For years, a group of Chinese hackers known variously as Barium, Winnti, or APT41 has carried out a unique mix of sophisticated hacking activities that has puzzled the cybersecurity researchers tracking them. At times they appear focused on the usual state-sponsored espionage, believed to be working in the service of the Chinese Ministry of State Security. At other times their attacks looked more like traditional cybercrime. Now a set of federal indictments has called out those intruders by name, and cast their activities in a new light.
Five Chinese hackers are accused of a sprawling scheme to break into the networks of hundreds of global companies in a broad range of industries, as well as think tanks, universities, foreign government agencies, and the accounts of Hong Kong government officials and pro-democracy activists. The victims are located in a dozen Asian countries as well as the US, France, Australia, the United Kingdom, and Chile. The Department of Justice says that the hackers, employed by a company called Chengdu 404 Network Technology, allegedly hit dozens of private companies to steal millions of dollars, sometimes using ransomware schemes or cryptojacking, malware that exploits compromised computers to generate cryptocurrency. In many cases, the hackers used a rare and brazen technique known as supply chain attacks to plant their malicious code in legitimate software used by their targets.
But the most detailed element of the alleged schemes revealed in the indictments is the targeting of nine video game firms. The victims go unnamed, but are based in the US, France, South Korea, Japan, and Singapore. Court documents describe how the attackers used supply chain attacks and spear-phishing to infiltrate those companies' networks. They used that access to generate in-game goods and artificially inflate the virtual currency balances of accounts controlled by two Malaysian men, Wong Ong Hua and Ling Yang Chua, who would then allegedly sell the hacker-created items and currency on a market they controlled called SEA Gamer. The DOJ says it's currently seeking the extradition of both men.
"We see this as unfortunately a new area in which hackers are exploiting, and it’s a billion-dollar industry," Acting US Attorney for the District of Columbia Michael Sherwin said of the video game firm targeting in a Justice Department's press conference Wednesday. "I’m sure this isn’t the end."
The charges mark the second time in just two months that the DOJ has charged Chinese hackers with a hybrid collection of state-sponsored spying and cybercriminal hacking. "I’ve been up here too many times now announcing charges against hackers working at the behest of the Chinese government or, at the very least, with the Chinese government’s tacit approval," FBI deputy director David Bowdich at Wednesday's press conference. "We’re here today to tell these hackers and the Chinese government officials who turned a blind eye to their activity that their actions are once again unacceptable, and we will call them out publicly."
The indictments help to solve a mystery for the cybersecurity researchers tracking the group. Over more than half a decade, it has carried out a series of shocking supply chain attacks, hijacking the updates to Asus laptops and the CCleaner antivirus software, for instance, to silently plant malicious code on millions of computers. But it has also long appeared to have different subgroups, sometimes believed to be Ministry of State Security hackers moonlighting as cybercriminals targeting video game firms. Now it appears instead that, rather than moonlighting, one element of Barium was in fact a contracted organization, including hackers with a long cybercriminal past.
The company the alleged hackers worked for, Chengdu 404, advertises itself as a cybersecurity firm offering white hat hacking and penetration testing, and publicly boasts of customers among Chinese security agencies and the military. But the indictment includes communications in which the company's vice president of its technical department, Jiang Lizhi, allegedly refers to his past as a cybercriminal and brags that his connections to China's Ministry of State Security protect him from domestic law enforcement. Sherwin noted repeatedly Wednesday that the group's targeting of pro-democracy groups indicates it had at times had motivation other than criminal gains.
"These for-profit criminal activities took place with the tacit approval of the government of the People’s Republic of China," said FBI special agent in charge James Dawson at Wednesday's press conference. "This investigation is another example of the blended threat increasingly seen in cyber investigations."
The Ministry of State Security likely began enlisting groups like Chengdu 404 after the landmark "Xi Agreement," when the Chinese and US governments pledged in 2014 to cease any hacking that targeted private sector companies for an economic advantage, says Adam Meyers, vice president of intelligence at security firm CrowdStrike. "I think [the hackers] probably ran in the same circles and created a company that became a contract element of the Ministry of State Security when they started outsourcing," says Meyers. "By outsourcing you’re moving into plausible deniability and creating some distance from sanctioned activity."
The indictments make clear, too, that it was the Chengdu 404 hackers who carried out some of Barium's most notorious supply chain attacks. By naming the group as responsible for a piece of malware known as Shadowpad, it links them to operations that planted variants of that malware in legitimate software including those of Asus, CCleaner, and Netsarang, a Korean-made enterprise remote management tool. "These were some of the most massive supply chain attacks in history," says Costin Raiu, the head of security firm Kaspersky's Global Research & Analysis Team. "Connecting these guys with those attacks is very significant."
As is often the case with indictments of foreign cyberspies, the five indicted hackers remain at large, charged only in absentia. Only the two alleged Malaysian accomplices were arrested. But the Justice Department argued that the charges send a signal to Chinese cybercriminals—and the Chinese government agencies that collaborate with and protect them—that the United States often has deep visibility into their activities and will hold them accountable.
"We know the Chinese authorities to be at least as able as the law enforcement authorities here and in likeminded states to enforce laws against computer intrusions. But they choose not to," said Deputy Attorney General Deputy Rosen. "But know this: No country can be respected as a global leader while paying only lip service to the rule of law and without taking steps to disrupt brazen criminal acts like these. No responsible government knowingly shelters cybercriminals that target victims worldwide in acts of rank theft."
- 📩 Want the latest on tech, science, and more? Sign up for our newsletters!
- Gravity, gizmos, and a grand theory of interstellar travel
- How to deal with the anxiety of uncertainty
- One IT guy’s spreadsheet-fueled race to restore voting rights
- Is lightning-fast plasma the key to a cleaner car engine?
- The flagrant hypocrisy of bungled college reopenings
- 💻 Upgrade your work game with our Gear team’s favorite laptops, keyboards, typing alternatives, and noise-canceling headphones
