US charges 12 Chinese hackers in major government-backed espionage campaign

News

06 Mar 2025

Justice Department unveils indictments against Silk Typhoon group members, seizes domains in escalating cybersecurity standoff.

US authorities have announced criminal charges against 12 Chinese nationals allegedly involved in a long-running cyber-espionage campaign tied to China’s government.

The Justice Department (DOJ) and the FBI also announced the seizure of internet domains linked to the Silk Typhoon hacking group, which is accused of breaching US government agencies and high-profile organizations.

“These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s (People’s Republic of China) Ministry of Public Security (MPS) and Ministry of State Security (MSS) and on their own initiative,” the DOJ said in a statement.

China’s hacker-for-hire industry

According to court documents, among those charged are two officers from China’s Ministry of Public Security (MPS), while the remaining ten worked for Anxun Information Technology, commonly known as i-Soon, a private firm allegedly connected to China’s APT27 hacking group, also called Silk Typhoon.

The hackers reportedly operated both as company employees and as freelancers, conducting attacks at the direction of China’s MPS and MSS while being “motivated by profit,” according to prosecutors.

“Each of these defendants played a critical role in the PRC government hacker-for-hire ecosystem, which by any measure, has gotten out of control,” the DOJ statement added.

The indictments name Wu Haibo, i-Soon’s chief executive officer; Chen Cheng, its chief operating officer; and sales director Wang Zhe, along with multiple technical staff members. Also charged were Wang Liyu and Sheng Jing, identified as MPS officers directly involved in the operation.

Lucrative cyber mercenary operation

The financial scope of the operation was substantial, with i-Soon reportedly charging Chinese government ministries between $10,000 and $75,000 per compromised email inbox, plus additional fees for analyzing stolen data, the DOJ statement added.

This scheme generated millions for both the company and individual hackers. Notably, Silk Typhoon is the same group responsible for the 2021 Microsoft Exchange Server zero-day exploits that targeted Western intelligence and defense agencies. At that time, Microsoft tracked the group under the name Hafnium.

The scale and sophistication of the operations indicate a well-established infrastructure with significant resources, suggesting years of development and refinement of hacking techniques specifically designed to evade detection by US cybersecurity systems.

Extensive victim profile

The indictments describe a wide-ranging campaign affecting numerous high-value American targets, including a technology and defense contractor serving the Department of Defense, Department of Homeland Security, and intelligence agencies; a major US law firm; a managed communications provider of Microsoft Exchange email services; a county government; a university healthcare system operating multiple hospitals; and a defense policy think tank.

The breadth of targets demonstrates the strategic nature of the campaign, targeting not only government entities but also the broader ecosystem of organizations that support critical national infrastructure and security operations. This approach allows the hackers to acquire sensitive information through various entry points in the supply chain.

Two previously indicted individuals, Yin KeCheng and Zhou Shuai, were specifically named in a seizure warrant as having “facilitated and profited from some of the most significant Chinese-based computer network exploitation schemes against US victims.” Their activities reportedly date back to 2013, indicating a persistent and long-term espionage effort.

Domain seizures and bounties

In addition to the indictments, authorities announced court-authorized seizures of i-Soon internet domains linked to December 2024 Treasury Department network intrusions and other breaches. These domains served as command and control infrastructure for the hacking operations.

The State Department has offered bounties of up to $2 million for information leading to the arrest or conviction of two key alleged Silk Typhoon members, though officials acknowledged the limited likelihood of China allowing any arrests.

This move represents an escalation in US response tactics, combining law enforcement actions with financial incentives to disrupt the hacking operations and potentially create internal discord within the hacking groups.

Implications for enterprise security

For enterprise security teams, the indictments reveal critical insights into the operational methods of state-sponsored threat actors. The use of private contractors and the establishment of financial incentives for data theft demonstrate the commercialization of cyberespionage, creating new challenges for defensive strategies.

Organizations should reevaluate their security postures in light of these revelations, with particular attention to potential compromise of email systems, which appear to be highly valued targets. The involvement of managed service providers in the victim list also highlights the importance of supply chain security and vendor risk management.

The revelations about specific pricing for compromised email inboxes provide unprecedented visibility into the economics driving these attacks and may help organizations better prioritize their defensive investments based on adversary incentives.