Five Chinese nationals, two Malaysians charged in connection with global hacking campaign

The Justice Department is trying to put alleged Chinese hackers on notice.
China flag, hackers, cybersecurity, thrip, lotus blossom, coronavirus disinformation
(Getty Images)

Five Chinese nationals working as part of a well-resourced hacking group and two Malaysian nationals have been charged in connection with a global hacking campaign that hit hundreds of targets in the U.S. and around the world in multiple industries, the Department of Justice announced Wednesday.

The accused Chinese hackers allegedly compromised technology providers and installed software backdoors in their networks, giving themselves a portal to collect information. The operation is linked to an advanced persistent threat group known as APT41, which private security firms have tied to the Chinese government. U.S. indictments unsealed Wednesday alleged that the activity is tied to China’s Ministry of State Security (MSS), a civilian intelligence agency.

The suspects are alleged to have targeted software development companies, computer hardware manufacturers, telecommunications entities, social media companies, as well as non-profit organizations, universities and think tanks. They are also accused of targeting foreign governments, and pro-democracy politicians and activists in Hong Kong.

Prosecutors say the hackers compromised video game companies, and defrauded them of in-game resources. By generating video game currency, attackers would sell that in exchange for real dollars, demonstrating how attackers are exploiting the global video game market for their own gain. The Malaysian nationals are accused of helping the Chinese hackers, namely by selling those game resources on the black market.


The Malaysian suspects have been arrested for their efforts, marking a rare opportunity for the Department of Justice to hold Chinese hackers and their alleged partners to account, according to the Deputy Director of the FBI, David Bowdich.

“We’re here today to tell these hackers and the Chinese government officials who turned a blind eye to their activity that their actions are once again unacceptable, and we will call them out publicly,” Bowdich said. “Indictments are one way we do that. But often that’s all we can do — indict the criminals and publicly condemn their actions. But this time, thanks to our law enforcement partners in Malaysia, two of these criminals are behind bars.”

The U.S. government is seeking to extradite the men arrested in Malaysia, Wong Ong Hua and Ling Yang Ching, he added.

One of the Chinese hackers is alleged to have told a colleague he was “very close” to the Chinese government’s civilian intelligence and counterintelligence service, the MSS, according to one of the indictments. Prosecutors say three of the men charged worked with a China-based company called Chengdu 404 Network Technology.

“Intelligence services leverage criminals such as APT41 for their own ends because they are an expedient, cost-effective, and deniable capability,” said John Hultquist, Senior Director of Analysis at FireEye’s Mandiant Threat Intelligence, which has been tracking APT41 hacking operations.


The FBI, which has issued a wanted poster with photos of the alleged Chinese hackers, is still seeking information on Zhang Haoran, Tan Dailin, Qian Chuan, Fu Qiang, and Jiang Lizhi, the Chinese men charged.

The indictments come amid a flurry of activity from the U.S. government meant to expose details of MSS-linked hacking operations. Earlier this week the Department of Homeland Security and the FBI announced MSS hackers have lately been exploiting common vulnerabilities with known patches, including those affecting Citrix and Pulse Secure VPN appliances, F5 Networks’ Big-IP Traffic Management User Interface, and Microsoft Exchange Server.

The Justice Department in July announced charges against two hackers with alleged ties to the MSS for their efforts to target defense and medical entities in the U.S. researching the coronavirus vaccine. Moderna, one of the pharmaceutical companies working on developing a coronavirus vaccine, has worked with the FBI following the hacking efforts.

APT41 hackers have a high operational tempo and broad collection requirements, according to the California-based security firm FireEye, and are some of the most prolific hackers in the world. Security researchers at FireEye earlier this year exposed an operation from APT41 hackers that is “one of the most widespread campaigns [they] have seen from China-nexus espionage actors in recent years.”

The Chinese and Malaysian hackers were charged by a federal grand jury in Washington, D.C. in August 2019 and August 2020, according to a Justice Department statement. In the meantime, the U.S. government has been working with Microsoft, Facebook, Google, Verizon Media, and others to try to neutralize malicious domains and other tools, according to Deputy Attorney General Jeffrey Rosen.


Broadly, Wednesday’s actions to disrupt APT41 are meant to show Chinese hackers that their activities are not anonymous and that the U.S. government will hold their feet to the fire, according to Rosen.

“The Department of Justice will do everything it can to disrupt these crimes by exposing the techniques, tactics, and procedures used by APT-41, enabling the private sector to disable them, and working with our law enforcement colleagues around the world to arrest the hackers when we can,” Rosen said.

The move, meant to hold the hackers and their networks to account, comes just as the FBI is working to roll out a new cyber strategy, set to be issued later this month, that will outline the bureau’s plans to impose more risks and consequences for criminal hackers, according to Bowdich.

The FBI also issued a FLASH alert containing technical details on APT41’s operation to foreign partners and the private sector to help in detecting and protecting against their hacking, according to Bowdich.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts