Treasury Sanctions China Hacker Targeting U.S. Networks
U.S. Treasury Targets Chinese Cyber Actor Zhou Shuai for Critical Infrastructure Attacks
WASHINGTON — In a move to counter cyber threats, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the designation of Zhou Shuai, a Shanghai-based malicious cyber actor and data broker, along with his company, Shanghai Heiying Information Technology Company, Limited (Shanghai Heiying). This action, taken on March 5, 2025, aims to disrupt the illegal acquisition, brokering, and sale of data from sensitive U.S. critical infrastructure networks. Zhou Shuai collaborated with Yin Kecheng, previously sanctioned by the U.S., in these activities.
The designation highlights the ongoing threat posed by malicious cyber actors, particularly those operating from China. The Office of the Director of National Intelligence’s recent Annual Threat Assessment underscores the severity and persistence of these threats to U.S. national security.
Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith, stated, “Today’s action underscores our resolve to hold accountable malicious cyber actors like Zhou who continue to target U.S. government systems, the data of U.S. companies, and our citizens. The United States is committed to disrupting all aspects of this criminal ecosystem leveraging all our available tools and authorities.”
Recent Actions Against Chinese Cyber Criminals
This designation follows a series of recent Treasury actions aimed at combating dangerous cyber activity perpetrated by cybercriminals operating from China. These include:
- The January 17, 2025 designation of Yin Kecheng and Sichuan Juxinhe Network Technology Company, Ltd. for their roles in the Department of the Treasury network compromise and the Salt Typhoon cyber group.
- The January 3, 2025 designation of Integrity Technology Group, Inc. for its role in the Flax Typhoon intrusion set.
- The December 10, 2024 designation of Sichuan Silence Information Technology Company, Ltd. and one of its employees for compromising firewalls.
Department of Justice and State Department Actions
In conjunction with the Treasury’s announcement, the Department of Justice is unsealing indictments charging Yin Kecheng and Zhou Shuai based on their malicious cyber activity. Furthermore, the Department of State is offering a Transnational Organized Crime Rewards Program reward of up to $2,000,000 for information leading to the arrest and/or conviction of Yin Kecheng or Zhou Shuai.
Zhou Shuai: Chinese Hacker and Data Broker
Since at least 2018, Zhou Shuai has operated as a data broker, engaged in selling illegally obtained data and providing access to compromised computer networks. Some of this data was acquired by Yin Kecheng, a known China-backed malicious cyber actor and former Shanghai Heiying employee. Yin Kecheng, sanctioned by OFAC on January 17, 2025, was involved in the 2024 compromise of the Department of the Treasury’s network.
Victims of Yin Kecheng and Zhou Shuai’s partnership include technology companies, a defense industrial base contractor, a communications service provider, an academic health system affiliated with a university, and a government county municipality.
In 2020, Zhou Shuai appeared to be acting on intelligence requirements that targeted entities within the United States, Russia, and Western Europe. The data types of interest included telecommunications data, border crossing data, data on personnel in religious research, data on media industry personnel, and data on public servants. These requirements likely originated from the CCP’s intelligence services. In early 2021, Zhou Shuai brokered the sale of documents stolen from a U.S. cleared defense contractor.
OFAC is designating Zhou Shuai pursuant to Executive Order (E.O.) 13694, as further amended by E.O. 14144 (“E.O. 13694, as further amended”), for being responsible for or complicit in, or having engaged in, directly or indirectly, activities related to gaining or attempting to gain unauthorized access to a computer or network of computers of a U.S. person, the United States, a U.S. ally or partner or a citizen, national, or entity organized under the laws thereof, where such efforts originate from or are directed by persons located, in whole or significant part, outside the United States and are reasonably likely to result in, or have materially contributed to, a notable threat to the national security, foreign policy, or economic health or financial stability of the United States.
Shanghai Heiying: A Haven for Hackers
Zhou Shuai established Shanghai Heiying Information Technology Company, Limited (Shanghai Heiying) in 2010 and remains its majority owner. Shanghai Heiying, a Shanghai-based cybersecurity company, has employed numerous known China-backed malicious cyber actors, including Yin Kecheng.
OFAC is designating Shanghai Heiying pursuant to E.O. 13694, as further amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Zhou Shuai, a person whose property and interests in property are blocked pursuant to E.O. 13694, as further amended.
Sanctions Implications
As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC or exempt, U.S. sanctions generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.
Violations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons. OFAC may impose civil penalties for sanctions violations on a strict liability basis. OFAC’s Economic Sanctions Enforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions. In addition, financial institutions and other persons may risk exposure to sanctions for engaging in certain transactions or activities with designated or otherwise blocked persons.
The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here; to submit a request for removal, click here.
Click here for more information on the individuals and entities designated today.
Okay, I’ve analyzed the provided article “U.S. Treasury Targets Chinese Cyber Actor Zhou Shuai for Critical Infrastructure Attacks” and identified potential areas where additional details could enrich the context and provide a more extensive understanding to the reader. Based on this analysis, I will outline search queries to investigate these areas, focusing on reputable sources like government websites, cybersecurity firms, and news organizations.
I. Specific Technical Details about the Cyber Attacks & Data Brokering
Missing Detail: While the article mentions targeting “sensitive U.S. critical infrastructure networks,” it lacks specifics. What kind of infrastructure was targeted? What methods (e.g., malware, phishing) were used to compromise these networks? What type of data was specifically targeted?
Search Queries:
Zhou Shuai cyber attacks critical infrastructure details
Yin Kecheng Zhou Shuai hacking techniques
Salt Typhoon group TTPs (Tactics, Techniques, and Procedures)
Flax Typhoon intrusion set technical analysis
Shanghai Heiying cybersecurity vulnerabilities
Indicators of compromise (IOCs) Zhou Shuai (Important for technical depth)
"critical infrastructure" OR "industrial control systems" attacks China
II. Deeper Dive into the Victims and Their Meaning
Missing Detail: The article names types of victims (tech companies, defense contractor, etc.) but doesn’t provide specifics or explain the impact of the breaches on these victims. How were technological companies targeted? What kind of data breach was experienced by them? Why were the other victims targeted, and what sensitive information stolen from them made them worth breaching?
Search Queries:
Zhou Shuai victims "defense industrial base"
"academic health system" data breach impact Zhou Shuai
"government county municipality" cyber attack Zhou Shuai
Impact of attacks by Yin Kecheng on technological companies
Impact of attacks by Yin Kecheng on communications service providers
III. The CCP’s Intelligence Services Connection
Missing Detail: The article claims that Zhou Shuai’s 2020 intelligence requirements “likely originated from the CCP’s intelligence services.” This is a meaningful claim; it needs more support. What evidence links Zhou Shuai’s activities to the Chinese government?
Search Queries:
Zhou Shuai CCP intelligence connection evidence
Yin Kecheng ties to Chinese government
APT27 Chinese government (APT27 is mentioned in the DOJ indictment link; explore this connection).
Shanghai Heiying government contracts
Chinese cyber espionage linked to research data
Relationship between data brokers and the CCP
IV. Shanghai Heiying Background and Operations
Missing Detail: More information about Shanghai Heiying’s business is needed. What specific cybersecurity services did it offer? How did it operate as a haven for hackers? Did it have any legitimate clients?
Search Queries:
Shanghai Heiying Information Technology services
Shanghai Heiying client list
Shanghai Heiying cybersecurity offerings
"cybersecurity company" front for hacking China
Company registry information for Shanghai Heiying - this helps understand legitimacy
V. Sanctions Implications – Deeper Dive
Missing Detail: More practical examples of sanction implications. What are the consequences for US citizens doing business with Zhou Shuai? What are the implications for other possible actors involved with Zhou Shuai?
Search Queries:
Sanctions implications for US citizens doing business with Zhou Shuai
Potential sanctions exposure for companies working with Shanghai Heiying
OFAC enforcement actions cybercrime China
Examples of penalties for China related OFAC violations
VI. Annual Threat Assessment – Context
Missing Detail: What specific threats outlined in the Annual Threat Assessment pertain to the case? More clarity helps to contextualise the threat that Zhou Shuai posed.
Search Queries:
Identify key threats mentioned in the Annual Threat Assessment
Review report for alignment to Zhou Shuai case
What specifically does the Annual Threat Assessment say about Chinese cybercrime
VII. Rewards for Justice – Prior Cases
Missing Detail: What prior cases has the Transnational Organized Crime Rewards Program taken action on? What were the motivations and the outcomes of the rewards program?
Search Queries:
List of Transnational Organized Crime Rewards Program prior cases
Motivations, processes, outcomes of Rewards Program
Critically Important Considerations:
- Source Reliability: Prioritize official government sources (Treasury, Justice Department, State Department), reputable cybersecurity firms (e.g., Mandiant, CrowdStrike, FireEye), and established news organizations.
- Date Relevance: Focus on information published around the dates mentioned in the article (2018 onward) to ensure relevance.
- Keyword Variations: Experiment with different keyword combinations to refine search results.
By using these search queries and focusing on reliable sources, you can gather additional information to create a richer and more informative article about the Zhou Shuai case.
