The US Department of Justice (DOJ), together with the FBI, the Naval Criminal Investigative Service, and the Departments of State and the Treasury, announced a coordinated enforcement action aimed at disrupting and deterring cyber espionage by a group of 12 Chinese nationals.
Those charged include two officers from the Ministry of Public Security (MPS), employees of a Chinese company identified as Anxun Information Technology (also known as i‑Soon), and members of the Advanced Persistent Threat group APT27.
According to the DOJ, the accused actors operated both as freelancers and as i‑Soon employees, conducting computer intrusions on behalf of the MPS and the Ministry of State Security (MSS), as well as for their own financial gain.
Court filings allege that the MPS and MSS paid for stolen data, with victims including U.S.-based critics of the Chinese government, a major religious organization, Asian foreign ministries, and U.S. federal and state government entities — including a reported intrusion of the Treasury between September and December 2024.
“The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people,” said Sue J. Bai, head of the Justice Department’s National Security Division. She added that the department is exposing government-directed cyberattacks, the companies that enable them, and the individual hackers involved, and that authorities will continue working to dismantle this ecosystem of “cyber mercenaries.”
The FBI emphasized similar themes, asserting that the MPS allegedly paid hackers to target Americans who criticize the Chinese Communist Party. “To those victims who bravely came forward with evidence of intrusions, we thank you,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. He warned that those aiding unlawful cyber activity will be identified, indicted, and publicly exposed.
Court documents describe a network of private companies and contractors in China allegedly used by the MPS and MSS to mask official involvement in hacking and data theft. That network reportedly operated from a “safe haven” within China, indiscriminately targeting vulnerable computers worldwide and selling the stolen information to the highest bidders, including Chinese government bureaus.
Indictments and seizures tied to alleged Chinese cyber espionage
A federal court in Manhattan unsealed an indictment charging eight i‑Soon employees and two MPS officers with alleged intrusions into email accounts, mobile phones, servers, and websites between 2016 and 2023. The court also authorized seizure of i‑Soon’s primary internet domain.
Matthew Podolsky, Acting U.S. Attorney for the Southern District of New York, described state‑sponsored hacking as a serious threat to community and national security. He said the defendants — including two alleged PRC officials — used advanced techniques to target religious organizations, journalists, and government agencies to gather sensitive information for the People’s Republic of China. Podolsky noted that these charges aim to halt such schemes and bring those responsible to justice.
All defendants in the i‑Soon case remain at large. The U.S. Department of State’s Rewards for Justice program has posted a reward of up to $10 million for information leading to their capture.

Authorities allege i‑Soon generated tens of millions of dollars in revenue as a significant actor in a “hackers‑for‑hire” ecosystem. The company is accused of performing intrusions on behalf of the MSS and MPS, engaging in cyber‑enabled transnational repression, and selling stolen data to at least 43 different MSS or MPS bureaus across China.
Reported targets of i‑Soon’s alleged activities include:
- A large religious organization critical of the Chinese government
- An organization advocating human rights and religious freedom in China
- News organizations in the United States critical of the CCP
- The New York State Assembly
- A religious leader and his office
- A Hong Kong newspaper critical of the Chinese government
- The foreign ministries of Taiwan, India, South Korea, and Indonesia
Separately, a federal court unsealed indictments charging APT27 actors Yin Kecheng and Zhou Shuai — the latter also known by the alias “Coldface” — with conducting multi‑year, profit‑driven intrusion campaigns. The court authorized seizure of internet domains and server accounts linked to those defendants.
Interim U.S. Attorney Edward R. Martin Jr. for the District of Columbia said the indictments reflect a persistent effort to investigate and hold accountable hackers and data brokers who threaten U.S. national security and global victims. He urged the Chinese government to halt the activities of cybercriminals who target victims worldwide and monetize stolen data.
Yin and Zhou are accused of exploiting network vulnerabilities, deploying malware, and stealing data from numerous U.S. organizations, including technology companies, think tanks, law firms, defense contractors, local governments, healthcare systems, and universities. Those intrusions are said to have caused millions of dollars in damages. The documents also link Yin to the recent Treasury intrusion between September and December 2024; the FBI reported seizing virtual private servers and other infrastructure allegedly used in that attack.
The Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against Yin Kecheng and Zhou Shuai, and against Shanghai Heiying Information Technology, a company reportedly operated by Zhou.
Private sector partners played a role in identifying and countering the alleged campaign. Microsoft published research describing the tactics, techniques, and procedures used by the threat actor known as Silk Typhoon, including its focus on the IT supply chain.
This coordinated action by U.S. authorities and private sector partners highlights growing concern about state‑sponsored cyber activity attributed to Chinese actors and demonstrates a determination to pursue those responsible and disrupt their operations.