Hubei State Security Department

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Abovfold (talk | contribs) at 20:52, 19 April 2024. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Hubei State Security Department
湖北省国家安全厅
[Image: Seal of the Ministry of State Security]
[Image: HSSD headquarters in Wuhan]
Department overview
Formed: 29 November 1993
Jurisdiction: Hubei province
Headquarters: No. 180 Xiongchu Boulevard, Wuchang, Wuhan, Hubei
  30°31′03″N 114°20′02″E / 30.51755°N 114.33385°E / 30.51755; 114.33385
Employees: Classified
Annual budget: Classified
Department executive:
  • Tu Hongjian (涂红剑), Director
Parent ministry: Ministry of State Security

The Hubei State Security Department (HSSD; Chinese: 湖北省国家安全厅) is the regional branch of the Chinese Ministry of State Security (MSS) responsible for national security and secret policing in Hubei province of central China. Founded in 1993, it is headquartered in the provincial capital of Wuhan, with subordinate offices in cities and towns across the province.

The department is best known for operating the advanced persistent threat (APT) group designated APT31.

History

The Hubei State Security Department was established on November 29, 1993, after the province was included among the localities approved by the Central Committee of the Communist Party and the State Council to receive a dedicated unit during the fourth and, to date, final round of major expansions of the MSS. Among the dignitaries in attendance for the department's inaugural meeting were Jia Chunwang, then–Minister of State Security; and Guan Guangfu, Secretary of the Provincial Party Committee.[1]

Advanced persistent threat

The Hubei State Security Department is widely understood to be the operator behind the advanced persistent threat designated APT 31 by Mandiant, also known as Judgment Panda by CrowdStrike, Zirconium or Violet Typhoon by Microsoft, RedBravo by Recorded Future, Bronze Vinewood by SecureWorks, TA412 by Proofpoint, or Red Keres by PricewaterhouseCoopers.[2]

The APT is run directly by the Hubei SSD, likely without much input from MSS headquarters, with the group staffed by intelligence officers of the Hubei SSD as well as outside contractors employed through cutout organizations and front companies. APT31 is known to have successfully executed attacks against targets in the United States[3], United Kingdom[3], France[4], Germany[4], Norway[5], Finland[6], Mongolia[4], Russia[7], and throughout Eastern Europe.[8]

According to the United States, in 2010, the HSSD established Wuhan Xiaoruizhi Science and Technology Company, Limited (Chinese: 武汉晓睿智科技有限责任公司, aka Wuhan XRZ) as a front company to carry out cyber operations. This activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists and their families, as well as persons and companies operating in areas of national importance. In 2018, employees of Wuhan XRZ conducted a cyber operation on a Texas-based energy company, gaining unauthorized access.[3]

Indictments and investigations

United States

In March 2024, the United States and United Kingdom jointly indicted and sanctioned members of the Hubei SSD for a wide range of cyber operations against the two countries.[3]

The U.S. Treasury's Office of Foreign Assets Control (OFAC) designated Zhao Guangzong and Ni Gaobin as Specially Designated Nationals. OFAC charged that, as a contractor for Wuhan XRZ, Zhao was behind the 2020 APT31 spear-phishing operation against the United States Naval Academy and the United States Naval War College's China Maritime Studies Institute. Zhao is additionally charged with conducting numerous spear-phishing operations against Hong Kong legislators and democracy advocates. Ni Gaobin is charged with assisting Zhao in his most high-profile malicious cyber activities during the period in which Zhao was a contractor at Wuhan XRZ.

The US Department of Justice also unsealed indictments charging Zhao Guangzong, Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), and Xiong Wang (熊旺) for their involvement in malicious operations coordinated by Wuhan XRZ over a span of roughly 14 years. Ending in January 2024, these operations targeted U.S. critical infrastructure, as well as U.S. businesses and politicians, in support of China's foreign intelligence and economic espionage objectives.

United Kingdom

Alongside the US announcement of the indictment, the UK Foreign Office accused the group of targeting the British Parliament, hacking the GCHQ intelligence agency, and breaching systems of the UK's Electoral Commission.[3]

Finland

One day after the US and UK charges, the Finnish Security and Intelligence Service identified APT31 as the actor responsible for the cyber breach of the country's parliament that had been disclosed in March 2021.[6] It also revealed that the National Bureau of Investigation is pursuing charges, including aggravated espionage, against members of the group.[6]

Russia

In August 2022, Moscow-based Positive Technologies attributed a cyberattack on Russian media and energy companies to APT31, based on a range of consistencies between the attack methodology and the software used in similar attacks.[7]

In 2023, Moscow-based Kaspersky assessed that APT31 was capable of exfiltrating data from air-gapped systems.[9]

List of directors

Name | Entered office | Left office | Time in office | Ref.
Deng Fanquan (邓凡全) | Position established | January 14, 2000 | 6 years | [10]
Liu Zhangtang (刘章棠) | January 14, 2000 | March 31, 2006 | 6 years, 2 months | [11]
Zhu Xiaolin (朱小林) | March 31, 2006 | January 13, 2016 | 9 years, 11 months | [12]
Zhang Qikuan (张其宽) | January 13, 2016 | 2018 | 2 years |
Tu Hongjian (涂红剑) | 2018 | Present | Incumbent |

References

  1. ^ 湖北年鉴编辑委员会 [Hubei Yearbook Editorial Committee] (ed.). 湖北年鉴·1994 [Hubei Yearbook 1994]. 武汉 [Wuhan]: 湖北年鉴社 [Hubei Yearbook Press]. 1994: 44. ISSN 1005-2585.
  2. ^ "APT 31, Judgment Panda, Zirconium - Threat Group Cards: A Threat Actor Encyclopedia". Electronic Transactions Development Agency. March 10, 2024. Retrieved 2024-04-11.
  3. ^ a b c d e Gatlan, Sergiu (March 25, 2024). "US sanctions APT31 hackers behind critical infrastructure attacks". BleepingComputer. Retrieved 2024-03-27.
  4. ^ a b c Kuvshinov, Denis; Koloskov, Daniil (August 1, 2021). "APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere". Positive Technologies. Retrieved 2024-04-11.
  5. ^ Cimpanu, Catalin (June 18, 2021). "Norway says Chinese group APT31 is behind catastrophic 2018 government hack". Recorded Future. Retrieved 2024-04-11.
  6. ^ a b c Gatlan, Sergiu (March 26, 2024). "Finland confirms APT31 hackers behind 2021 parliament breach". BleepingComputer. Retrieved 2024-03-27.
  7. ^ a b "Flying in the clouds: APT31 renews its attacks on Russian companies through cloud storage". ptsecurity.com. Retrieved 2024-03-28.
  8. ^ Toulas, Bill (August 1, 2023). "Hackers use new malware to breach air-gapped devices in Eastern Europe". BleepingComputer. Retrieved 2024-04-11.
  9. ^ "Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics". The Hacker News. Retrieved 2024-03-28.
  10. ^ "湖北省人民代表大会常务委员会" [Appointment and removal list of the Standing Committee of the Ninth People's Congress of Hubei Province]. Hubei Provincial Party Committee. 2006-08-22. Archived from the original on 2020-10-26. Retrieved 2024-04-16.
  11. ^ "The resolution of the Standing Committee of the 10th National People's Congress of Hubei Province". web.archive.org. April 1, 2006. Retrieved 2024-04-14.
  12. ^ "湖北省国家安全厅 - 怪猫的图书资源库" [Hubei State Security Department - Guai Mao's Book Resource Library]. Fudan University. Retrieved 2024-04-05.