US authorities unsealed two indictments against two Chinese nationals, Yin Kecheng (aka “YKC”) and Zhou Shuai (aka “Coldface”), for their involvement in an extensive series of cyberattacks spanning more than a decade. The US Department of Justice revealed that Yin and Zhou, associated with the hacking group APT27 (also tracked as Threat Group 3390, Bronze Union, Emissary Panda, Lucky Mouse, Iron Tiger, UTA0178, UNC5221, and Silk Typhoon), had engaged in sophisticated, profit-driven cyber intrusions targeting both US and global networks from as early as 2013.
The indictment accuses Yin, Zhou, and their co-conspirators of using advanced hacking techniques and tools to breach well-protected computer systems, evade detection, and maintain persistent access to the targeted networks. Their methods included scanning for vulnerabilities, exploiting them, and carrying out reconnaissance once inside the compromised systems. The hackers installed malware to maintain access and communicate with external servers, and stole sensitive data, which was then exfiltrated to servers they controlled.
The stolen data was sold to various customers, including some with links to the Chinese government and military. In addition to the indictments, the Department of Justice also announced the seizure of internet domains and computer server accounts used by Yin and Zhou for their hacking activities. The two defendants remain at large, with the US authorities offering a reward of up to $2 million each for information leading to the capture and conviction of Yin Kecheng and Zhou Shuai.
In addition, the US authorities charged eight employees from a Chinese company, Anxun Information Technology Co. Ltd., also known as “i-Soon,” believed to be a major player in China’s hacker-for-hire industry. The employees are accused of engaging in various cyber intrusions, including hacking email accounts, cell phones, servers, and websites from 2016 to 2023. i-Soon, operating as a private entity, generated millions of dollars in revenue by conducting hacking operations on behalf of the Chinese government and military, specifically the Ministry of State Security (MSS) and the Ministry of Public Security (MPS).
The company was implicated in transnational repression, carrying out cyber intrusions at the request of Chinese authorities, and also in the sale of stolen data to multiple bureaus of the MSS and MPS across China. i-Soon reportedly charged between $10,000 and $75,000 per exploited email inbox, offering a range of hacking services and even training MPS personnel on how to hack independently. The US authorities also seized the primary internet domain used by i-Soon to advertise its hacking services.
The US Department of State has offered a reward of up to $10 million for information leading to the identification or location of the suspects.