Five Chinese and two Malaysian international cyberhackers were indicted in federal court on Wednesday for allegedly intruding on over 100 companies and people in the US and abroad through online games to launder “millions of dollars,” the Justice Department announced Wednesday.
“The intrusions, which security researchers have tracked using the threat labels ‘APT41,’ ‘Barium,’ ‘Winnti,’ ‘Wicked Panda,’ and ‘Wicked Spider,’ facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information,” prosecutors said in a news release.
“These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and ‘crypto-jacking’ schemes, the latter of which refers to the group’s unauthorized use of victim computers to ‘mine’ cryptocurrency,” prosecutors said.
Jiang Lizhi, Qian Chuan and Fu Qiang are charged in a nine-count indictment that says they allegedly used Chengdu 404 Network Technology to target over 100 companies, organizations and people in the US, Asia and South America using “sophisticated hacking techniques.”
Since 2014, they held positions as “officers” for Chengdu 404, which was publicly described as “a network security company, composed of elite ‘white hat’ hackers, which provided defensive and counter-offensive network security services and data analytics services, including penetration testing, password recovery services, ‘mobile device forensics’ and other services,” according to the indictment.
Jiang allegedly bragged that it was “easy to find companies to target by searching lists of publicly-traded companies through ‘stock websites,’” the indictment says.
“In one notable instance, the defendants conducted a ransomware attack on the network of a non-profit organization dedicated to combating global poverty,” prosecutors said. The non-profit’s computers that were located in Washington, DC, were allegedly compromised by the hackers since 2018, according to the indictment.
The hackers even targeted more than a dozen “prominent” unidentified universities in the US, Hong Kong and Taiwan, authorities allege. For one institution labeled “University #5” in the indictment, they “browsed at least 4,200 files and directories in over 75 servers” between 2018 and 2020.
Zhang Haoran and Tan Dailin were charged in a 25-count indictment for participating in a “Computer Hacking Conspiracy” that “sought to make money by hacking video game companies” and selling items like video game currency for profit.
The five Chinese nationals are at large and assumed to be in China.
Wong Ong Hua, 46, and Ling Yang Ching, 32, both of Malaysia, are accused of working with hackers that targeted the video game industry to conduct computer intrusion offenses in the US, France, Japan, Singapore and South Korea. They were charged with 23 counts of racketeering, conspiracy, identity theft and other charges. Both are in custody and awaiting extradition to the United States.
One company labeled “Video Game Company#14” in the indictment had a database of approximately 25 million records of which the hackers allegedly obtained a copy.
“The scope and sophistication of the crimes in these unsealed indictments is unprecedented. The alleged criminal scheme used actors in China and Malaysia to illegally hack, intrude and steal information from victims worldwide,” acting US Attorney Michael Sherwin said in a news release.
“This scheme also contained a new and troubling cyber-criminal component – the targeting and utilization of gaming platforms to both defraud video game companies and launder illicit proceeds,” Sherwin said.
Investigators with the US district court in Washington, DC, found through seizure warrants “hundreds of accounts, servers, domain names, and command-and-control ‘dead drop’ web pages used by the defendants to conduct their computer intrusion offenses,” prosecutors said.
The feds collaborated with Microsoft to develop and implement technology to block the threat actor from accessing victims’ computer systems.
“The actions by Microsoft were a significant part of the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and command and control domain names,” prosecutors said.
If convicted, Wong and Jing face a maximum of 27 years in prison for at least one of the charges in the indictment of false registration of domain names. Jiang, Qian and Fu face a maximum of 20 years in prison for at least one count in the indictment of conspiracy to commit computer fraud, and Zhang and Tan face a maximum of 20 years in prison for two counts of wire fraud if convicted.
