Justice Department Charges Chinese Hackers in Treasury Breach

March 5, 2025
Criminal Charges Filed Against Chinese Hackers

The U.S. Department of Justice has unveiled criminal indictments against twelve individuals connected to the Chinese government. These hackers are alleged to have compromised over 100 American organizations throughout the past decade.

A senior DOJ representative stated during a briefing with journalists that the accused individuals were central figures within China’s network of hackers available for hire. This group included both contracted hackers and officials directly employed by Chinese law enforcement.

Targeting of Organizations

The DOJ confirmed a connection between two of the indicted individuals and APT27, also known as Silk Typhoon, a China-backed hacking group.

Yin Kecheng and Zhou Shuai are specifically accused of conducting extensive, financially motivated cyber intrusions beginning in 2013. Prosecutors allege they illicitly obtained data from victim organizations and subsequently sold it to third parties, some with ties to the Chinese government.

According to the unsealed indictment, the hackers exploited multiple vulnerabilities present in commonly used enterprise software to gain access to victim networks. Recent research from Microsoft corroborates this, identifying exploited flaws in products like Microsoft Exchange, Palo Alto Networks firewalls, Citrix NetScaler appliances, and Ivanti Pulse Connect Secure appliances, with activity as recent as January.

Ivanti’s chief security officer, Daniel Spicer, indicated to TechCrunch that while they cannot verify Microsoft’s attribution, the company promptly addressed the identified security flaw.

The targeted organizations encompassed a broad spectrum, including U.S.-based technology firms, research institutions, legal practices, defense contractors, local government entities, healthcare providers, and universities, as stated by U.S. prosecutors.

Links to U.S. Treasury Hack

Yin Kecheng has also been implicated in the large-scale hack of the U.S. Treasury in December 2024. He was sanctioned by the Treasury Department’s Office of Foreign Assets Control in February, following a determination of his affiliation with China’s Ministry of State Security (MSS), the nation’s primary foreign intelligence agency.

The DOJ reports that the FBI has successfully seized virtual private servers and related infrastructure utilized by Yin in the execution of the U.S. Treasury hack.

I-Soon and Ministry of Public Security Involvement

Alongside these indictments, the Justice Department announced charges against eight employees of I-Soon, a Chinese government hacking contractor, including its CEO and COO. Additionally, two alleged officials from China’s Ministry of Public Security, responsible for national policing, were also charged.

The DOJ alleges that I-Soon employees engaged in a widespread hacking campaign between 2016 and 2023, generating “tens of millions of dollars” in revenue. They are accused of conducting hacks both at the behest of Chinese security agencies and independently, later selling the stolen data to the Chinese government.

Prosecutors state that the I-Soon employees targeted several U.S. organizations, including a religious group critical of the Chinese government, an organization advocating for religious freedom within China, and multiple U.S. news outlets.

Data compromised by Yin was reportedly also sold through I-Soon, although it remains unclear if this included information obtained during the U.S. Treasury breach.

Rewards for Information

Currently, all defendants remain at large. The U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information leading to the location of I-Soon employees. A separate reward of $2 million is available for information resulting in the arrest and conviction of Yin and Zhou.
