US charges Chinese security officers in global cyberattack that sought to bolster PRC, state-owned businesses

Ding Xiaoyang, Zhu Yunmin, and Wu Shurong are pictured here in undated images provided by the FBI. The three were charged Monday, along with a 4th man not pictured, in an alleged global computer intrusion campaign. (Photo: FBI/Handout)

Four Chinese citizens have been charged in an alleged global cyberattack campaign that victimized dozens of universities, companies, and government agencies both in the US and abroad, officials said this week.

The indictment, unsealed in a federal court in California, says the conspiracy took place across seven years, from 2011 to 2018, and focused on gaining information that was “of significant economic benefit” to the Chinese government and state-owned businesses. Chinese state-employed hackers allegedly sought information that would allow them to take shortcuts in various research and development processes related to infrastructure, infectious disease study, and other topics of interest.

Federal agents say Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin oversaw a large technology development company, Hainan Xiandun, which was allegedly used as a front by China’s Ministry of State Security to unleash malware and other cyber attacks targeting institutions around the globe. Those institutions included universities, research facilities, and transport corporations like rail companies and airlines. Twenty-one organizations in six countries are said to have been targeted in total.

Wu Shurong, a Hainan Xiandun employee, is also charged in the indictment with creating malware, hacking into computers operated by foreign entities, and supervising other hackers working in the same company.

The plot started, authorities say, in 2009 when Ding Xiaoyang and Zhu Yunmin joined the Hainan State Security Department. The men began to compile several collections of open-source material regarding leadership, funding, and other information relevant to the CDC and the US State Department’s Biosecurity Engagement Program. In February of 2011, Yunmin got in touch with an old schoolmate who is said to have helped him recruit skilled hackers, who were subsequently hired by the Chinese government. One of those computer experts was Wu Shurong.

In June of 2011, Hainan Xiandun was established. The company operated out of the library of an unnamed Chinese university, where the men allegedly took on the assistance of a computer science professor known as G.J. to help manage the company. Xiaoyang is said to have registered several websites used as call-back domains to help facilitate the attacks.

In 2012, the Ministry of State Security delivered malware including remote access trojans to Hainan Xiandun. The sprawling hacking campaign was on.

Officials say the men used “multiple and evolving sets” of complex malware, including some engineered specifically for the attacks, to gain unauthorized access to protected computers and networks.

“Such malware allowed for initial and continuous intrusions into victim systems, lateral movement within a system, and theft of credentials, including passwords,” paragraph 13 of the indictment reads.

The hackers allegedly sent fraudulent emails that were designed to look legitimate but carried viruses that, if opened, would damage the recipient’s computer system and give the senders access to it, a practice known as spear phishing. The emails were associated with sock puppet accounts and domain names made to closely resemble those of real companies in an effort to both deceive recipients and hinder the identification of intrusions.

Once hackers got access to foreign computers, documents say, they stole credentials including usernames and passwords that belonged to people with administrative access to those computers in an effort to maintain their newly found entry into the systems. They used the stolen logins to continue their spear phishing efforts, sending similar emails through the stolen accounts across the same network and others. Additional malware was used to pull confidential and sensitive data from the computers, some of which had to be translated into Chinese.

Once they came into possession of the stolen data, the men allegedly used internet hosting software GitHub to conceal that data within several photos shared through Dropbox, such as images depicting a koala bear and former President Donald Trump. Hidden in the seemingly innocuous and humorous images, officials say, were stolen trade secrets and proprietary data associated with hydroacoustics — the study of how sound travels underwater.


The hacking campaign targeted victims in the US, Austria, Cambodia, Germany, Canada, Malaysia, Indonesia, Norway, Switzerland, South Africa, Saudi Arabia, and the UK. Officials say the entire trove of stolen data included crucial information regarding submarines, commercial aircraft, and infectious disease research.

“These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,” Deputy Attorney General Lisa Monaco said. “The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.”

All four men are currently . Officials have asked anyone with knowledge on the fugitives to contact their local FBI office or the nearest American Embassy. Each man faces a maximum sentence of 20 years in prison.