
The U.S. Department of Justice (DoJ) has unsealed two major indictments against 12 Chinese nationals linked to state-sponsored cyber espionage campaigns targeting U.S. government agencies, defense contractors, technology firms, and international entities.
The defendants, operating through hacking groups and front companies, allegedly acted at the direction of the Chinese government, stealing sensitive data for intelligence gathering and financial gain.
APT27 and i-Soon hackers indicted
A federal court in Washington, D.C. unsealed two indictments against Yin Kecheng (尹可成), aka “YKC,” and Zhou Shuai (周帅), aka “Coldface,” who are accused of leading a sophisticated hacking operation under the well-known Chinese threat group APT27 (also known as Emissary Panda, Bronze Union, and Lucky Mouse). Since 2011, these hackers allegedly infiltrated U.S. federal agencies, defense contractors, think tanks, and universities, stealing sensitive data that was later sold through Chinese data brokers.
At the same time, in New York, federal prosecutors charged 10 more Chinese nationals connected to i-Soon, a Chinese cybersecurity firm that allegedly acted as a front for state-sponsored cyber operations. Eight of the defendants were i-Soon employees, while two were Chinese government officials from the Ministry of State Security (MSS) and the Ministry of Public Security (MPS). According to the indictment, i-Soon worked with at least 43 different MSS and MPS bureaus, hacking foreign governments, religious organizations, media outlets, and dissidents critical of the Chinese Communist Party.
Chinese hacking operations
According to court documents, both APT27 and i-Soon used sophisticated techniques to penetrate hardened targets, including exploiting zero-day vulnerabilities to gain unauthorized access, installing malware and web shells to maintain persistent access, using Virtual Private Server (VPS) accounts to disguise hacking infrastructure, and running spear-phishing campaigns to steal credentials and compromise systems.
APT27 hackers allegedly breached the U.S. Department of Treasury in January 2025, leading to sanctions against Yin Kecheng. Other victims included U.S. state and local governments, defense contractors, and technology firms, all of whom suffered millions of dollars in damages.
The i-Soon group reportedly targeted:
- The U.S. Defense Intelligence Agency and U.S. Department of Commerce
- Religious organizations and media outlets critical of the Chinese government
- Foreign ministries of Taiwan, India, South Korea, and Indonesia
- New York-based newspapers covering Chinese politics
- A Texas-based human rights organization advocating for religious freedom in China
Documents also reveal i-Soon's sale of hacking tools, including the “Automated Penetration Testing Platform,” a tool for sending phishing emails and malware-laced files; the “Divine Mathematician Password Cracking Platform,” a program designed to break into online accounts; and the “Public Opinion Guidance and Control Platform (Overseas),” software for hijacking social media accounts like Twitter (X) to monitor and influence public discourse.
Law enforcement actions
As part of the crackdown, U.S. authorities seized internet domains linked to Yin Kecheng that were used for cyber intrusions, as well as a VPS account operated by Zhou Shuai that facilitated data theft. The U.S. Department of the Treasury also announced sanctions against Zhou Shuai and his company, Shanghai Heiying Information Technology Co., Ltd.

The U.S. Rewards for Justice program is offering up to $10 million for information leading to the identification or arrest of these cybercriminals. Anyone with relevant intelligence is encouraged to submit tips through Rewards for Justice.