Language students in China have been duped into translation duties for government spy hacking group APT40, reports Eleanor Olcott and Helen Warrell in the Financial Times. They write:
Chinese university students have been lured to work at a secretive technology company that masked the true nature of their jobs: researching western targets for spying and translating hacked documents as part of Beijing’s industrial-scale intelligence regime.
The Financial Times has identified and contacted 140 potential translators, mostly recent graduates who have studied English at public universities in Hainan, Sichuan and Xi’an. They had responded to job adverts at Hainan Xiandun, a company that was located in the tropical southern island of Hainan.
The application process included translation tests on sensitive documents obtained from US government agencies and instructions to research individuals at Johns Hopkins University, a key intelligence target.
Hainan Xiandun is alleged by a 2021 US federal indictment to have been a cover for the Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities across the US, Canada, Europe and the Middle East, under the orders of China’s Ministry of State Security.
The FBI sought to disrupt the activities of Hainan Xiandun last July by indicting three state security officials in Hainan province — Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin — for their alleged role in establishing the company as a front for state-backed espionage. Another man mentioned in the indictment, Wu Shurong, is believed to be a hacker who helped supervise employees at Hainan Xiandun.
Western intelligence services also seek out prospective spies from universities, with applicants undergoing rigorous vetting and training before joining the likes of the CIA in the US or the UK’s GCHQ signals intelligence agency.
But Chinese graduates targeted by Hainan Xiandun appear to have been unwittingly drawn into a life of espionage. Job adverts from the company were posted on university websites for translators without further explanation of the nature of the work.
An FBI wanted notice. The bureau sought to disrupt the activities of Hainan Xiandun last July by indicting three state security officials in Hainan province — Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin — for their alleged role in establishing the company as a front for state-backed espionage. Another man mentioned in the indictment, Wu Shurong, is believed to be a hacker who helped supervise employees at Hainan Xiandun
This could have life-long consequences, as individuals identified as having co-operated with the MSS through their work for Hainan Xiandun are likely to face difficulty in living and working in western countries, a key motivation for many students who study foreign languages.
The FT contacted all 140 individuals on a leaked list of candidates compiled by security officials in the region to corroborate the authenticity of the applications. Several of those contacted initially confirmed their identities, but ended phone calls after being asked about their links to Hainan Xiandun. A few discussed their experience of the hiring process.
Their applications provide insight into the tactics of APT40, known for targeting biomedical, robotics and maritime research institutions as part of wider efforts to gain knowledge of western industrial strategy and steal sensitive data.
Hacking on that scale requires a huge workforce of English speakers who can help identify hacking targets, cyber technicians who can access adversaries’ systems and intelligence officers to analyse the stolen material.
Zhang, an English language graduate who applied to Hainan Xiandun, told the FT that a recruiter had asked him to go beyond conventional translation duties by researching the Johns Hopkins Applied Physics Laboratory, with instructions to find out information on the institution, including the CVs of the directors on its board, the building’s architecture and details of research contracts it had struck with clients.
The APL, a big recipient of US Department of Defense research funds, is likely to be of significant intelligence interest to Beijing and the individuals who work there prime hacking targets.
The instruction document asked the job candidates to download “software to get behind the Great Firewall”. It warns that the research will involve consulting websites such as Facebook, which is banned in China and so requires a VPN, software that masks the location of the user in order to gain access.
“It was very clear that this was not a translation company,” said Zhang, who decided against continuing with his application.
Dakota Cary, an expert in Chinese cyber espionage and former security analyst at Georgetown University, said the student translators were likely to be helping with researching organisations or individuals who might prove to be fruitful sources of sensitive information.
“The fact that you’re going to have to use a VPN, that you will need to be doing your own research and you need good language skills, all says to me that these students will be identifying hacking targets,” he said.
Cary, who testified earlier this year to the US-China economic and security review commission on Beijing’s cyber capabilities, said the instruction to investigate Johns Hopkins was an indicator of the level of initiative and ability to acquire specialist knowledge that the translators were expected to demonstrate.
One security official in the region said the revelations were evidence that the MSS was using university students as a “recruitment pipeline” for its spying activities.
Antony Blinken, US secretary of state, has previously condemned the MSS for building an “ecosystem of criminal contract hackers” who engage in both state-sponsored activities and financially motivated cyber crime. Blinken added that these hackers cost governments and businesses “billions of dollars” in stolen intellectual property, ransom payments and cyber defences.
Read more here.