Silk Typhoon Hackers Indicted

Lots of interesting details in the story:

The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27, or Silk Typhoon, which prosecutors say was involved in the US Treasury breach late last year.

[…]

According to prosecutors, the group as a whole has targeted US state and federal agencies, foreign ministries of countries across Asia, Chinese dissidents, US-based media outlets that have criticized the Chinese government, and most recently the US Treasury, which was breached between September and December of last year. An internal Treasury report obtained by Bloomberg News found that hackers had penetrated at least 400 of the agency’s PCs and stole more than 3,000 files in that intrusion.

The indictments highlight how, in some cases, the hackers operated with a surprising degree of autonomy, even choosing targets on their own before selling stolen information to Chinese government clients. The indictment against Yin Kecheng, who was previously sanctioned by the Treasury Department in January for his involvement in the Treasury breach, quotes from his communications with a colleague in which he notes his personal preference for hacking American targets and how he’s seeking to ‘break into a big target,’ which he hoped would allow him to make enough money to buy a car.

Posted on March 11, 2025 at 1:14 PM • 17 Comments

Comments

ResearcherZero March 12, 2025 1:43 AM

@Morley

An international indictment typically provides a handy list for people to remember. It’s an official record of who has been charged, so they do not employ or do business with them.

If they are not charged they could still apply to work at an agency or department. Foreign actors will still continue running about doing foreign agent activities, but their travel and banking options may be more restricted. They may get flagged on a list of undesirables.

Sichuan Juxinhe Network Technology Co., LTD (Sichuan Silence) was directly involved.

Sichuan Silence has close connections with I-SOON and Topsec.

‘https://nattothoughts.substack.com/p/sichuan-silence-information-technology

ResearcherZero March 12, 2025 2:10 AM

Yin Kecheng exploited BeyondTrust to gain access to the Treasury Department. Yin along with his fellow conspirator Zhou, in 2019 also exploited Microsoft SharePoint – to break into communications, legal, technology and health companies and a think tank – to steal information regarding military designs and other information. They also targeted a contractor to the DHS, the DoD and intelligence agencies. They did a lot of breaks.

‘https://www.techtarget.com/searchsecurity/news/366617426/BeyondTrust-SaaS-instances-breached-in-cyber-attack

ResearcherZero March 12, 2025 3:00 AM

The indictments provide details of the activities of Yin Kecheng dating back over more than a decade to 2013. Some of the activity was overt but disguised using well hidden payloads.

Silk Typhoon is now moving to target supply chains through IT service providers and by exploiting vulnerabilities in applications or by gaining initial access via zero days. They also use covert networks to remain undetected and credentials captured by password sprays or recovered from repositories like GitHub found during reconnaissance and research.

There is a wide range of systems they have successfully compromised.

‘https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
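As an added example (not from the post, the comment, or any of the linked reports), a small detector for the password-spray pattern the comment names, run over constructed sample authentication log lines; the log format, IPs and usernames are invented for the demonstration:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp,source_ip,username,result
SAMPLE_LOG = """\
2025-03-05T10:00:01Z,203.0.113.7,alice,FAIL
2025-03-05T10:00:03Z,203.0.113.7,bob,FAIL
2025-03-05T10:00:05Z,203.0.113.7,carol,FAIL
2025-03-05T10:00:08Z,203.0.113.7,dave,FAIL
2025-03-05T10:00:10Z,203.0.113.7,erin,FAIL
2025-03-05T10:00:12Z,203.0.113.7,frank,SUCCESS
2025-03-05T10:01:00Z,198.51.100.2,alice,FAIL
2025-03-05T10:01:30Z,198.51.100.2,alice,FAIL
2025-03-05T10:02:00Z,198.51.100.2,alice,SUCCESS
2025-03-05T12:00:00Z,203.0.113.7,gina,FAIL
"""


def parse_log(text):
    """Parse the constructed CSV-like format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures within one sliding window touch at least
    min_users distinct accounts with no more than max_per_user failures each.
    That shape (many accounts, few tries each) is a spray; many tries against one
    account is brute force and is deliberately not flagged here."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source inside the window is the part worth
                # escalating: the spray may have landed on a weak password.
                hits = sorted({u for t, src, u, r in events
                               if src == ip and r == "SUCCESS" and start <= t <= start + window})
                alerts[ip] = {"accounts": len(per_user), "window_start": start, "successes": hits}
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, info in find_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {info['accounts']} accounts, successes={info['successes']}")
```

The second source in the sample (three tries against one account) is left unflagged on purpose, so the thresholds separate spraying from single-account brute force rather than alerting on every cluster of failures.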

DownUnder'er March 12, 2025 8:41 AM

So… wouldn’t the USA have a very easy way of bribing Chinese hackers into defecting and working FOR them? They are impoverished enough that this one hacker hoped he would be able to achieve something we in the Western hemisphere take for granted. Anyone who has a brain as capable as those men do lives a much more comfortable life on American soil.

The USA was able to gather German scientists back in the 30s-40s; they certainly could do the same to Chinese hackers these days. Although admittedly it could be a bit risky for them if the Chinese government were aware of a would-be defector’s intent, but even in that case it’s still a lesser win for the USA because China loses an asset whether the hacker sets foot on American ground or not.

Brian March 12, 2025 9:09 AM

@DownUnder’er: How do we know they’re not already on the payroll? I have so little faith in what I see, hear, and read these days… I would not be surprised if this type of thing were simply more smoke and mirrors.

Clive Robinson March 12, 2025 10:39 AM

@ DownUnder’er, Brian,

With regards,

“… wouldn’t the USA have a very easy way of bribing chinese hackers into defecting and working FOR them?”

Actually the short answer is “NO”.

The longer answer is the US shot themselves in the foot years ago so nobody with half a brain and a little knowledge of history would trust them.

In the past the US government entities / agencies have used “fake job offers” and similar to get people out from their home nation “protective cover”…

So the first question anyone should ask is “Is this a setup?” To which the answer, with quite a probability measure, is “Yes”.

Then there are all those Chinese people now dead that were recruited by the CIA, who basically dumped a “faux OpSec” Internet based system on them… China and Iran worked it out and some got “Shot to send a message”; others, well, nobody really knows.

The US set up the lousy system because they could not be bothered to check if it was actually secure to a suitable level. Clearly it was not, because those involved did not think. Worse, the “recruiters” apparently cared not a jot for the lives and well-being of those they recruited, nor did those who were involved on a day to day basis with those recruited.

The list goes on but consider something else…

The Chinese are known to “persecute the relatives, co-workers, friends, etc” not just in China or areas China has legal influence over, but in any country where they have a “friends agency”.

The purpose of the agency is to track any and all people with Chinese ancestry to at least the 5th generation. They then put pressure on these people any way they can to spy on others.

As you can imagine it’s quite hard to hide from all such people as basically anyone who has Chinese ancestry is a very real risk as they will “look after their own” and thus in effect “turn in” anyone new etc.

As the US will not protect such “human assets”, in fact it’s known that US Entities/Agencies will actually use it as “leverage”…

So in all honesty it’s not a good option.

Now add in the recent “green card cancellation” news that has gone world wide…

Most people outside of the US who have followed events this Century know, that no matter what they do, they will never ever be even “3rd Class Citizens” because they won’t be allowed to be a “citizen” and what that brings via legal protections etc.

This is what happens when you have a system that is based only on,

“Short term success, without responsibility.”

Because it creates a tsunami of,

“Long term failure.”

I’ve mentioned this before by pointing out the issue of “self entitlement” that goes with a significant imbalance on the

“Individual Rights v Social Responsibility”

Spectrum. If the nation you are in pushes “Individual Rights” and ignores or worse destroys “Social Responsibility”, you get those very unpleasant types moving up the hierarchy very rapidly. And nobody who can avoid them would willingly choose to have anything to do with them unless of course they could gain significantly (which is what certain insiders have been known to do in the past by “selling secrets”).

As has been indicated in the Bible (Galatians 6:7) and earlier,

“Do not be deceived: God is not mocked; for whatever a man sows, that will he also reap.”

(There is also the observation about dogs and their vomit to remember as well).

Winter March 12, 2025 6:34 PM

@notanonymous

The Biggest worldwide cesspool in regards to moral standards

I think you are exaggerating. There are not that many “standards” where the USA is at the bottom. There are few to none where they are at the top either.

There is one, or rather two linked standards, where the USA is “exceptional” in my opinion.

  1. The USA has legalized corruption. There are few countries where it is legal, and even a virtue, to give politicians money in return for favors
  2. What you already wrote, the US has the world’s largest prison population, in absolute numbers and per capita.

It is often implied that the prison population is the result of a corrupt justice system. That is true, but not exceptional. The root of the matter is that Americans want these people locked up, the more the better. Just as they want humans to be sacrificed.

Neither problem is new.

Winter March 13, 2025 12:24 AM

@Here Comes The Rain

and how would you know that?

Don’t take this personally, but the “I think you are exaggerating.” was referring to
@notanonymous

The Biggest worldwide cesspool in regards to moral standards

And there is ample evidence that the USA is not the country or society with lowest moral standards. Even a glance at countries like, eg, Russia, DR Congo, or Myanmar, shows that things can and do go much, much worse.

Stories like you tell have been daily life for most people in such places for decades.

Winter March 13, 2025 12:48 AM

PS (I forgot)
@Here Comes The Rain

and how would you know that?

As the philosopher Joseph de Maistre wrote:

Every nation gets the government it deserves

It has been argued what we should consider to be “deserved”. But it should always motivate you to ask yourself Am I part of the problem? Do I contribute to this sorry state of affairs?

With respect to your comment. The structural failings of US law enforcement have been known at least since the civil war. The questions then become: Why have the American people put up with such a dismal state of affairs for so long? What do people expect to gain from voting for corrupt people time and again?

Clive Robinson March 13, 2025 3:01 AM

@ Winter,

With regards,

“What do people expect to gain from voting for corrupt people time and again?”

Do they actually have any choice in the matter?

Douglas Adams summed up part of the issue by describing “The Lizard Problem”,

“Odd,” said Arthur, “I thought you said it was a democracy.”
“I did,” said Ford. “It is.”
“So,” said Arthur, hoping he wasn’t sounding ridiculously obtuse, “why don’t people get rid of the lizards?”
“It honestly doesn’t occur to them,” said Ford. “They’ve all got the vote, so they all pretty much assume that the government they’ve voted in more or less approximates to the government they want.”
“You mean they actually vote for the lizards?”
“Oh yes,” said Ford with a shrug, “of course.”
“But,” said Arthur, going for the big one again, “why?”
“Because if they didn’t vote for a lizard,” said Ford, “the wrong lizard might get in.”

Ford shrugged again.
“Some people say that the lizards are the best thing that ever happened to them,” he said. “They’re completely wrong of course, completely and utterly wrong, but someone’s got to say it.”

The problem is not with “democracy” but the evil that is “representational democracy”, which, as I’ve indicated in the past, is “A monkey’s tea party” pretending to be a “faux beauty pageant”.

As we all should know by now, with beauty pageants like XXX-USA:

1, All the entrants have won earlier pageants.
2, The winners of the earlier pageants were selected by judges, not the general populace.
3, The judges are all tied in some way to select only certain contestants.

So if 2028 happens, I expect to see lizards in swim suits throwing tea cakes at each other whilst the band on the deck plays “Hail to the chef” and “We’ll all learn together as the ship goes down”.

You are not anonymous! March 13, 2025 5:06 AM

lol, I see I did get modded, for being a bit over the top I presume. Yet tons of replies didn’t.

Just to reiterate: Please nobody get upset at Bruce for moderating out a post. This web site is like his own personal private house, not a government agency. The 1st amendment only applies to the government, limiting what it can do, not what people can do in their own personal houses. The owner of each private house (and web site) always gets to say what is and isn’t acceptable in their own house (and web site)!

Yes, I may have been exaggerating with some superlatives; I could have toned it down with more descriptive words added like “heading towards”… 🙂 Anyway, it’s bad, and I could have given more examples, but the people want the lizards and that would have caused more of a ruckus to argue against that.

You are (still) not anonymous! March 13, 2025 5:20 AM

Here’s a literal lizard-story-like example I’ve had in my own experience:

I said to my friend, “voting for xxx is like voting for Satan”

to which my friend replied with a big grin “I think Satan would make an excellent president!!”

True story. This really happened. This friend is a devout Christian, and was serious, not joking. I will not say here who xxx was, half the country would explode if I said that, and this comment would for sure be modded. It might anyway, we’ll see. You all can think it’s “the other guy” than the one you voted for. This country is so polarized, and extreme, that’s part of the issue. And there are many reasons for that.

Clive Robinson March 13, 2025 12:33 PM

@ Bruce, ALL,

The [very] Insecurity of [some] Telecom Stacks in the Wake of Salt Typhoon.

https://soatok.blog/2025/03/12/on-the-insecurity-of-telecom-stacks-in-the-wake-of-salt-typhoon/

Yup a simple “buffer overflow” found in minutes on telco software open to all…

But it gets worse, to quote the article author,

“To recap: An employee of SignalWire (which develops FreeSWITCH) came right out and said they would let people who aren’t paying for FreeSWITCH Advantage stay vulnerable until their regularly scheduled release (sometime in the Summer).”

What can I politely say other than “ouch!” Or “Perhaps there should be a policy review promptly at SignalWire”.

The thing is, I know two things,

1, People are going to say “What do you expect?” Or equivalent.
2, That it’s a very short term thinking mistake by the organisation that has long term implications on their future.

(Remember that statistic about over half of businesses that get breached publicly become at best marginal or gone only just over a financial quarter later… Well I’ve never been able to find a reliable source, but it does leave you wondering.)

But also back from the last century OS and Critical Infrastructure etc suppliers had a common policy

1, You pay a fee for upgrade patches.
2, Every one gets security patches.

I guess some were too young to get the Memo about why this was not just a good idea but why it was and is “encouraged” by various Governments.

lurker March 13, 2025 5:12 PM

@Clive Robinson

re: soatok[.]blog
Site is presenting me with a bar along the bottom of the page (where the cookie advisory often goes) warning me that I am not using an ad-blocker, and I should consider using one for my own privacy, with a link to get FF plugins. But my browser does have a builtin ad-blocker, that some commercial sites complain about, and demand that I turn it off …

Clive Robinson March 13, 2025 8:19 PM

@ lurker,

Re : Ad blocker

You say,

“… warning me that I am not using an ad-blocker… …But my browser does have a builtin ad-blocker”

It’s not my web site, and I’ve not seen the message you report.

But… I can see how both could be correct.

It all depends on what the site owner and the ad-blocker developer think is the function of an ad blocker.

Let’s say the site owner runs a lot of checks, not just for javascript but cookies of various types etc etc.

Now let us assume that the developer of your ad-blocker ‘only does a subset’ of what the site owner thinks you should do…

It also works the other way… In the past I’ve recommended everyone turns off “javascript” for good reason (and Oh boy did it upset a lot of people back when I started doing so).

However certain types of tests for ad-blocking will require the site to run “client side code” in the users web browser (something I also say should not be done).

Now if the tests are written in javascript and javascript is turned off then the tests won’t happen. Depending on how the tests are written and what they are supposed to report back this could be seen as an ad-blocker not running…

So yup it’s a bit of a conundrum.

Personally I’d blame the scuzzy types that send ads to CSAM sites to make money,

https://www.theregister.com/2025/02/08/amazon_google_accused_of_monetizing/

Because you know that if they and their shareholders are happy to do things like that for years, then there are probably no lengths / depths they would not go to to monetize you…

ResearcherZero March 13, 2025 11:24 PM

@DownUnder’er, Brian, Clive Robinson

Given what is happening at the moment, would anyone trust the ability of the US to actually keep the identities of its assets secret? Many countries do not look after assets too well at the best of times, but currently any veteran or former asset may abruptly lose any protection afforded to them without any notice. Their files may also be exposed through negligence or a data breach, due to a bunch of script kiddies, and people like Elon Musk who do not understand cyber security, networks, data security or the underlying systems.

Donald Trump signed the bill which enacted CISA. Now DOGE is undermining cyber security, national security and public safety as private business attempts to gain access to the public’s most private and sensitive data. As this is taking place, government employees tasked with guarding this sensitive data, are instead busy watching their backs, while the cyber warriors of hostile foreign governments attempt to take advantage of the chaos to gain persistence on government and private networks to steal huge hauls of sensitive data.

Laid-off employees also include staffers who worked for CISA’s Cyber Incident Response Team along with top personnel who had worked previously as longtime senior intelligence analysts.

‘https://www.wired.com/story/elon-musk-digital-coup-doge-data-ai/

CISA staff were told they were “not fit for continued employment because your ability, knowledge and skills do not fit the Agency’s current needs.”

https://www.cbsnews.com/news/cybersecurity-agencys-top-recruits-doge-cuts/
