
The U.S. Department of Justice has indicted 12 Chinese-backed hackers who carried out several cyberattacks against large corporations and government bodies in the country, including the U.S. Treasury cyberattack.
The Treasury cyberattack was disclosed in a letter from the DOJ confirming unauthorized access to unclassified documents held by the U.S. Treasury Departmental Offices.
The cyberattack resulted from the exploitation of two vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in third-party software provided by BeyondTrust, a SaaS (Software-as-a-Service) and cybersecurity firm offering services including, but not limited to, an Identity Security Platform, Privileged Access Management (PAM), and remote access technology.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the letter says.
The letter then adds that “with access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
In a joint effort by the national agencies CISA (Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation), the cyberattack was alleged to be sponsored by the government of the PRC (People's Republic of China), and the group behind it was dubbed APT27.
“The incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor,” the letter further explains.
Over the course of the wide range of cyberattacks this threat actor carried out between 2013 and 2024, and according to the DOJ indictment, APT27 has been given several nicknames by private sector security researchers: "Threat Group 3390," "Bronze Union," "Emissary Panda," "Lucky Mouse," "Iron Tiger," "UTA0178," "UNC5221," and "Silk Typhoon."
In the press release announcing the indictment of 12 Chinese nationals – 2 officers of the PRC's Ministry of Public Security (MPS), 2 Chinese nationals at the helm of APT27, and 8 employees of the PRC private company Anxun Information Technology Co. Ltd. (aka i-Soon) – the two APT27 threat actors were named as Yin Kecheng and Zhou Shuai.
Yin and Zhou are Chinese nationals who allegedly launched cyberattacks against large U.S. corporations – Microsoft, for example – on behalf of the Chinese government.
The cyberattacks carried out by these two date back to 2013. Before the Treasury cyberattack in December 2024, they were reported to have "exploited vulnerabilities in victim networks, conducted reconnaissance once inside those networks, and installed malware, such as PlugX malware, that provided persistent access," according to the indictment.
“The defendants (Yin and Zhou) and their co-conspirators then identified and stole data from the compromised networks by exfiltrating it to servers under their control,” adds the press release announcing the charges.
“Next, they brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military. For example, Zhou sold data stolen by Yin through i-Soon, whose primary customers, as noted above, were PRC government agencies, including the MSS and the MPS.”
Because of the scale of these cyberattacks, Yin and Zhou have been placed on a wanted list, with a bounty offered to anyone who provides information on their whereabouts.
“The Department of State’s Bureau of International Narcotics and Law Enforcement Affairs is announcing two reward offers under the Transnational Organized Crime Rewards Program (TOCRP) of up to $2 million each for information leading to the arrests and convictions, in any country, of malicious cyber actors Yin Kecheng and Zhou Shuai, both Chinese nationals residing in China.”