Hubei State Security Department

The Hubei State Security Department (HSSD; ) is the regional branch of the Chinese Ministry of State Security (MSS) responsible for national security and secret policing in Hubei province of central China. Founded in 1993, it is headquartered in the provincial capital of Wuhan, with subordinate offices in cities and towns across the province.

The department is best known for operating the advanced persistent threat 31 (APT 31).

History
The Hubei State Security Department was established on November 29, 1993, after the province was included among the localities approved by the Central Committee of the Communist Party and the State Council to receive a dedicated unit during the fourth and, to date, final round of major expansions of the MSS. Among the dignitaries in attendance for the department's inaugural meeting were Jia Chunwang, then–Minister of State Security; and Guan Guangfu, Secretary of the Provincial Party Committee.

Advanced persistent threat
The Hubei State Security Department is widely understood to be the operator behind the advanced persistent threat designated APT 31 by Mandiant, also known as Judgment Panda by CrowdStrike, Zirconium or Violet Typhoon by Microsoft, RedBravo by Recorded Future, Bronze Vinewood by SecureWorks, TA412 by Proofpoint, or Red Keres by PricewaterhouseCoopers.

APT 31 is run directly by the Hubei SSD, likely without much input from MSS headquarters, with the group staffed by intelligence officers of the Hubei SSD as well as outside contractors employed through cutout organizations and front companies. APT 31 is known to have successfully executed attacks against targets in the United States, United Kingdom, France, Germany, Norway, Finland, Mongolia, Russia, and throughout Eastern Europe.

According to the United States, in 2010, the HSSD established Wuhan Xiaoruizhi Science and Technology Company, Limited (, aka Wuhan XRZ) as a front company to carry out cyber operations. This activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists and their families, as well as persons and companies operating in areas of national importance. In 2018, employees of Wuhan XRZ conducted a cyber operation on a Texas-based energy company, gaining unauthorized access.

United States
In March 2024, the United States and United Kingdom jointly indicted and sanctioned members of the Hubei SSD for a wide range of cyber operations against the two countries.

The U.S. Treasury's Office of Foreign Asset Control (OFAC) designated Zhao Guangzong and Ni Gaobin as Specially Designated Nationals. OFAC charged that as a contractor for Wuhan XRZ, Zhao was behind the 2020 APT 31 spear phishing operation against the United States Naval Academy and the United States Naval War College’s China Maritime Studies Institute. Additionally, Zhao is charged with conducted numerous spear phishing operations against Hong Kong legislators and democracy advocates. Ni Gaobin is charged with assisting Zhao in his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ.

The US Department of Justice also unsealed indictments charging Zhao Guangzong, Ni Gaobin, Weng Ming , Cheng Feng , Peng Yaowen , Sun Xiaohui , and Xiong Wang for their involvement in malicious operations coordinated by Wuhan XRZ over a span of roughly 14 years. Ending in January 2024, these operations targeted U.S. critical infrastructure, as well as U.S. businesses and politicians, in support of China's foreign intelligence and economic espionage objectives.

United Kingdom
Joining US officials in revealing their public indictment, the UK Foreign Office accused the group of targeting British Parliament, hacking the GCHQ intelligence agency, and breaching systems of the UK's Electoral Commission.

Finland
One day after the US and UK charges, the Finnish Security and Intelligence Service revealed APT 31 as the actor responsible for a cyber breach of the country's parliament disclosed in March 2021. The country revealed that the National Bureau of Investigation is pursuing charges including aggravated espionage against members of the group.

Russia
In August 2022, Moscow-based Positive Technologies attributed a cyberattack on Russian media and energy companies to APT 31 based on a range of consistencies in attack methodology and software used in similar attacks.

In 2023, Moscow's Kaspersky assessed that APT 31 was capable of exfiltrating data from air-gapped systems.

Facilities
The HSSD is based out of the headquarters facility shared with the Ministry of Public Security headquarters for the province at 180 Xiongchu Blvd, in the Wuchang District of Wuhan. According to the U.S. Department of Justice, the HSSD has another facility at Bayi Road in the Wuchang District.