March 27, 2024

U.S. and UK authorities impose joint sanctions on Chinese state-sponsored cyber group APT31

On March 25, 2024, the United States and the United Kingdom targeted the cyber operations of APT31, a cyber group sponsored by the People's Republic of China ("PRC") that has engaged in multiple malicious cyber operations against the United States and the United Kingdom.  OFAC joined UK authorities to designate the Wuhan Xiaoruizhi Science and Technology Company Limited ("Wuhan XRZ") and Zhao Guangzong and Ni Gaobin, two Chinese nationals affiliated with Wuhan XRZ.  The OFAC designations were imposed for their roles in malicious cyber operations that targeted high-ranking government officials and critical infrastructure sectors in the United States, while the UK designations were imposed in response to malicious cyber campaigns that targeted UK parliamentarians and the UK Electoral Commission.

According to OFAC, an Advanced Persistent Threat ("APT") is any sophisticated cyber actor or group capable of conducting "advanced and sustained malicious cyber activity, often with the goal of maintaining ongoing access to a victim's network."  Based on patterns that information security researchers observed in the perpetrators' location, victims and techniques, APT31 was identified as a malicious group of Chinese intelligence officers, hackers and support staff that had targeted senior members of the U.S. government, including members of Congress and White House staff, and critical infrastructure sectors, including the Defense Industrial Base, information technology and energy sectors.

OFAC reported that APT31 engaged in malicious cyber operations on behalf of the Hubei State Security Department ("HSSD"), which established Wuhan XRZ in 2010 as a China-based Ministry of State Security ("MSS") front company specifically to carry out cyber operations.  Wuhan XRZ reportedly engaged in cyber activities involving the surveillance of U.S. and foreign politicians, journalists and pro-democracy activists.  In 2018, Wuhan XRZ also allegedly gained unauthorized access to a Texas-based energy company.  OFAC further reported that the newly designated individuals were responsible for spear-phishing operations against the U.S. Naval Academy and the U.S. Naval War College's China Maritime Studies Institute in the United States.

The OFAC designations were imposed pursuant to Executive Order 13694, as amended by Executive Order 13757, for being responsible for or complicit in cyber-enabled activities originating from outside the United States that pose a significant threat to national security.  As a result of these designations, all property and interests in property of the designated persons that are in the United States or in the possession or control of a U.S. person are blocked, and U.S. persons are generally prohibited from engaging in transactions involving a designated person.  Entities owned 50 percent or more by one or more blocked persons are also blocked.

In addition to the imposition of sanctions, on March 25, 2024, federal prosecutors in New York unsealed an indictment charging seven hackers who operated as part of APT31 with conspiracy to commit computer intrusions and conspiracy to commit wire fraud.  According to federal prosecutors, the PRC-based hacking group spent nearly 14 years targeting PRC critics as well as U.S. and foreign politicians and businesses in an effort to advance the economic espionage and foreign intelligence objectives of the PRC.

On March 25, 2024, while announcing the new cyber designations, the UK government reported that, according to the National Cyber Security Centre ("NCSC"), the cyber attacks on the UK Electoral Commission between 2021 and 2022, which most likely compromised the Commission's systems, were performed by a Chinese state-affiliated entity.  The NCSC also determined that APT31 was most likely responsible for reconnaissance activity against UK parliamentarians during a separate campaign in 2021, a campaign that was unsuccessful because no parliamentary accounts were compromised.

The UK designations were imposed by the Office of Financial Sanctions Implementation ("OFSI") under the Cyber (Sanctions) (EU Exit) Regulations 2020 (SI 2020/597), which subject designees to asset freezes and travel bans in the United Kingdom and prohibit UK persons from making funds or economic resources available to listed persons.

U.S. Department of Treasury Press Release | UK Government Press Release | OFSI Financial Sanctions Notice – Cyber