The United States Department of Justice has announced charges against 12 Chinese nationals for their alleged involvement in a widespread scheme designed to steal data and suppress free speech and dissent on a global scale.

The individuals charged include two officers from the People’s Republic of China’s Ministry of Public Security, eight employees of a Chinese company called Anxun Information Technology Co. Ltd., also known as i-Soon, as well as members of Advanced Persistent Threat 27 (APT27, also known as Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger). The list of individuals includes:

• Wu Haibo (吴海波), Chief Executive Officer
• Chen Cheng (陈诚), Chief Operating Officer
• Wang Zhe (王哲), Sales Director
• Liang Guodong (梁国栋), Technical Staff
• Ma Li (马丽), Technical Staff
• Wang Yan (王堰), Technical Staff
• Xu Liang (徐梁), Technical Staff
• Zhou Weiwei (周伟伟), Technical Staff
• Wang Liyu (王立宇), MPS Officer
• Sheng Jing (盛晶), MPS Officer
• Yin Kecheng (尹可成), APT27 actor also known as “YKC”
• Zhou Shuai (周帅), APT27 actor also known as “Coldface”

According to the Department of Justice, “these malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security, and on their own initiative.” The MPS and MSS allegedly paid significant amounts for stolen data.

Court documents reveal that the MPS and MSS employed a network of private companies and contractors in China to carry out unauthorized access to companies and steal data, while also attempting to conceal the involvement of the government.

The eight i-Soon employees, along with two MPS officers, have been accused of breaking into email accounts, cell phones, servers, and websites from at least 2016 through 2023.

The U.S. Federal Bureau of Investigation (FBI) stated in a court filing that the activities associated with i-Soon are tracked by the cybersecurity community under the monikers Aquatic Panda (also known as RedHotel), while APT27 overlaps with that of Silk Typhoon, UNC5221, and UTA0178.

The agency further noted that the Chinese government is utilizing both formal and informal connections with freelance hackers and information security companies to compromise computer networks worldwide.

Separately, the U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the identification or location of any individual who engages in malicious cyber activities against U.S. critical infrastructure while acting under the direction of a foreign government.

The Department of Justice further noted that i-Soon and its employees generated tens of millions of dollars in revenue, making the company a key player in the PRC hacker-for-hire ecosystem, with prices ranging from $10,000 to $75,000 for each successfully exploited email inbox.

“In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants,” the department said. “In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China.”

Targets of i-Soon’s attacks included a large U.S. religious organization, critics and dissidents of the PRC government, a state legislative body, United States government agencies, the foreign affairs ministries of multiple Asian governments, and news organizations.

An additional monetary reward of up to $2 million each has been announced for information leading to the arrests and/or convictions of Shuai and Kecheng, who are accused of participating in sophisticated computer hacking conspiracies to breach U.S. victim companies, municipalities, and organizations for profit from 2011, and stealing data after establishing persistent access via the PlugX malware.

Concurrent to the charges, the Department of Justice has also announced the seizure of four domains linked to i-Soon and the APT27 actors, including:

• ecoatmosphere.org
• newyorker.cloud
• heidrickjobs.com
• maddmail.site

“i-Soon’s victims were of interest to the PRC government because, among other reasons, they were prominent overseas critics of the PRC government or because the PRC government considered them a threat to the rule of the Chinese Communist Party,” the Department of Justice said.

The company is also said to have provided training to MPS employees on how to hack independently of i-Soon, and offered various hacking methods for sale, including an “industry-leading offensive and defensive technology” and a “zero-day vulnerability arsenal.”

Among the tools advertised by i-Soon was a software called the “Automated Penetration Testing Platform,” capable of sending phishing emails, creating files with malware that provide remote access to victims’ computers upon opening, and cloning websites of victims to trick them into providing sensitive information.

Another of i-Soon’s offerings is a password-cracking utility known as the “Divine Mathematician Password Cracking Platform,” as well as a program engineered to hack into various online services like Microsoft Outlook, Gmail, and X (formerly Twitter), among others.

“With respect to Twitter, i-Soon sold software with the capability to send a victim a spear phishing link and then to obtain access to and control over the victim’s Twitter account,” the Department of Justice explained. “The software had the ability to access Twitter even without the victim’s password and to bypass multi-factor authentication. After a victim’s Twitter was compromised, the software could send tweets, delete tweets, forward tweets, make comments, and like tweets.”

The purpose of the tool, referred to as “Public Opinion Guidance and Control Platform (Overseas),” was to let the company’s customers leverage the network of hacked X accounts to understand public opinion outside of China.

“The charges announced today expose the PRC’s continued attempts to spy on and silence anyone it deems threatening to the Chinese Communist Party,” Acting Assistant Director in Charge Leslie R. Backschies said in a statement. “The Chinese government tried to conceal its efforts by working through a private company, but their actions amount to years of state-sponsored hacking of religious and media organizations, numerous government agencies in multiple countries, and dissidents around the world who dared criticize the regime.”