Full Report
The U.S. Department of Justice (DoJ) has announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally. The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun
Analysis Summary
# Threat Actor: Aquatic Panda (and associated entities/actors)
## Attribution & Identity
The threat actors are 12 Chinese nationals, explicitly including officers from the **People's Republic of China's (PRC) Ministry of Public Security (MPS)** and employees of the ostensibly private company, **Anxun Information Technology Co. Ltd. (i-Soon)**.
**Known Aliases and Associated Groups:**
* **Aquatic Panda** (FBI Moniker, aka RedHotel)
* **APT27** (Advanced Persistent Threat 27)
* **Associated APT Names:** Budworm, Bronze Union, Emissary Panda, Lucky Mouse, Iron Tiger
* **Overlapping Activity:** Silk Typhoon, UNC5221, UTA0178
* **Named Individuals Linked to APT27/Hacking:** Yin Kecheng (YKC), Zhou Shuai (Coldface)
## Activity Summary
The actors conducted a wide-ranging scheme involving computer intrusions designed to steal data and suppress free speech globally, operating either as freelancers, employees of i-Soon, or at the clear direction of the PRC's **MPS and Ministry of State Security (MSS)**.
* **Duration:** At least from 2016 through 2023.
* **Modus Operandi:** MPS/MSS employed i-Soon and other private contractors to conduct intrusions and steal data while actively obscuring government involvement.
* **Motivation for Profit/Sale:** i-Soon allegedly sold stolen data to at least 43 different bureaus of the MSS or MPS across 31 provinces/municipalities after conducting intrusions either on direct request or on their own initiative. They charged significant amounts for data, estimated between $10,000 and $75,000 per successfully exploited email inbox.
* **Transnational Repression:** Some intrusions were conducted specifically for transnational repression purposes at the direction of the MPS, targeting overseas critics and dissidents.
* **Training & Tool Sales:** i-Soon also trained MPS employees in hacking techniques and sold offensive tools and zero-day vulnerabilities.
* **Specific Historic Activity:** The named individuals (Zhou Shuai and Yin Kecheng) are accused of for-profit hacking conspiracies and data theft dating back to 2011, often utilizing the **PlugX** malware.
## Tactics, Techniques & Procedures
The TTPs focus heavily on initial access, data exfiltration, and account takeover, often bundled as commercial services:
* **Initial Access/Credential Theft:** Deploying custom malware to gain remote access after an initial infection (likely delivered via phishing).
* **Phishing Capabilities:** Utilization of an **"Automated Penetration Testing Platform"** capable of sending malicious phishing emails and creating cloned websites to harvest sensitive information.
* **Password/MFA Bypass:** Selling a **"Divine Mathematician Password Cracking Platform."**
* **Email and Social Media Account Takeover:** Specialized software capable of compromising accounts on platforms like **Microsoft Outlook, Gmail, and X (Twitter)**, sometimes bypassing Multi-Factor Authentication (MFA) via spear-phishing links delivered to the victim.
* **Post-Compromise Actions (Twitter):** After compromising an X account, the actors could send/delete tweets, forward messages, comment, and like posts, often using the compromised accounts for **"Public Opinion Guidance and Control."**
* **Malware Usage (Historical):** PlugX malware, cited in connection with the named APT27 actors.
* **Infrastructure Seizure:** The DoJ seized four domains linked to the operation: `ecoatmosphere[.]org`, `newyorker[.]cloud`, `heidrickjobs[.]com`, and `maddmail[.]site`.
## Targeting
* **Sectors:** Religious organizations, state legislative bodies, **U.S. Government Agencies**, **News Organizations**, and companies/municipalities.
* **Geography:** Global intrusions, with specific mention of targeting entities in the **United States** and **ministries of foreign affairs of multiple governments in Asia.**
* **Victims:** Prominent **overseas critics/dissidents** of the PRC government; various government entities globally; a large U.S. religious organization.
## Tools & Infrastructure
* **Malware Families Used:** PlugX (historically linked).
* **Commercial Platforms Sold:** "Automated Penetration Testing Platform," "Divine Mathematician Password Cracking Platform," and specialized X/Twitter account control software ("Public Opinion Guidance and Control Platform (Overseas)").
* **Infrastructure (Defanged Domains Seized):** `ecoatmosphere[.]org`, `newyorker[.]cloud`, `heidrickjobs[.]com`, `maddmail[.]site`
* **Government Infrastructure:** MPS and MSS offices across various PRC provinces acted as customers/handlers.
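The four seized domains above are published in defanged form (`[.]`), so a defender who wants to sweep DNS or proxy logs for past contact with that infrastructure has to refang them and match on the domain or any of its subdomains, not on a bare substring (a lookalike such as `notmaddmail.site`, or the seized name buried inside a longer host, should not fire). The following is an added example, not code from the DoJ release or from any of the groups named on this page; the log line format and the log lines themselves are constructed for the demonstration, and only the four domains come from the report.

```python
import re
from typing import List, Optional, Tuple

# The seized domains exactly as published in the report (defanged with "[.]").
SEIZED_DOMAINS_DEFANGED = [
    "ecoatmosphere[.]org",
    "newyorker[.]cloud",
    "heidrickjobs[.]com",
    "maddmail[.]site",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form so it can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def defang(indicator: str) -> str:
    """Defang a domain again for safe inclusion in a report or ticket."""
    return indicator.replace(".", "[.]")


# Refanged set used for matching.
SEIZED_DOMAINS = {refang(d) for d in SEIZED_DOMAINS_DEFANGED}

# Rough hostname extractor: pulls dotted names out of URL fields, DNS query
# fields and similar key=value logs. Assumed log layout, not a real product's.
HOST_RE = re.compile(
    r"(?:^|[\s=/@])((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\s:/,;|\"']|$)",
    re.IGNORECASE,
)


def matched_domain(host: str) -> Optional[str]:
    """Return the seized domain that `host` equals or is a subdomain of, else None.

    Suffix matching on a label boundary ("." + domain) avoids false positives
    on lookalikes (notmaddmail.site) and on hosts that merely contain the
    seized name as an inner label (heidrickjobs.com.evil.example).
    """
    host = host.lower().rstrip(".")
    for domain in SEIZED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (line_no, observed_host, defanged_indicator) per hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for match in HOST_RE.finditer(line):
            host = match.group(1)
            domain = matched_domain(host)
            if domain:
                hits.append((line_no, host.lower(), defang(domain)))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample lines (not real telemetry): two true hits, three decoys.
SAMPLE_LOG_LINES = [
    "2025-03-05T14:02:11Z dns host=ws-017 qname=mail.newyorker.cloud qtype=A",
    "2025-03-05T14:03:40Z proxy user=jdoe url=https://ecoatmosphere.org/login.php status=200",
    "2025-03-05T14:04:02Z proxy user=jdoe url=https://www.newyorker.com/ status=200",
    "2025-03-05T14:05:19Z dns host=ws-022 qname=notmaddmail.site qtype=A",
    "2025-03-05T14:06:33Z dns host=ws-022 qname=heidrickjobs.com.evil.example qtype=A",
]


if __name__ == "__main__":
    for line_no, host, indicator in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {host} matches seized domain {indicator}")
```

Run against the constructed lines, only lines 1 and 2 are reported; the `newyorker.com` lookalike, `notmaddmail.site` and the host with `heidrickjobs.com` as an inner label are correctly ignored. In practice the same matcher can be pointed at exported DNS, proxy or mail gateway logs, and a hit should be treated as a lead for investigation of the period before the seizure rather than as proof of compromise on its own.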
## Implications
This case exposes a sophisticated, state-sponsored hacking ecosystem leveraging nominally private companies (like i-Soon) to conduct espionage, theft, and **transnational repression** while maintaining plausible deniability for the PRC government (MPS/MSS). The focus extends beyond typical state espionage to include the monetization of stolen data and the active suppression of overseas political dissent through cyber means. The documented capability to bypass MFA on major platforms represents a significant threat to organizational security.
## Mitigations
* **Strengthen MFA:** Review and reinforce Multi-Factor Authentication across all critical services (especially email and social media), considering context-aware or phishing-resistant MFA solutions where possible, given documented MFA bypass capabilities.
* **Phishing Awareness:** Enhance training focusing on spear-phishing, credential harvesting site cloning, and unusual account activity (especially on social media platforms like X/Twitter).
* **External Communications Monitoring:** Organizations or individuals critical of the PRC government should assume heightened risk of targeted espionage, including email and social media monitoring.
* **Network Defense:** Monitor for indicators related to previously known state-sponsored Chinese malware families, such as PlugX.
* **Supply Chain Security:** Scrutinize third-party vendors, especially those operating in the security or IT services space within China, due to the documented use of private contractors for state operations.