Chinese university students were lured to work in a secret technology company that obscured the true nature of their work: tracking down Western targets to spy on and translate documents hacked under Beijing’s industrial-scale intelligence regime.
The Financial Times identified and contacted 140 potential translators, mostly recent graduates who studied English at public universities in Hainan, Sichuan and Xi’an. They had responded to job offers at Hainan Xiandun, a company located in the southern tropical island of Hainan.
The application process included translation tests on sensitive documents obtained from US government agencies and instructions to search for individuals at Johns Hopkins University, a key intelligence target.
Hainan Xiandun is charged in a 2021 US federal indictment with serving as a cover for Chinese hacking group APT40. Western intelligence agencies have accused APT40 of infiltrating government agencies, companies and universities in the United States, Canada, Europe and the Middle East, under orders from the Chinese Ministry of State Security.
The FBI sought to disrupt Hainan Xiandun’s activities last July by indicting three state security officials in Hainan province – Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin – for their alleged role in establishing the business as a front for state-sponsored espionage. Another man mentioned in the indictment, Wu Shurong, is believed to be a hacker who helped supervise Hainan Xiandun employees.
Western intelligence services also scout would-be spies at universities, with candidates undergoing rigorous vetting and training before joining organizations like the CIA in the US or the signals intelligence agency GCHQ in the UK.
But the Chinese graduates targeted by Hainan Xiandun appear to have been unwittingly drawn into a life of espionage. Company job vacancies were posted on university websites for translators without further explanation of the nature of the work.
This could have lifelong consequences, as those identified as having cooperated with the MSS in their work for Hainan Xiandun are likely to find it difficult to live and work in Western countries, a key motivation for many. students studying foreign languages.
The FT contacted all 140 people on a leaked list of candidates compiled by security officials in the region to corroborate the authenticity of the applications. Several of those contacted initially confirmed their identities, but ended the phone calls after being asked about their ties to Hainan Xiandun. A few spoke about their experience with the hiring process.
Their applications provide insight into the tactics of APT40, known to target biomedical, robotics and maritime research institutions as part of broader efforts to gain knowledge of Western industrial strategy and steal sensitive data.
Hacking on this scale requires a huge workforce of English speakers who can help identify hacking targets, cyber technicians who can access adversaries’ systems, and intelligence operatives to analyze stolen material.
Zhang, an English graduate who applied to Hainan Xiandun, told the FT that a recruiter asked him to go beyond conventional translation tasks by researching the Johns Hopkins Applied Physics Lab, with instructions for finding information about the institution, including the CVs of its board directors, the architecture of the building, and details of research contracts it had with clients.
The PLA, a major recipient of research funds from the US Department of Defense, is likely to be of significant interest to Beijing and the individuals working there are targets for hacking.
The instruction document instructed job applicants to download “software to get behind the Great Firewall.” He warns that the research will involve visiting websites such as Facebook, which is banned in China and therefore requires a VPN, software that hides the user’s location in order to access it.
“It was very clear that this was not a translation company,” said Zhang, who decided not to pursue the application.
Dakota Cary, a Chinese cyber espionage expert and former security analyst at Georgetown University, said student translators were likely to help research organizations or individuals who might prove to be fruitful sources of information. sensitive.
“The fact that you have to use a VPN, that you have to do your own research, and that you need good language skills all tell me that these students will identify hacking targets,” he said.
Cary, who testified earlier this year before the US-China Economic and Security Review Panel on Beijing’s cyber capabilities, said the instruction to investigate Johns Hopkins was an indicator of the level of initiative and the ability to acquire specialized knowledge that translators had to demonstrate. .
A security official in the region said the revelations were proof that the MSS was using university students as a “recruitment channel” for its espionage activities.
Antony Blinken, US Secretary of State, has previously condemned the MSS for creating an “ecosystem of criminal hackers” who engage in both state-sponsored activities and financially motivated cybercrime. Blinken added that these hackers cost governments and corporations “billions of dollars” in stolen intellectual property, ransom payments and cyber defense.
Hainan Xiandun asked candidates to translate a document from the United States Office of Infrastructure Research and Development containing technical explanations on the prevention of corrosion on networks and transport infrastructure. It seemed to test potential employees’ abilities to interpret complex scientific concepts and terminology.
“It was a very strange process,” said Cindy, an English student at a respected Chinese university. “I applied online, then the HR person sent me a very technical translation test.” She decided not to pursue the claim.
Adam Kozy, a former FBI official who most recently worked for cybersecurity firm CrowdStrike, said he hadn’t heard of Western intelligence services conscripting college students without them being given security clearance for collect information.
“MSS does everything very informally and they like the gray areas,” he said. “It’s interesting that they rely on a young student workforce to do a lot of the dirty work that can have these consequences later in life and most likely doesn’t fully explain these potential risks.”
The MSS did not respond to requests for comment.
Hainan Xiandun has solicited applications from university recruitment sites and appears to have a close relationship with Hainan University. The company was registered on the first floor of the university library, which houses the student computer room.
A job posting on the university’s foreign language department website called for applications from English-speaking female students and members of the Communist Party. The ad has been removed since queries from the FT regarding this story.
Several candidate students in Hainan Xiandun had won school prizes for their language skills, and others had the added distinction of being party members.
According to the FBI indictment, MSS agents “coordinated with staff and faculty at universities in Hainan and elsewhere in China” to further their intelligence objectives. Staff from a Hainan-based university also helped support and run Hainan Xiandun as a front company, “including through payroll, benefits and a mailing address,” the deed says. of accusation.
While the FBI has accused the university of helping the MSS identify and recruit hackers and linguists to “penetrate and steal” computer networks, it does not mention the university’s role in the seizure of students to help the cause.
In response to the FT’s findings, Michael Misumi, Chief Information Officer at Johns Hopkins APL, said that “like many technical organizations, the APL “must respond to many cyber threats and take appropriate steps to defend against them. permanence as well as its systems”.
Hainan University did not respond to requests for comment.
The names of the candidates have been changed to protect their identity