The indictments help to solve a mystery for the cybersecurity researchers tracking the group. Over more than half a decade, it has carried out a series of shocking supply chain attacks, hijacking the update mechanisms of Asus laptops and of the CCleaner system-cleaning utility, for instance, to silently plant malicious code on millions of computers. But it has also long appeared to have distinct subgroups, sometimes believed to be Ministry of State Security hackers moonlighting as cybercriminals targeting video game firms. Now it appears instead that, rather than moonlighting, one element of Barium was in fact a contracted organization that included hackers with a long cybercriminal past.
The company the alleged hackers worked for, Chengdu 404, advertises itself as a cybersecurity firm offering white hat hacking and penetration testing, and publicly boasts of customers among Chinese security agencies and the military. But the indictment includes communications in which Jiang Lizhi, the vice president of the company’s technical department, allegedly refers to his past as a cybercriminal and brags that his connections to China’s Ministry of State Security protect him from domestic law enforcement. Sherwin noted repeatedly Wednesday that the group’s targeting of pro-democracy groups indicates that it at times had motivations other than criminal gain.
“These for-profit criminal activities took place with the tacit approval of the government of the People’s Republic of China,” said FBI special agent in charge James Dawson at Wednesday’s press conference. “This investigation is another example of the blended threat increasingly seen in cyber investigations.”
The Ministry of State Security likely began enlisting groups like Chengdu 404 after the landmark “Xi Agreement,” when the Chinese and US governments pledged in 2015 to cease any hacking that targeted private sector companies for economic advantage, says Adam Meyers, vice president of intelligence at security firm CrowdStrike. “I think [the hackers] probably ran in the same circles and created a company that became a contract element of the Ministry of State Security when they started outsourcing,” says Meyers. “By outsourcing you’re moving into plausible deniability and creating some distance from sanctioned activity.”
The indictments make clear, too, that it was the Chengdu 404 hackers who carried out some of Barium’s most notorious supply chain attacks. By naming the group as responsible for a piece of malware known as ShadowPad, it links them to operations that planted variants of that malware in legitimate software, including that of Asus, CCleaner, and NetSarang, a Korean maker of enterprise remote-management tools. “These were some of the most massive supply chain attacks in history,” says Costin Raiu, the head of security firm Kaspersky’s Global Research & Analysis Team. “Connecting these guys with those attacks is very significant.”
As is often the case with indictments of foreign cyberspies, the five indicted hackers remain at large, charged only in absentia. Only the two alleged Malaysian accomplices were arrested. But the Justice Department argued that the charges send a signal to Chinese cybercriminals—and the Chinese government agencies that collaborate with and protect them—that the United States often has deep visibility into their activities and will hold them accountable.