By James Pomfret and Yew Lun Tian
(Reuters) – The United States and Britain filed charges and imposed sanctions on a company and individuals tied to a Chinese state-backed hacking group named APT31 that they allege engaged in a sweeping cyber espionage campaign.
This group was allegedly run by China’s Ministry of State Security and targeted millions of people, mostly in the U.S. and Britain, for more than a decade including officials, lawmakers, activists, academics and journalists, and firms ranging from defence contractors to a U.S. smartphone maker.
China has denied the charges.
“We urge the U.S. and British sides to stop politicising the issue of cybersecurity, stop slandering and smearing China and imposing unilateral sanctions, and stop cyber-attacks against China,” foreign ministry spokesman Lin Jian said.
WHAT IS APT31?
Advanced Persistent Threat Group 31 (APT31) is a collective of Chinese state-sponsored intelligence officers, contract hackers and attendant staff that engages in hacking activities and “malicious cyber operations”, according to a statement from the U.S. Treasury department. APT is a general term for cyber actors or groups, often state-backed, that engage in malicious cyber activities.
The group, also known as Zirconium, operated through a front company, Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), from at least 2010 until January 2024, according to a U.S. indictment filed in New York’s eastern district court on Monday. It is allegedly linked to China’s Ministry of State Security (MSS) in the province of Hubei.
Separately, the New Zealand government claimed on March 25 that another state-backed Chinese hacking group, APT40, was behind a hack of its parliament in 2021.
WHAT IS APT31 ACCUSED OF DOING?
APT31 and Chinese security authorities targeted thousands of U.S. and foreign politicians, foreign policy experts and others as part of the MSS’s foreign intelligence and economic espionage objectives, according to U.S. authorities. Individuals in the White House, the State Department, and spouses of officials were also targets.
Often the hacks were conducted in relation to geopolitical events affecting China, including economic tensions with the U.S., maritime claims in the South China Sea and the Hong Kong pro-democracy protests in 2019 and subsequent crackdown, the U.S. indictment alleges.
The conspiracy involved over 10,000 malicious emails across multiple continents in a “prolific global hacking operation” backed by Beijing, the indictment alleged. The aims included repressing critics of Beijing, compromising government institutions and stealing trade secrets, U.S. authorities said.
The U.S. Treasury department’s Office of Foreign Assets Control (OFAC) sanctioned Wuhan XRZ and seven Chinese individuals on March 25, including Ni Gaobin and Zhao Guangzong.
The British government also sanctioned the same Wuhan company along with the two men, Ni and Zhao. British authorities alleged they were behind a 2021 hack of emails belonging to the Inter-Parliamentary Alliance on China (IPAC), a British group with ties to an international network of politicians critical of China, as well as a 2021-2022 cyber-attack on Britain’s Electoral Commission.
WHAT DO WE KNOW ABOUT THOSE SANCTIONED?
The seven men named in the U.S. indictment, aged between 34 and 38, stand accused of hacking activities in support of MSS foreign intelligence and economic espionage objectives.
Wuhan XRZ is formally listed on China’s Qichacha company information database as a firm engaged in technology development and consulting, with fewer than 50 staff. It is based in a technology development zone in Wuhan’s south-eastern suburbs.
The firm and APT31 were “responsible for, engaging in, or providing support for the commission, planning, or preparation of relevant cyberactivity on behalf of the Chinese State,” the British government wrote on its updated sanctions list.
The current legal owner is listed as Wang Hongye, who took over from a previous owner in late 2023. The firm was established in 2010 with registered capital of 250,000 yuan.
U.S. authorities have offered rewards of up to $10 million for information on the hackers.
Ni, a 38-year-old Chinese citizen sanctioned by both the U.S. and U.K., was also singled out by the U.S. for targeting Hong Kong democracy activists and lawmakers, and members of the Uyghur minority group, through spear-phishing campaigns and information systems interference.
In recent years, China has clamped down on dissidents in Hong Kong and the northwestern region of Xinjiang, home to many Uyghurs.
(Additional reporting by Yew Lun Tian in Beijing and Hong Kong newsroom; Editing by Raju Gopalakrishnan)