The U.S. Department of Justice unsealed an indictment on March 25, 2024, charging seven hackers associated with APT31, a Chinese state-sponsored cyber espionage group linked to China’s Ministry of State Security. The defendants, identified as Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong, face charges including conspiracy to commit computer intrusions and wire fraud following approximately 14 years of operations.
APT31 operates under the direction of the Hubei State Security Department in Wuhan, utilizing a front company named “Wuhan XRZ,” established around 2010, to conceal its cyber operations. The group received additional support from the local company “Wuhan Liuhe,” though this entity has not been accused of serving as an MSS front. Zero-day exploits, which target vulnerabilities not yet known to the affected vendor, have been a key component of APT31’s sophisticated attack methods.
APT31 operates under China’s Hubei State Security Department, using the front company Wuhan XRZ to mask its extensive cyber espionage activities.
FireEye characterizes APT31 as specializing in intellectual property theft, targeting American businesses and government entities.
The hacking group sent more than 10,000 malicious emails to individuals worldwide, disguising the messages as legitimate news articles from prominent sources. These emails contained hidden tracking links that transmitted sensitive information about the recipients, enabling increasingly sophisticated targeted attacks.
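As an added defender-side example (not code from the indictment or any source cited here), the Python check below flags links in an HTML email that show the two signs described above: display text naming one site while the link points to another, and a query string carrying a long opaque token of the kind used to identify individual recipients. The sample message, the token length threshold and the two-label domain comparison are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")   # assumption: long opaque value
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def registrable(host):
    """Crude registrable domain: last two labels (assumption, no PSL)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reasons) for each link showing a warning sign."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        shown = DOMAIN_RE.search(text)          # domain the reader sees
        if shown and url.hostname and registrable(shown.group(0)) != registrable(url.hostname):
            reasons.append("display domain differs from link target")
        if any(TOKEN_RE.match(v) for vals in parse_qs(url.query).values() for v in vals):
            reasons.append("opaque per-recipient style token in query")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: a lure styled as a news link, plus a benign link.
SAMPLE = (
    '<p>Read: <a href="https://track-news.example/r?id=Qm9iLmpvbmVzQGV4YW1wbGU">'
    'www.globalnews.example/2024/world</a></p>'
    '<p><a href="https://www.globalnews.example/world">World section</a></p>'
)
```

Run `suspicious_links(SAMPLE)` on a decoded message body; a finding with both reasons is the pattern worth alerting on.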
APT31 employs a strategic two-pronged approach, often targeting subsidiaries, managed service providers, or spouses of primary targets to gain initial network access. The group also targets upstream providers such as law firms to facilitate additional intrusions into its primary objectives.
APT31’s malware arsenal includes the custom-developed RAWDOOR tool as its primary weapon, alongside several other malware families commonly used by Chinese-speaking threat actors. The group recently began using cracked versions of Cobalt Strike to compromise victims’ networks, email accounts, cloud storage, and telephone records.
The group’s target selection focuses on perceived critics of China, organizations supporting dissident causes, U.S. government officials, political figures, and election campaign staff. APT31 actively seeks economic plans, intellectual property, and trade secrets from American companies across various industries, contributing to significant financial losses for targeted businesses. The organization has demonstrated remarkable adaptability by registering domains related to the American steel industry in response to U.S. tariffs.
The U.S. Treasury Department imposed sanctions on entities connected to APT31 operations, designating the group as a Chinese malicious cyber organization. Government officials stressed that these activities demonstrate the extensive size and scope of China’s state-sponsored hacking apparatus, underscoring an active cyber espionage campaign spanning more than a decade.