Hubei State Security Department Explained

Hubei State Security Department
Native name: 湖北省国家安全厅 (Chinese)
Type: Department
Jurisdiction: Hubei province
Headquarters: No. 180 Xiongchu Boulevard, Wuchang, Wuhan, Hubei
Employees: Classified
Budget: Classified
Director: Tu Hongjian (涂红剑)
Parent agency: Ministry of State Security

The Hubei State Security Department (HSSD) is the regional branch of the Chinese Ministry of State Security (MSS) responsible for national security and secret policing in Hubei province in central China. Founded in 1993, it is headquartered in the provincial capital, Wuhan, with subordinate offices in cities and towns across the province.

The department is best known for operating the cyber-espionage group tracked as Advanced Persistent Threat 31 (APT 31).

History

The Hubei State Security Department was established on November 29, 1993, after Hubei was included among the localities approved by the Central Committee of the Communist Party and the State Council to receive a dedicated unit during the fourth and, to date, final round of major expansions of the MSS. Dignitaries attending the department's inaugural meeting included Jia Chunwang, then Minister of State Security, and Guan Guangfu, Secretary of the Hubei Provincial Party Committee.[1]

Advanced persistent threat

The Hubei State Security Department is widely assessed to be the operator of the intrusion set designated APT 31 by Mandiant. The same activity is tracked as Judgment Panda by CrowdStrike, Zirconium and later Violet Typhoon by Microsoft, RedBravo by Recorded Future, Bronze Vinewood by Secureworks, TA412 by Proofpoint, and Red Keres by PricewaterhouseCoopers.[2]

APT 31 is run directly by the Hubei SSD, likely with little input from MSS headquarters. The group is staffed by Hubei SSD intelligence officers together with outside contractors hired through cutouts and front companies. APT 31 is known to have successfully compromised targets in the United States,[3] the United Kingdom, France,[4] Germany, Norway,[5] Finland, Mongolia, Russia, and across Eastern Europe.[6]

According to the United States, the HSSD established Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) in 2010 as a front company for cyber operations. Through it, the group surveilled U.S. and foreign politicians, foreign-policy experts, academics, journalists, pro-democracy activists and their families, and persons and companies operating in sectors of national importance. In 2018, Wuhan XRZ employees gained unauthorized access to the network of a Texas-based energy company.

Indictments and investigations

United States

In March 2024, the United States and the United Kingdom announced coordinated indictments and sanctions against members and contractors of the Hubei SSD for a wide range of cyber operations against the two countries.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) designated Zhao Guangzong and Ni Gaobin as Specially Designated Nationals. OFAC stated that Zhao, as a contractor for Wuhan XRZ, carried out the 2020 APT 31 spear-phishing operation against the United States Naval Academy and the United States Naval War College's China Maritime Studies Institute, and conducted numerous spear-phishing operations against Hong Kong legislators and democracy advocates. Ni Gaobin was designated for assisting Zhao in his highest-profile malicious cyber activity while Zhao was a Wuhan XRZ contractor.

The U.S. Department of Justice also unsealed an indictment charging Zhao Guangzong, Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, and Xiong Wang for their roles in malicious operations coordinated by Wuhan XRZ over roughly 14 years, ending in January 2024. The operations targeted U.S. critical infrastructure, businesses, and politicians in support of China's foreign-intelligence and economic-espionage objectives.

United Kingdom

Alongside the U.S. announcement, the UK Foreign Office accused the group of targeting the email accounts of British parliamentarians, and, in the same statement, attributed the compromise of the UK Electoral Commission's systems to a China state-affiliated actor.

Finland

One day after the U.S. and UK charges, the Finnish Security and Intelligence Service (Supo) identified APT 31 as the actor behind the breach of the Finnish parliament that had been disclosed in March 2021.[7] Finland's National Bureau of Investigation said it was pursuing charges, including aggravated espionage, against members of the group.

Russia

In August 2022, Moscow-based Positive Technologies attributed a campaign against Russian media and energy companies to APT 31, citing overlaps in tradecraft and tooling with the group's earlier attacks.[8]

In 2023, Moscow-based Kaspersky reported that APT 31 had exfiltrated data from air-gapped systems in Eastern Europe, using malware that propagated over removable drives to bridge the gap.[9]

Facilities

The HSSD shares a headquarters compound with the provincial Public Security Department at 180 Xiongchu Boulevard in the Wuchang District of Wuhan. According to the U.S. Department of Justice, the HSSD also operates from a facility on Bayi Road in the Wuchang District.[10]

List of directors

Name                     | Entered office              | Left office       | Time in office      | Ref
Deng Fanquan (邓凡全)     | Position established (1993) | January 14, 2000  | About 6 years       | [11]
Liu Zhangtang (刘章棠)    | January 14, 2000            | March 31, 2006    | 6 years, 2 months   | [12]
Zhu Xiaolin (朱小林)      | March 31, 2006              | January 13, 2016  | 9 years, 9 months   | [13]
Zhang Qikuan (张其宽)     | January 13, 2016            | 2018              | About 2 years       |
Tu Hongjian (涂红剑)      | 2018                        | Present           | Incumbent           |

References

  1. Hubei Yearbook Editorial Committee (ed.). Hubei Yearbook 1994 (湖北年鉴·1994). Wuhan: Hubei Yearbook Press, 1994, p. 44. ISSN 1005-2585.
  2. "APT 31, Judgment Panda, Zirconium - Threat Group Cards: A Threat Actor Encyclopedia". Electronic Transactions Development Agency, March 10, 2024. Retrieved April 11, 2024. Archived April 19, 2024: https://web.archive.org/web/20240419200253/https://apt.etda.or.th/cgi-bin/showcard.cgi?g=APT%2031,%20Judgment%20Panda,%20Zirconium&n=1
  3. Gatlan, Sergiu. "US sanctions APT 31 hackers behind critical infrastructure attacks". BleepingComputer, March 25, 2024. Retrieved March 27, 2024. Archived March 27, 2024: https://web.archive.org/web/20240327001102/https://www.bleepingcomputer.com/news/security/us-sanctions-apt31-hackers-behind-critical-infrastructure-attacks/
  4. Kuvshinov, Denis; Koloskov, Daniil. "APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere". Positive Technologies, August 1, 2021. Retrieved April 11, 2024. Archived April 19, 2024: https://web.archive.org/web/20240419200253/https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/
  5. Cimpanu, Catalin. "Norway says Chinese group APT 31 is behind catastrophic 2018 government hack". The Record, June 18, 2021. Retrieved April 11, 2024. Archived April 4, 2024: https://web.archive.org/web/20240404215503/https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack
  6. Toulas, Bill. "Hackers use new malware to breach air-gapped devices in Eastern Europe". BleepingComputer, August 1, 2023. Retrieved April 11, 2024. Archived April 19, 2024: https://web.archive.org/web/20240419200252/https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/
  7. Gatlan, Sergiu. "Finland confirms APT 31 hackers behind 2021 parliament breach". BleepingComputer, March 26, 2024. Retrieved March 27, 2024. Archived March 27, 2024: https://web.archive.org/web/20240327232620/https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/
  8. "Flying in the clouds: APT 31 renews its attacks on Russian companies through cloud storage". Positive Technologies (ptsecurity.com). Retrieved March 28, 2024. Archived March 28, 2024: https://web.archive.org/web/20240328172409/https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
  9. "Researchers Shed Light on APT 31's Advanced Backdoors and Data Exfiltration Tactics". The Hacker News, August 2023. Retrieved March 28, 2024. Archived March 28, 2024: https://web.archive.org/web/20240328201719/https://thehackernews.com/2023/08/researchers-shed-light-on-apt31s.html
  10. Peace, Breon. United States v. Ni Gaobin et al. (indictment), January 30, 2024: "4. The Hubei State Security Department ("HSSD") was the provincial foreign intelligence arm of the MSS in Hubei Province, PRC. The HSSD was located on Bayi Road, Wuchang District, in Wuhan, a city in Hubei Province."
  11. Standing Committee of the Hubei Provincial People's Congress (湖北省人民代表大会常务委员会). "Appointment and removal list of the Standing Committee of the Ninth Hubei Provincial People's Congress". August 22, 2006. Retrieved April 16, 2024. Archived October 26, 2020: https://web.archive.org/web/20201026213557/http://www.hppc.gov.cn/2006/0822/1845.html
  12. "Resolution of the Standing Committee of the Tenth Hubei Provincial People's Congress". Sina News, April 1, 2006. Retrieved April 14, 2024. Archived October 26, 2020: https://web.archive.org/web/20201026032742/http://news.sina.com.cn/c/2006-04-01/04448584362s.shtml
  13. "Hubei State Security Department" (湖北省国家安全厅), entry in the Fudan University biographic database (怪猫的图书资源库). Retrieved April 5, 2024. Archived April 5, 2024: https://web.archive.org/web/20240405194558/http://biographicdb.fudan.edu.cn/bookstore/Units/Details/5c789747-219f-40df-9885-7b046f2e8205