In an article on June 30, the Financial Times said that Chinese university graduates are being recruited to unknowingly work for Beijing’s state-backed hacking group APT40.
The news outlet found that China-based firm Hainan Xiandun Technology Development Company Limited has been offering translation jobs for English-capable graduates from public universities in Hainan and Sichuan provinces, in addition to Xi’an city.
The firm, referred to as Hainan Xiandun for short, did not explain the nature of the job’s responsibilities. But the recruiting process showed it was not simply looking for translators.
Candidates were asked to interpret highly complex research documents extracted from U.S. government agencies. They were also required to investigate profiles of persons from research institutions, such as Johns Hopkins University.
Applicant Zhang said the process became strange when the recruiter asked him to use software that can breach China’s Great Firewall to research the individual he was given. The recruiter forewarned that the process would include visiting blocked websites like Facebook, which calls for the use of a VPN. A VPN is a program that hides the user’s location.
Dakota Cary, an expert in Chinese cyber espionage and former security analyst at Georgetown University, commented, “The fact that you’re going to have to use a VPN, that you will need to be doing your own research and you need good language skills, all say to me that these students will be identifying hacking targets.”
Many students who applied to Hainan Xiandun received awards from their schools for their proficiency in the language. Some also had the added recognition of being party members.
A 2021 U.S. federal indictment stated that Hainan Xiandun served as a front for the Chinese hacking group APT40. The group has been accused of working on behalf of China’s Ministry of State Security. It is known for infiltrating colleges, businesses, and government organizations throughout the U.S., Canada, Europe, and the Middle East.
The Financial Times’ report echoed one released by Intrusion Truth in January this year. The research group found that Hainan Xiandun was also seeking translators from overseas, such as Cambodians and Indonesians.
Citing a report by FireEye, Intrusion Truth pointed out that the dates when the job adverts were issued coincidentally came just weeks before APT40’s activities related to Cambodia’s general elections.
The group wrote, “APT40 conducted a series of compromises of Cambodian targets in the run up to the July 2018 Cambodian election. … Between March and April 2018 Hainan Xiandun, a front company with specialist network and penetration engineers, was recruiting Cambodian linguists.”