Full Report
A 59-year-old U.S. citizen who immigrated from the People's Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the PRC and for sharing sensitive information about his employer with China's principal civilian intelligence agency. Ping Li, 59, of Wesley Chapel, Florida, is said to have served as a cooperative contact for the Ministry of State
Analysis Summary
# Threat Actor: Unnamed Individual (Ping Li) / Chinese Intelligence Proxy
## Attribution & Identity
The threat actor is identified as **Ping Li**, a 59-year-old U.S. citizen who immigrated from the People's Republic of China (PRC). Li acted as a **cooperative contact** for the **Ministry of State Security (MSS)**, which is China's principal civilian intelligence agency.
## Activity Summary
Ping Li served as an MSS asset from as early as August 2012 until his conviction in late 2024. His activities, conducted on behalf of the MSS, focused on obtaining sensitive corporate and political information of interest to the Chinese government. He pleaded guilty to conspiring to act as an agent of the PRC without notifying the Attorney General.
## Tactics, Techniques & Procedures
- **Information Gathering/Research:** Conducting research on topics of interest to the PRC.
- **Data Exfiltration:** Transmitting sensitive information to MSS officers using anonymous Gmail and Yahoo! accounts.
- **Insider Threat:** Leveraging employment positions to gain access to corporate data.
- **Social Engineering/Relationship Building:** Befriending MSS officers, one of whom he knew from high school/college in China.
- **No specific MITRE ATT&CK IDs were mentioned.**
## Targeting
- **Sectors:** Telecommunications (Verizon), Information Technology Services (Infosys), Advocacy/NGOs.
- **Geography:** United States (Wesley Chapel, Florida).
- **Victims:** His employers (Verizon and Infosys), Chinese dissidents, pro-democracy advocates, members of the Falun Gong religious movement, and U.S.-based non-governmental organizations. Personally identifiable information regarding U.S. politicians was also targeted.
## Tools & Infrastructure
- **Malware Families Used:** None named in the report. The exfiltrated material was not malware but internal documents: Verizon training applications and cybersecurity training materials related to the SolarWinds cyber attack.
- **Infrastructure (C2, domains, IPs):** No command-and-control servers, domains, or IP addresses are reported; the only infrastructure named is the webmail used to reach MSS officers:
  - Anonymous **Gmail** accounts
  - Anonymous **Yahoo!** accounts
## Implications
This case highlights the MSS's strategy of using "cooperative contacts" (insiders and agents of influence) embedded within critical U.S. infrastructure and advocacy groups for traditional espionage purposes. The focus included proprietary corporate data, security training materials (like those related to SolarWinds responses), and personal data on political dissidents, confirming dual-use espionage objectives (economic and national security).
## Mitigations
- Robust employee vetting and ongoing monitoring, especially for employees with access to sensitive IP or national security information.
- Strong internal controls regarding the handling and transmission of sensitive corporate and cybersecurity training documentation.
- Enhanced monitoring and anomaly detection for the use of personal, anonymous email accounts (Gmail, Yahoo!) for transmitting work-related data.
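The last mitigation above is the one that turns into a concrete detection most directly. The following is an added example, not code from the report or from any organisation it names: it scans web-proxy log lines for uploads to personal webmail services and raises findings when the upload carries a DLP classification label, when a single upload is large, or when a user's cumulative upload volume to webmail exceeds a budget. The log format, field names, the `label` field (which assumes the proxy records a DLP classification tag per request), the thresholds, and the sample log lines are all constructed for the example.

```python
"""Flag transfers of work data to personal webmail from web-proxy logs.

Added example; the log format below is constructed, not a real product's.
Each line: <timestamp> <user> <src_ip> <method> <host> <bytes_out> <dlp_label>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Personal webmail services singled out in the mitigation (Gmail, Yahoo!).
WEBMAIL_DOMAINS = {"mail.google.com", "mail.yahoo.com"}
MIB = 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<bytes_out>\d+)\s+(?P<label>\S+)$"
)

# Constructed sample log: one user posts labeled internal content to Gmail
# twice; another makes one large unlabeled upload to Yahoo!; the rest is noise.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z jdoe   10.1.4.22 GET  mail.google.com        1024    none
2024-03-01T09:13:47Z jdoe   10.1.4.22 POST mail.google.com        2097152 internal
2024-03-01T09:15:10Z asmith 10.1.4.31 POST mail.yahoo.com         524288  none
2024-03-01T09:16:00Z jdoe   10.1.4.22 POST mail.google.com        3145728 internal
2024-03-01T09:20:55Z asmith 10.1.4.31 POST sharepoint.corp.example 4194304 internal
2024-03-01T09:25:12Z bkim   10.1.4.40 POST mail.yahoo.com         2048    none
2024-03-01T09:30:00Z asmith 10.1.4.31 POST mail.yahoo.com         1572864 none
"""


@dataclass
class Finding:
    user: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def detect_webmail_exfil(log_text: str, large_upload: int = MIB,
                         user_budget: int = 2 * MIB) -> List[Finding]:
    """Return findings for uploads of work data to personal webmail.

    Rules (thresholds are illustrative):
      labeled-data-to-webmail  (high)   POST to webmail with a DLP label
      large-webmail-upload     (medium) unlabeled POST >= large_upload bytes
      webmail-upload-volume    (medium) user's total POST bytes > user_budget
    A labeled upload that is also large raises only the high-severity rule.
    """
    findings: List[Finding] = []
    per_user_bytes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in WEBMAIL_DOMAINS:
            continue
        if rec["method"] != "POST":
            continue  # reading webmail is not a transfer of work data
        per_user_bytes[rec["user"]] += rec["bytes_out"]
        where = f"{rec['host']} at {rec['ts']} ({rec['bytes_out']} bytes)"
        if rec["label"] != "none":
            findings.append(Finding(rec["user"], "labeled-data-to-webmail",
                                    "high", f"{rec['label']} content posted to {where}"))
        elif rec["bytes_out"] >= large_upload:
            findings.append(Finding(rec["user"], "large-webmail-upload",
                                    "medium", f"large upload to {where}"))
    for user, total in per_user_bytes.items():
        if total > user_budget:
            findings.append(Finding(user, "webmail-upload-volume", "medium",
                                    f"{total} bytes posted to webmail in window"))
    return findings


if __name__ == "__main__":
    for f in detect_webmail_exfil(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.user:8} {f.rule:24} {f.detail}")
```

Run against the sample, the script reports two high findings and one volume finding for `jdoe` and one large-upload finding for `asmith`; `asmith`'s total lands exactly on the 2 MiB budget and so does not trip the strict greater-than volume rule, which is the kind of boundary to decide deliberately when tuning. In a real deployment the DLP label would come from the proxy or CASB rather than the log line, and the per-user budget would be evaluated over a sliding window rather than the whole file.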