Image: Department of Justice/Motherboard composite
The US government accused four Chinese hackers working for a cybersecurity company of actually being spies tasked with stealing secrets all over the world. On Monday, the US Department of Justice accused Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, and Wu Shurong of hacking crimes. Xiaoyang, Qingmin, and Yunmin were allegedly working for China's Ministry of State Security under the cover of a company called Hainan Xiandun, which purportedly provided cybersecurity services. And Shurong was allegedly one of the hackers working for the company. The four were all part of a hacking group known in the industry as APT 40, according to the feds.
In the indictment, the DOJ lists 21 victims without naming them, which include research facilities in the US, universities, defense contractors, and foreign government agencies in Cambodia, Saudi Arabia, and Malaysia. As part of their hacking activities, the four allegedly used popular internet services such as LinkedIn and GitHub. In January of 2018, the hackers hid "stolen trade secrets and proprietary hydroacoustic data" inside pictures of Donald Trump and a koala, according to the indictment.
The hackers hid the stolen data using a technique called steganography, according to the indictment. Steganography is a way of hiding data inside pictures that, at first glance, look like any ordinary image you'd see while surfing the internet. It's a technique "concerned with making information invisible entirely, or hiding it in plain sight," as we wrote in our Guide to Steganography. Steganography has been used to hide the complete works of William Shakespeare in a grainy picture of the writer posted on Twitter, and to exchange messages on a jihadi encrypted messaging app.

The four hackers named by the Department of Justice aren't even the first Chinese hackers to use the technique. In 2019, security researchers said they found another Chinese hacking group, dubbed APT15, using steganography to distribute malware.

The Chinese embassy in Washington D.C. did not immediately respond to a request for comment.
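The indictment does not say which steganographic method was used. The following is an added example, not part of the Motherboard article or the DOJ filing, showing how a defender can check for one of the simplest and most common forms: payload bytes appended after an image's terminating marker (the PNG IEND chunk or the JPEG EOI marker), which image viewers silently ignore. The sample PNG and JPEG skeleton are constructed inline; the JPEG is structurally valid but not a decodable picture.

```python
"""Flag image files that carry data after their end-of-image marker.

Added example (not from the article or the indictment). Assumes the
appended-payload form of steganography; it will not detect payloads
embedded in pixel values (e.g. least-significant-bit methods).
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Byte values that may follow 0xFF inside JPEG entropy-coded data without
# being a real marker: 0x00 (byte stuffing) and 0xD0..0xD7 (restart markers).
JPEG_NON_MARKERS = {0x00, *range(0xD0, 0xD8)}


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a minimal valid 8-bit grayscale PNG."""
    raw = b"".join(b"\x00" + bytes([0x80] * width) for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw))
            + _png_chunk(b"IEND", b""))


def make_jpeg() -> bytes:
    """Constructed sample: a JPEG skeleton (SOI, APP0, SOS, scan data, EOI).

    The scan data deliberately contains a stuffed FF00 and an RST0 marker so
    the parser is exercised on the cases where a naive FFD9 search goes wrong.
    """
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments and return the offset just past the EOI marker."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if pos + 4 > len(data):
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in JPEG_NON_MARKERS:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (empty for a clean file)."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        end = jpeg_end_offset(data)
    else:
        raise ValueError("unsupported image format")
    return data[end:]


def scan_images(samples: dict) -> dict:
    """Map each file name to the number of trailing bytes, for files that have any."""
    return {name: len(trailing_bytes(blob)) for name, blob in samples.items()
            if trailing_bytes(blob)}


if __name__ == "__main__":
    # Constructed inputs: two clean images and two with appended data.
    inputs = {
        "clean.png": make_png(),
        "clean.jpg": make_jpeg(),
        "suspect.png": make_png() + b"constructed payload",
        "suspect.jpg": make_jpeg() + b"\x00constructed payload",
    }
    print(scan_images(inputs))
```

Trailing data is only a signal, not proof of exfiltration: some legitimate tools leave metadata or padding after the end marker, so a hit should be triaged by inspecting the appended bytes (entropy, known archive or encryption headers) before acting on it.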