Explainer | US-China tech war: who is the little-known Chinese firm in the crosshairs of US for alleged cyberattacks?
- Hainan Xiandun is alleged to be behind the hacking of computer systems in the US and other countries
- The targeted cyberattacks were launched between 2011 and 2018
A federal grand jury in San Diego, California returned the indictment, which alleged that the cyberattacks stole information that was of significant economic benefit to China’s companies and commercial sectors, according to an announcement by the US Department of Justice.
The four defendants and their conspirators from the State Security Department in southern Hainan province “sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co”, the Justice Department said.
The following information gathered about Hainan Xiandun is based on available public reports, corporate registry information and previous disclosures.
What is Hainan Xiandun?
The company, whose name means “magic shield”, was incorporated in 2011 by a person named Fu Chuanli with a registered capital of 2 million yuan (US$308,250). Its registered address is the ground floor of the library on the campus of Hainan University, in the provincial capital of Haikou. The company does not have a website.
It did not pay social insurance for any of its personnel in the period 2013 to 2017, according to Tianyacha, a Chinese corporate registry information website. Reports from 2018 were not available.
Recruitment advertisements posted on job markets and university websites showed that Hainan Xiandun needed computer engineers and linguists proficient in different languages.
On a job advertisement posted on the website of southwest China’s Sichuan University in 2018, Hainan Xiandun sought out software developers and so-called penetration testers, while describing itself as a company looking to become “the leading provider of information safety products and services in China”.
The advertisement touted the company’s robust network safety platform, which it said had helped it win many confidential public sector projects, making it the go-to brand in network safety for “local governments”, “actors in the arms industry” and “public security organs”.
Successful recruits were expected to “track the latest developments in network safety loopholes” as well as “analyse malicious codes” and provide risk assessments. Hainan Xiandun promised a base salary of more than 150,000 yuan per year, apart from project bonuses and annual bonuses. Project bonuses can reach up to 100,000 yuan, while annual bonuses are no less than two months of an employee’s salary.
Between 2017 and 2018, the company specifically looked to hire translators skilled in English and Cambodia’s Khmer language. Other advertisements sought entry-level talent who can “research and track the shifting landscapes inside and outside China before providing accurate analyses and assessments”.
Does the company still exist?
Hainan Xiandun, according to the Department of Justice announcement on Monday, has already been disbanded.
The South China Morning Post tried to call the company several times, but each time someone hung up. There was no immediate response to emailed questions.
Hainan Xiandun’s activity had been previously identified by private sector security researchers, who have referred to the group as Advanced Persistent Threat 40 (APT40), BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper.
Hacker group Intrusion Truth, which has linked Hainan Xiandun to China’s state security apparatus, previously published a screenshot of a post from the Chinese social networking site Renren. The post said Ding Xiaoyang, one of the indicted defendants, joined the Hainan branch of the Ministry of State Security (MSS) after his studies as a computer science major at the University of Wuhan in 2009.
The Post was not able to independently verify that claim. In a blog post in 2020, Intrusion Truth described Hainan province as home to at least a dozen network security companies with links to Hainan Xiandun. Some companies share the same legal representative with Hainan Xiandun – a person named Fu Chuanli – and others have job advertisements with the same contact person and phone number.
What were the charges against the company?
The two-count indictment against Hainan Xiandun personnel Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin alleged that they were officers of the Hainan State Security Department, responsible for overseeing computer hackers and linguists at Hainan Xiandun and other front companies of China’s Ministry of State Security (MSS).
It also alleged that Wu Shurong was a computer hacker at Hainan Xiandun, where he created malware, accessed computer systems operated by foreign governments, companies and universities, and supervised other hackers in the company.
Their hacking campaigns, according to the Justice Department, covered the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the UK. Targets included the aviation, defence, education, government, health care, biopharmaceutical and maritime industries.
Stolen trade secrets and confidential business information included sensitive technologies used for submersibles and autonomous vehicles, speciality chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country. At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, Mers, HIV/Aids, Marburg and tularaemia.
In the indictment, the department showed a picture of Ding receiving an award from the MSS for being a leader in contributing to national security in 2018.
The four defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit economic espionage, which carries a maximum sentence of 15 years in prison.
What was Beijing’s response?
Without going into any detail about Hainan Xiandun, the Chinese government rejected the US allegations against the four mainland citizens named in the indictment.
The Chinese embassy in Washington said the US lacked evidence to prove its allegations, while also describing the action against the four accused as “irresponsible” and “ill-intentioned”.
“The Chinese government and relevant personnel never engaged in cyberattacks or cyber theft,” embassy spokesman Liu Pengyu said on Tuesday. “We urge the US to immediately stop its ‘empire of hacker’ campaign and stop illegally damaging other countries’ interests and security.”
Liu also reminded Washington’s allies that “US agencies have been engaging in large-scale, organised and indiscriminate cyber intrusion, surveillance and monitoring activities on foreign governments, institutions, enterprises, universities and individuals, including on its allies”.
Additional reporting by Bobo Chan.