U.S. indicts Chinese hackers in sweeping cyber espionage case

Axios, 05-03-2025

Federal authorities charged 10 individuals and two Chinese government officials on Wednesday in connection with several high-profile Beijing-backed intrusions.
Why it matters: The U.S. alleges that these individuals helped carry out a wide-reaching Chinese espionage campaign that targeted U.S. government agencies, state governments, news services, universities, defense contractors, law firms, and critical infrastructure.
Catch up quick: The people either worked for Silk Typhoon — the Chinese hacking team linked to last year's Treasury breach — or for I-Soon, an offensive "hacker-for-hire" contractor that was exposed in an extensive online document leak last year.
The leaked documents, which were publicly available on GitHub, detailed I-Soon's clients and targets.
The big picture: The indictment offers one of the clearest insights yet into the shadowy world of offensive cyber contracting — a common practice among the world's superpowers.
The Justice Department also seized the web infrastructure that both the Silk Typhoon and I-Soon hackers used in their attacks.
A spokesperson for the Chinese embassy did not immediately respond to a request for comment.
Zoom in: According to one indictment, I-Soon hacked a range of U.S. victims, including:
  • The Defense Intelligence Agency, the Department of Commerce and the International Trade Administration;
  • Two New York City-based newspapers, including one that publishes news related to China and is opposed to the Chinese Communist Party;
  • A massive religious organization with millions of members;
  • The New York State Assembly and a state research university;
  • A D.C.-based news service that "delivers uncensored domestic news to audiences in Asian countries, including China;" and
  • Several foreign ministries across southeast Asia.
Meanwhile, according to a second indictment, the two hackers linked to Silk Typhoon targeted:
  • U.S. technology and defense contractors working with the Pentagon and intelligence agencies;
  • A university-based academic health system with servers in California;
  • A major law firm with hundreds of attorneys specializing in corporate and intellectual property;
  • A municipal government in the U.S.; and
  • A D.C. think tank specializing in defense policy and a law firm that works on IP theft issues.
Between the lines: The indictment reveals new details about how I-Soon worked with Beijing, including how much it charged, how long it worked on these efforts and more.
I-Soon is believed to have worked with at least 43 different bureaus of China's Ministry of State Security and Ministry of Public Security across 31 different provinces and municipalities, according to the FBI.
The company also charged the agencies between $10,000 and $75,000 for each email inbox it successfully hacked, according to the indictment.
Sometimes I-Soon worked at the direction of the agencies and other times it would conduct its own hacks and then sell either the network access or data stolen from those targets to the Chinese government.
The intrigue: I-Soon would train Chinese government employees to hack on their own, and it sold various tools to help them carry out their attacks.
One of those products gave customers the ability to write phishing emails, create malware-laced files and clone websites, according to the U.S. Justice Department.
Reality check: China is unlikely to extradite the indicted individuals, but the charges do bar them from traveling to the United States or allied countries where they could be arrested.
Go deeper: Leaked documents detail inner-workings of China's vast hacking operations
