Swedish routers hacked by Chinese state-backed cyber gang to target politicians worldwide

Chinese hackers have been using Swedish routers to send malicious emails, affecting thousands of victims across the world.

Politicians in Sweden, American senators, British members of parliament and European members of the Inter-parliamentary alliance on China (IPAC) are among millions of people to have been affected by Chinese hackers using the routers of Swedish individuals to carry out multiple cyberattacks. Seven people believed to be based in the People’s Republic of China (PRC) have been charged by the US DOJ in connection with the offensive.

The Swedish Security Service (Säpo) has confirmed to Swedish media that Advanced Persistent Threat 31 – APT31, a state-owned Chinese hacker group – has been mounting the attacks.

Säpo says that the hacker group performed extensive attacks between 2020 and 2021, on multiple countries in Europe. Millions of people are believed to have been affected.

Among the Swedish politicians targeted is Elisabet Lann (KD), municipal councillor in the city of Gothenburg and member of IPAC, and member of parliament Joar Forssell (L). Lann said that she received “innocent-looking newsletters” in her e-email account, which were then discovered to be malicious. She called the hack “very personal and nasty”, especially since the hackers seemed to have targeted democratically elected politicians.

“This prolific global hacking operation […] targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets.”

Lisa Monaco, US Deputy Attorney General

Norway and Finland are also said to be affected by the attacks. In Finland extensive cyberattacks were carried out against state authorities in 2020 and 2021. Several e-mail accounts of Finnish parliamentarians were exposed by APT31, and the group also breached the parliament’s IT system.

DOJ charges seven hackers

Last week, the US Department of Justice (DOJ) announced charges against seven hackers associated with APT31 with conspiracy to commit computer intrusions, and conspiracy to commit wire fraud. According to the DOJ, the People’s Republic of China (PRC)-based hacking group spent approximately 14 years targeting victims, businesses, and political officials worldwide in furtherance of the PRC’s economic espionage and foreign intelligence objectives.

The US targets included government officials working in the White House, individuals at the DOJ, Commerce, Treasury, and State, and US Senators and Representatives of both political parties. The victims were targeted on both professional and personal email addresses.

In some cases, spouses of the victims were attacked too, including those of a high-ranking DOJ official, high-ranking White House officials, and multiple US Senators. Campaign staff from the election 2020 were also targeted.

“Over 10,000 malicious emails, impacting thousands of victims, across multiple continents. As alleged […], this prolific global hacking operation – backed by the PRC government – targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets,” said Deputy Attorney General Lisa Monaco.

The DOJ’s charges were brought against:

  • Ni Gaobin (倪高彬), 38;
  • Weng Ming (翁明), 37;
  • Cheng Feng (程锋), 34;
  • Peng Yaowen (彭耀文), 38;
  • Sun Xiaohui (孙小辉), 38;
  • Xiong Wang (熊旺), 35; and
  • Zhao Guangzong (赵光宗), 38.

All seven defendants are believed to reside in the PRC.

“The indictment […] together with statements from our foreign partners regarding related activity, shed further light on the PRC Ministry of State Security’s aggressive cyber espionage and transnational repression activities worldwide,” said Assistant Attorney General Matthew G Olsen of the Justice Department’s National Security Division.

He added that it served to “underscore the need to remain vigilant to cybersecurity threats and the potential for cyber-enabled foreign malign influence efforts, especially as we approach the 2024 election cycle.”

Advanced Persistent Threat 31 – APT31

According to the indictment and court filings, APT31 operates in the PRC, and was part of a cyberespionage program run by the PRC Ministry of State Security (MMS) Hubei State Security Department, located in the city of Wuhan.

Besides the seven defendants, the group also includes dozens of identified PRC MMS intelligence officers, contractor hackers, and support personnel.

Over 10,000 malicious emails hidden tracking links have been sent out by the APT31 since 2010. If a person opened the email, the hackers gained information about the recipient, including:

  • their location;
  • internet protocol (IP) addresses;
  • network schematics; and
  • specific devices used to access pertinent email accounts.

The information was then transmitted to a server, and was used to enable more direct and sophisticated targeted hacking – such as compromising the recipients’ home routers and other electronic devices.