Feds Name and Charge Alleged Silk Typhoon Spies Behind Years of China-on-US Attacks

The US government has announced criminal charges against alleged members of China's notorious hacking group, Silk Typhoon, in connection with a long-term Chinese espionage campaign that targeted the United States. The operation, which spanned years, involved Beijing hiring freelance hackers to compromise US government agencies and other major organizations.

"For years, the PRC government – in particular, its Ministries of State and Public Security – have encouraged, supported and relied on private contractors and Chinese technology companies to hack and steal information in a manner that hides the government's involvement, essentially providing it with plausible deniability," said a Justice Department official during a briefing call attended by The Register.

Twelve Chinese nationals are charged over their suspected roles in this operation, which compromised computers and stole data from high-profile targets, including the US Treasury. Two of the accused are alleged to be officers of China's Ministry of Public Security (MPS); the remaining ten are either employees of a private firm called Anxun Information Technology, also known as i-Soon, or members of China's APT27 group, which Microsoft tracks as Silk Typhoon.

"Each of these defendants played a critical role in the PRC government hacker-for-hire ecosystem, which has gotten out of control," said the Justice Department official. The digital snoops broke into victims' computers at the direction of China's MPS and its Ministry of State Security (MSS). Sometimes they did so as i-Soon employees working a government contract; on other occasions they acted on their own, motivated by profit.

The scheme netted millions for i-Soon and China's freelance infosec warriors, according to American prosecutors. "i-Soon charged the MSS and MPS between approximately $10,000 and $75,000 per email inbox hacked," said an FBI official on the briefing call. The company then charged additional fees to analyze the stolen data.

Silk Typhoon is the same crew behind the 2021 Microsoft Exchange Server zero-day exploits that targeted Western governments' intelligence and defense agencies; Microsoft previously tracked the group as Hafnium. The Justice Department has also announced the court-authorized seizure of internet domains used in these intrusions, including infrastructure tied to the December 2024 Treasury Department network break-in.

Prosecutors named Yin KeCheng and Zhou Shuai, who were both indicted in 2023, as having "facilitated and profited from some of the most significant Chinese-based computer network exploitation schemes against US victims." Both men are alleged members of Silk Typhoon and part of the larger Chinese hacker-for-hire ecosystem. Two indictments formally charge Yin and Zhou for their alleged involvement in for-profit computer intrusion campaigns that date back to 2013.

The other ten people charged include eight i-Soon staff: Wu Haibo, CEO of i-Soon; Chen Cheng, its COO; sales boss Wang Zhe; and technical staff Liang Guodong, Ma Li, Wang Yan, Xu Liang, and Zhou Weiwei. The remaining two, Wang Liyu and Sheng Jing, are alleged to be MPS officers.

The criminal charges and domain seizures follow a series of US government alerts over the past year about Chinese snoops burrowing into American networks. "You look at Volt Typhoon, Flax Typhoon, Salt Typhoon, Silk Typhoon – all this activity demonstrates persistent targeting of US interests by the CCP [Chinese Communist Party]," said the Justice Department official on the briefing call.

It is unlikely that any of those named today will be arrested by US authorities, as the Chinese government would not hand them over. The State Department has offered rewards of up to $2 million for information leading to the arrest and/or conviction of alleged Silk Typhoon members Yin and Zhou.

Microsoft Report Blames Silk Typhoon for Ongoing Attacks

A Microsoft report, released on Wednesday, blames Silk Typhoon for ongoing attacks against IT companies and government agencies. It lands on the same day as the indictments and is the latest in a string of warnings about this group's persistent targeting of American networks.