Alert Number: I-030525-PSA

Beijing Leveraging Freelance Hackers and Information Security Companies to Compromise Computer Networks Worldwide


FBI is releasing this Public Service Announcement to highlight that the Chinese government is using formal and informal connections with freelance hackers and information security (InfoSec) companies to compromise computer networks worldwide.

China's InfoSec ecosystem flourishes because China's government agencies, including its primary intelligence service the Ministry of State Security (MSS) and its domestic police agency the Ministry of Public Security (MPS), weaponize InfoSec companies by tasking companies that advertise legitimate cybersecurity services to also use their expertise to gain unauthorized access to victim networks to collect for China's intelligence services. This ecosystem of InfoSec companies and freelance hackers enables and encourages indiscriminate global cyber activity, while providing the Chinese government with a layer of plausible deniability.

Today, the Southern District of New York unsealed an indictment against eight employees of China-based InfoSec company Anxun Information Technology Co., Ltd., aka i-Soon, and two MPS officers who, at times, directed i-Soon activities in service of the Chinese government. i-Soon has been a key player in China's InfoSec ecosystem over the last decade, working with at least 43 separate MSS or MPS bureaus in 31 provinces and municipalities across China. The indicted i-Soon hackers sold stolen data to the MSS and MPS from a myriad of victims, to include US-based critics of the Chinese government and Chinese dissidents, a US news organization, a large US-based religious organization, multiple governments in Asia, and US federal and state government agencies. i-Soon sold information to China's intelligence and security services to suppress free speech and democratic processes worldwide, and target groups deemed a threat to the Chinese government. i-Soon also sold platforms to MSS and MPS customers for their own hacking efforts. i-Soon's activities are publicly tracked as Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Hassium, Chromium, and TAG-22.

Also today, the District Court for the District of Columbia unsealed two indictments of freelance Chinese hackers Yin KeCheng and Zhou Shuai, who maintained ties to i-Soon and the Chinese government. Since 2011, Yin and Zhou have operated in China's InfoSec ecosystem and enriched themselves by selling stolen US information to the Chinese government. Zhou served for a period of time in i-Soon's Strategic Consulting Division. Yin, known in Chinese hacking circles for his prolific targeting of US entities, explained to an associate in 2013 that he wanted to "mess with the American military" and "break into a big target," hoping the proceeds from selling the stolen US data would be enough to purchase a car. On at least one occasion, Yin compromised sensitive data which he turned over to Zhou, who partnered with an i-Soon employee to sell the stolen data. Yin and Zhou's activities are publicly tracked as APT27, Threat Group 3390, Bronze Union, Emissary Panda, Lucky Mouse, Iron Tiger, UTA0178, UNC 5221, and Silk Typhoon.

Reporting

If you suspect you have been a victim of malicious cyber activity by groups associated with the government of China, report the suspicious activity to the FBI's Internet Crime Complaint Center (IC3) at www.IC3.gov as quickly as possible.