
US Seizes Chinese Hacker Infrastructure and Unseals Indictments


Federal authorities in the United States announced on Tuesday the seizure of digital infrastructure linked to two hackers in Shanghai, allegedly working on behalf of the Chinese government under the code name “Silk Typhoon.” The hackers were accused of carrying out a cyberattack on the Department of Treasury in late 2024.

The authorities executed a judicially authorized seizure of four online domains used in phishing attacks and virtual private servers that were utilized to establish a VPN. The seized domains included ecoatmosphere.org, newyorker.cloud, heidrickjobs.com, and maddmail.site. The indictments against the two hackers, along with Treasury sanctions and a reward of up to $2 million for information leading to their arrest, were unsealed simultaneously.

The individuals at the center of the investigation were identified as Zhou Shuai, also known as “Coldface,” and Yin Kecheng. Prosecutors noted that their hacking activities were associated with a threat group known by various names, such as APT27, Silk Typhoon, Emissary Panda, and UNC 5221.

Upon examining a server leased by Yin, FBI investigators discovered phishlets, the configuration files for the Evilginx phishing tool, which is typically used to intercept and steal login credentials, including multifactor authentication challenges. The investigation revealed that the attackers had used subdomains of the seized domains to launch their phishing attacks.
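Because the phishing pages were hosted on subdomains of the seized domains rather than on the bare domains, a defender checking historical DNS or proxy logs needs suffix matching, not exact matching. The following is an added example (not code from the article or from the authorities) that takes the four domain names listed above, normalizes observed hostnames, and reports any host that equals one of them or is a subdomain of one, while rejecting look-alike suffixes such as "notmaddmail.site". The log lines and their format (timestamp, client IP, host, port, method) are constructed for the example.

```python
"""Match observed hostnames from DNS or proxy logs against seized phishing
domains, treating any subdomain of a seized domain as a hit."""
from typing import Iterable, List, Optional, Sequence, Tuple

# Domain names listed in the announcement as seized phishing infrastructure.
SEIZED_DOMAINS: Sequence[str] = (
    "ecoatmosphere.org",
    "newyorker.cloud",
    "heidrickjobs.com",
    "maddmail.site",
)

# Constructed sample log lines: "<timestamp> <client_ip> <host> <port> <method>".
SAMPLE_LOG = """\
2025-03-04T10:15:01Z 10.0.0.12 login.heidrickjobs.com 443 CONNECT
2025-03-04T10:15:07Z 10.0.0.12 example.com 443 CONNECT
2025-03-04T10:16:30Z 10.0.0.31 notmaddmail.site 443 CONNECT
2025-03-04T10:17:02Z 10.0.0.44 MADDMAIL.SITE. 443 CONNECT
2025-03-04T10:18:45Z 10.0.0.51 sso.newyorker.cloud:443 443 CONNECT
""".splitlines()


def normalize_host(host: str) -> str:
    """Lower-case the name, drop a trailing dot and any ':port' suffix so that
    'MADDMAIL.SITE.' and 'maddmail.site:443' both compare as 'maddmail.site'."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def matches_seized(host: str, seized: Sequence[str] = SEIZED_DOMAINS) -> Optional[str]:
    """Return the seized domain that `host` equals or is a subdomain of, else None.

    The '.' prefix in the suffix test is what keeps 'notmaddmail.site' from
    matching 'maddmail.site'; a plain endswith() check would flag it.
    """
    h = normalize_host(host)
    for domain in seized:
        if h == domain or h.endswith("." + domain):
            return domain
    return None


def scan_log(lines: Iterable[str], host_field: int = 2) -> List[Tuple[str, str, str]]:
    """Scan whitespace-separated log lines and return (timestamp, client, matched_domain)
    for every line whose host field hits a seized domain or one of its subdomains."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) <= host_field:
            continue  # malformed or truncated line; skip rather than crash
        matched = matches_seized(parts[host_field])
        if matched:
            hits.append((parts[0], parts[1], matched))
    return hits


if __name__ == "__main__":
    for ts, client, domain in scan_log(SAMPLE_LOG):
        print(f"{ts} client={client} contacted seized domain {domain}")
```

Run against real DNS or proxy exports by replacing `SAMPLE_LOG` with the file's lines and pointing `host_field` at the column that carries the queried or connected hostname; a hit means a client resolved or connected to the seized infrastructure and warrants a credential-reset and session-revocation review for that user.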

Yin had already been sanctioned by the Treasury in January for his involvement in hacking into the department’s computing environment, which included breaching the bureau responsible for enforcing sanctions and the office overseeing foreign investments for national security threats. The FBI believes that Yin was primarily responsible for the intrusion into the Department of Treasury.

China’s utilization of government contractors for hacking activities has garnered attention, especially after internal documents from a hacking firm called iSoon were leaked in February 2024. The leaked documents detailed government clients, rates for hacking into foreign governments, and various hacking tools. Prosecutors unveiled an indictment against the CEO of iSoon, seven employees, and two Ministry of Public Security officers who directed the firm’s operations.

Investigators revealed that Zhou was involved in brokering stolen data from Yin and iSoon, and he also served in iSoon’s strategic consulting division for a period. Both individuals were motivated by financial gains, according to government documents. The FBI disclosed that Yin had expressed a desire to make money by penetrating an American military target as early as 2013.

Zhou’s involvement in the Chinese hacking scene dates back to at least 2007, while Yin has been active since at least 2013. Both individuals had been indicted by a grand jury in the U.S. District Court for the District of Columbia in 2023, facing criminal charges related to hacking into a multinational company and stealing designs for electromagnetic weapons and naval warships. Yin had also been indicted in 2013 on 19 criminal counts, which included activities such as leasing servers to conceal his IP address and deploying the PlugX remote access Trojan linked to Chinese nation-state hackers.

The announcement of the seizure of the hackers’ digital infrastructure and the unsealing of indictments underscore the ongoing challenges posed by cyber threats emanating from nation-state actors. The detailed investigation and legal actions taken by U.S. authorities reflect the importance of addressing such cybersecurity risks in a proactive and decisive manner.
