Prosecutors Charge Yin Kecheng in 2024 Treasury Department Hack
In a significant development concerning cybercrime, U.S. federal authorities have moved to seize digital infrastructure linked to two Shanghai-based hackers alleged to operate on behalf of the Chinese government, specifically under the guise of a group known as "Silk Typhoon." This action follows their purported involvement in a breach of the Department of Treasury in late 2024.
Yin Kecheng, one of the hackers named, is at the center of this indictment alongside Zhou Shuai, also known as "Coldface." As the two face multiple charges, the indictments come in tandem with an array of government sanctions, including a reward of up to $2 million for information leading to their arrest. The judicially sanctioned seizure encompassed four domains associated with phishing attacks and virtual private servers utilized for creating a VPN, underscoring the sophistication of their operation.
The investigation revealed that Yin’s server contained "Phishlets," the configuration files that tell Evilginx, a tool attackers use as a reverse proxy between victim and legitimate site, which login pages to mimic and which credentials and two-factor authentication responses to intercept. Evidence established that they employed a subdomain from one of the seized domains to conduct phishing operations. The sanctions Treasury had already imposed on Yin highlight his past activity targeting the Department’s own systems, affecting the offices that enforce sanctions and evaluate foreign investments against national security threats.
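The paragraph above describes the adversary-in-the-middle technique Evilginx implements: the victim's browser talks to a lookalike domain, and the proxy relays the real site's login flow so that both the password and the second-factor response pass through it. The following added example (constructed for this page, not code from the article or from Evilginx) shows, from the defender's side, why the outcome depends on the kind of second factor in use. A relayed one-time code has no notion of where it was typed and is accepted; an origin-bound WebAuthn-style assertion carries the origin the browser was really connected to inside the signed data, so the relying party rejects it. The origins, the `Authenticator` class and the HMAC-in-place-of-public-key signature are all simplifications assumed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the demo (not real infrastructure).
RP_ORIGIN = "https://login.example.gov"         # the legitimate service
PHISH_ORIGIN = "https://login.example-gov.net"  # lookalike served by the proxy


class Authenticator:
    """Stand-in for a FIDO2/WebAuthn authenticator (assumed simplification).

    A real key signs with a per-site private key; an HMAC over the client
    data plays that role here. The property that matters is that the signed
    client data carries the origin the *browser* is actually connected to,
    which the user cannot override and a proxy cannot rewrite without
    invalidating the signature.
    """

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


def verify_assertion(auth, issued_challenge, assertion):
    """Relying-party checks: challenge, then origin, then signature."""
    data = json.loads(assertion["client_data"])
    if data["challenge"] != issued_challenge:
        return "rejected: challenge mismatch"
    if data["origin"] != RP_ORIGIN:
        return "rejected: origin mismatch"
    expected = hmac.new(auth.secret, assertion["client_data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "rejected: bad signature"
    return "accepted"


def verify_totp(issued_code, submitted_code):
    """A one-time code has no notion of origin, so whoever holds it can submit it."""
    if hmac.compare_digest(issued_code, submitted_code):
        return "accepted"
    return "rejected: wrong code"


def direct_login(auth):
    """Normal flow: the browser is on the legitimate origin."""
    challenge = secrets.token_hex(16)
    assertion = auth.sign(challenge, RP_ORIGIN)
    return verify_assertion(auth, challenge, assertion)


def proxied_login(auth):
    """AiTM flow: the victim's browser is on the lookalike domain and the
    proxy relays the challenge and the assertion verbatim."""
    challenge = secrets.token_hex(16)              # RP issues the challenge to the proxy
    relayed_challenge = challenge                  # proxy passes it to the victim unchanged
    assertion = auth.sign(relayed_challenge, PHISH_ORIGIN)  # browser reports its true origin
    return verify_assertion(auth, challenge, assertion)     # proxy forwards it to the RP


def proxied_totp_login():
    """Same relay, but the second factor is a one-time code read from an app."""
    code = "%06d" % secrets.randbelow(10**6)  # constructed code the victim types in
    relayed = code                           # proxy forwards it inside the validity window
    return verify_totp(code, relayed)


if __name__ == "__main__":
    key = Authenticator()
    print("direct WebAuthn login :", direct_login(key))
    print("proxied WebAuthn login:", proxied_login(key))
    print("proxied TOTP login    :", proxied_totp_login())
```

The check that matters is the second one in `verify_assertion`: the relying party compares the origin embedded in the signed client data with its own origin and refuses anything else, which is exactly the comparison a one-time code cannot offer. For detection, the same property suggests looking for successful sign-ins whose second factor was a relayed code rather than an origin-bound credential, and for new or rare domains appearing as the referrer of the identity provider's login endpoint.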
Both Yin and Zhou are accused of being integral members of a threat group tracked under various aliases, including APT27 and UNC 5221. According to prosecutors, their operations reflect a broader trend of state-sponsored cyber activity, revealing China’s reliance on contractors to execute these sophisticated attacks. In February 2024, documents leaked from a different contracting firm depicted the operational tactics employed, including pricing for penetrating foreign networks.
Yin’s previous communications with associates indicated a financial motivation behind his cyber activities, demonstrating that profit often drives these attacks. The FBI reported that in 2013, Yin expressed a desire to target U.S. military assets with the hope of reaping financial rewards. Zhou has been linked to the hacking landscape since at least 2007, and both he and Yin were indicted in 2023 on multiple charges for a series of breaches, including stealing sensitive military designs.
The methods employed by both hackers align with various tactics identified in the MITRE ATT&CK Framework. Potentially applicable tactics include "Initial Access," facilitated through phishing techniques; "Persistence," achieved via the deployment of compromised infrastructure; and "Credential Access," as evidenced by the use of Evilginx. The breadth of their activities signifies the ongoing threat posed by nation-state actors that leverage cyber capabilities for economic and political advantage.
With the ongoing scrutiny on their operations and the legal proceedings moving forward, this case exemplifies the increasing intersection of international cyber relations and national security, as well as the commitment of U.S. authorities to counteract and deter such incursions into its digital infrastructure. The implications of these indictments are significant, as they expose vulnerabilities within both governmental and private sectors to state-sponsored cyber threats.