  • 21 Aug, 2019

  • By Wikipedia

Hubei State Security Department

The Hubei State Security Department (HSSD; Chinese: 湖北省国家安全厅) is the regional branch of the Chinese Ministry of State Security (MSS) responsible for national security and secret policing in Hubei province of central China. Founded in 1993, it is headquartered in the provincial capital of Wuhan, with subordinate offices in cities and towns across the province.

The department is best known for operating the advanced persistent threat 31 (APT 31).

History

The Hubei State Security Department was established on November 29, 1993, after the province was included among the localities approved by the Central Committee of the Communist Party and the State Council to receive a dedicated unit during the fourth and, to date, final round of major expansions of the MSS. Among the dignitaries in attendance for the department's inaugural meeting were Jia Chunwang, then–Minister of State Security; and Guan Guangfu, Secretary of the Provincial Party Committee.

Advanced persistent threat

The Hubei State Security Department is widely understood to be the operator behind the advanced persistent threat designated APT 31 by Mandiant, also known as Judgment Panda by CrowdStrike, Zirconium or Violet Typhoon by Microsoft, RedBravo by Recorded Future, Bronze Vinewood by SecureWorks, TA412 by Proofpoint, or Red Keres by PricewaterhouseCoopers.

APT 31 is run directly by the Hubei SSD, likely without much input from MSS headquarters, with the group staffed by intelligence officers of the Hubei SSD as well as outside contractors employed through cutout organizations and front companies. APT 31 is known to have successfully executed attacks against targets in the United States, United Kingdom, France, Germany, Norway, Finland, Mongolia, Russia, and throughout Eastern Europe.

According to the United States, in 2010, the HSSD established Wuhan Xiaoruizhi Science and Technology Company, Limited (Chinese: 武汉晓睿智科技有限责任公司, aka Wuhan XRZ) as a front company to carry out cyber operations. This activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists and their families, as well as persons and companies operating in areas of national importance. In 2018, employees of Wuhan XRZ conducted a cyber operation on a Texas-based energy company, gaining unauthorized access.

Indictments and investigations

United States

In March 2024, the United States and United Kingdom jointly indicted and sanctioned members of the Hubei SSD for a wide range of cyber operations against the two countries.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) designated Zhao Guangzong and Ni Gaobin as Specially Designated Nationals. OFAC charged that, as a contractor for Wuhan XRZ, Zhao was behind the 2020 APT 31 spear-phishing operation against the United States Naval Academy and the United States Naval War College's China Maritime Studies Institute. Additionally, Zhao is charged with conducting numerous spear-phishing operations against Hong Kong legislators and democracy advocates. Ni Gaobin is charged with assisting Zhao in his most high-profile malicious cyber activities while Zhao was a contractor at Wuhan XRZ.

The US Department of Justice also unsealed indictments charging Zhao Guangzong, Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), and Xiong Wang (熊旺) for their involvement in malicious operations coordinated by Wuhan XRZ over a span of roughly 14 years. Ending in January 2024, these operations targeted U.S. critical infrastructure, as well as U.S. businesses and politicians, in support of China's foreign intelligence and economic espionage objectives.

United Kingdom

Joining US officials in announcing the indictment, the UK Foreign Office accused the group of targeting the British Parliament, hacking the GCHQ intelligence agency, and breaching systems of the UK's Electoral Commission.

Finland

One day after the US and UK charges, the Finnish Security and Intelligence Service revealed APT 31 as the actor responsible for a cyber breach of the country's parliament disclosed in March 2021. The country revealed that the National Bureau of Investigation is pursuing charges including aggravated espionage against members of the group.

Russia

In August 2022, Moscow-based Positive Technologies attributed a cyberattack on Russian media and energy companies to APT 31 based on a range of consistencies in attack methodology and software used in similar attacks.

In 2023, Moscow's Kaspersky assessed that APT 31 was capable of exfiltrating data from air-gapped systems.

Facilities

The HSSD is based out of the headquarters facility shared with the Ministry of Public Security headquarters for the province at 180 Xiongchu Blvd, in the Wuchang District of Wuhan. According to the U.S. Department of Justice, the HSSD has another facility at Bayi Road in the Wuchang District.

List of directors

Name          | Chinese name | Entered office       | Left office      | Time in office
Deng Fanquan  | 邓凡全       | Position established | January 14, 2000 | 6 years
Liu Zhangtang | 刘章棠       | January 14, 2000     | March 31, 2006   | 6 years, 2 months
Zhu Xiaolin   | 朱小林       | March 31, 2006       | January 13, 2016 | 9 years, 11 months
Zhang Qikuan  | 张其宽       | January 13, 2016     | 2018             | 2 years
Tu Hongjian   | 涂红剑       | 2018                 | Present          | Incumbent
