denial-of-service attack in December 2016 that temporarily shut down the website of The Epoch Times.
Around May 2017, they compromised the email accounts of the newspaper’s chief editor and a vice president, according to the court filing. In September 2017, Sheng Jing, another Ministry of Public Security officer under U.S. charges, asked the i-Soon associates to identify the Chinese IP addresses that had accessed the newspaper’s website to locate dissidents in China. Wang gave i-Soon the username and password of the administrator account of The Epoch Times’ website, according to the court filing.
The hackers also accessed around 200 email accounts belonging to executives and employees of a Texas-based religious organization with millions of members. The organization had previously sent missionaries to China, according to the Justice Department.
The court filing said they attempted to use spear phishing emails to hack into the Defense Intelligence Agency, an agency within the Department of Defense that specializes in defense and military intelligence, but the effort wasn’t successful. The same method also failed in another campaign against the International Trade Administration, an agency under the Commerce Department that promotes U.S. exports.
Silk Typhoon
According to the Justice Department, the Chinese regime relied on a “hackers-for-hire” system, using private companies and contractors within the country to conduct hacking activities and steal information. This approach helps the regime conceal any direct connection to these cyberattacks.
Both the State and the Treasury Departments also imposed sanctions on a Shanghai-based cyber actor, accusing him of working with other Chinese hackers to infiltrate critical U.S. infrastructure networks.
In an announcement, the Treasury identified the actor as Zhou Shuai, who has sold “illegally exfiltrated data and access to compromised computer networks” since 2018.
At least some of the data was acquired by another Chinese cyber actor, Yin Kecheng, who was sanctioned in January for aiding the hack of the Treasury.
Wednesday’s sanction also applied to Zhou’s company, Shanghai Heiying Information Technology, due to its employment of numerous Chinese hackers.
U.S. prosecutors have linked Zhou and Yin to a Chinese state-sponsored hacking group known as APT27, Silk Typhoon, or Hafnium. This espionage group garnered global attention in 2021 when more than 30,000 organizations in the United States were compromised through flaws in Microsoft’s mail and calendar servers.
The Justice Department alleged that Zhou and Yin have carried out “years-long, sophisticated computer hacking conspiracies that successfully targeted a wide variety of U.S.-based victims from 2011 to the present-day.”
Companies and organizations allegedly targeted by Zhou and Yin include “numerous” U.S.-based tech companies, local governments, think tanks, universities, and defense contractors, according to the DOJ.
Both Zhou and Yin were indicted and face multiple charges, including wire fraud, money laundering, aggravated identity theft, and violation of the Computer Fraud and Abuse Act.
In a blog post published on Wednesday, Microsoft warned of a shift in tactics by hackers associated with Silk Typhoon, who are now focusing on remote management tools and cloud applications to gain initial access to corporate networks.
The indictment against Yin quotes his communications with an associate, including their discussion about technical strategies. At one point, the unnamed associate suggested targeting the subsidiaries of large American companies or their partner firms, stating that “they are the same and easier to attack.” Yin agreed, calling this approach “correct,” according to the court document unsealed on Wednesday.
All 12 remain at large. The State Department is offering up to $10 million for information on i-Soon and its employees, as well as the two Ministry of Public Security officials. It is also offering a $2 million reward to help arrest Yin and Zhou, both of whom are in China.
“China offers safe harbor for private sector companies that conduct malicious cyber activity against the United States and its partners,” State Department spokesperson Tammy Bruce said in a statement.
Bruce said the multi-agency effort reflects the United States’ whole-of-government approach to protecting Americans and U.S. critical infrastructure against China-based cyber threats.
She described Chinese state-backed hacking as “one of the greatest and most persistent threats to U.S. national security.”