Zhou Shuai: A Hacker’s Road to APT27
US-sanctioned, allegedly APT27-associated actor Zhou Shuai represents a group of Chinese elite hackers who have become an important resource for Chinese state cyber operations.
On March 5, 2025, in addition to unsealing the i-SOON indictment, the US Department of the Treasury sanctioned Zhou Shuai (周帅) (a.k.a. Coldface) — a Chinese hacker associated with allegedly state-backed cyber threat group APT27 — and Zhou’s company, Shanghai Heiying Information Technology Company (上海黑英信息技术有限公司). On the same day, the US Department of Justice (US DoJ) unsealed indictments charging Zhou Shuai and Yin Kecheng, his alleged co-conspirator, with malicious cyber activity from 2011 to the present day. Zhou Shuai’s name may be new to many of us. However, in the Chinese hacking world, Zhou Shuai is a renowned hacker who was among the men of the moment: the first-generation Chinese patriotic hackers of the mid-1990s. In his evolution into an allegedly state-sponsored hacker behind APT27, Zhou Shuai exemplifies a cohort of highly skilled Chinese hackers who have become a significant asset for Chinese state cyber operations.
Zhou Shuai: from Founding Member of Green Army to the Organizer of IS Force
The US DoJ’s indictment alleged that Zhou “has acted as a data broker, selling illegally exfiltrated data and access to compromised computer networks” since at least 2018.
In fact, Zhou Shuai has been active in hacking since the late 1990s, according to various Chinese media reports. In March 2005, Zhou was featured in a report titled “Chinese Hacker Genealogy” from People in Focus Weekly (时代人物周报) (PiF Weekly), a reputable weekly magazine based in Beijing in the 2000s. Zhou proudly told the reporter that his history of hacking could be traced back to 1996, when he was in his final year of high school. Zhou hacked a local county government’s online chatroom, earning him a strict warning from local public security officers. Later, after a year in college, Zhou dropped out because he had failed all the required courses other than computer science and English. By that time, Zhou had become a founding member of Green Army (a.k.a. Green Corps, 绿色兵团), the very first Chinese hacktivist group, founded in 1997. Zhou built his prominent hacker reputation by “continuously hacking foreign websites as a way to practice his skills” and became the station lead of “IS Force” (网络力量), a sub-group of the Green Army. In 1999, as the dot-com bubble rose, the Green Army went commercial. In October 1999 it established Shanghai Green Alliance Computer Network Technology Company (上海绿盟计算机网络安全技术有限公司) (the company used the isbase[.]com domain). The Green Army soon disbanded. It is unclear whether or how Zhou was involved in this commercial endeavor.
It is also unclear whether the Green Army’s venture into private enterprise played a role in Zhou’s split from the group. On July 31, 2000, Zhou – still in his early twenties – announced on the IS Force portal that IS Force had become an independent group separate from the Green Army. The group’s slogan was “Internet World – We are the Law.”
Zhou seemed to have held onto the idealistic vision of a non-commercial hacker group.
Zhou Shuai: Hacker Spirit in Mind, but the Commercial World Tempts
Interestingly, though Zhou’s IS Force declared its independence from the Green Army, he could not resist the temptation of going commercial himself. In December 2000, Zhou founded a company with a partner who had the capital to invest, while Zhou contributed his own technical skills as his investment. According to the People in Focus Weekly report, the company was quite profitable at the beginning but soon faced funding problems and closed down.
Natto Team research suggests that Zhou’s first company was most likely Beijing Chuangshi Tengfei Technology Development Co. (北京创世腾飞科技发展有限公司) (Shiteng Company). Shiteng Company was founded on December 12, 2000, and deregistered on April 4, 2002. Company registration information stated that Shiteng Company’s main business was software development. However, the company’s website claimed that it also provided network access services, including satellite high-speed internet access in partnership with Hughes Network Systems in the US and Asia Satellite Corporation (see the screenshot below).

As confirmation of Zhou’s relationship with Shiteng, the company’s website listed its contact person as “coldface,” a known alias of Zhou.

After the Shiteng company shut down, Zhou became “mysterious,” the PiF Weekly report wrote. Zhou was not willing to reveal to the reporter what he was doing. Zhou vaguely mentioned that he had left Beijing and returned to his hometown of Yancheng, Jiangsu Province, at the end of 2003 and started a studio of his own, using his “reputation in the ‘river & lake’ (江湖名声) of the hacker world” to “land network security projects.” Zhou used the Chinese term “jianghu” (江湖) to describe the environment in which he had made his reputation. The term evokes an underworld of criminals, rebels, and vigilantes who live by their own code and right social wrongs. Zhou’s phrasing suggests an admission that he had earned a somewhat idealistic, heroic reputation but was using it for crass material gain.
The dedicated PiF Weekly reporter discovered the website of Zhou’s studio, named “Asia Intelligence Center” (AIC), which “provides strategy consulting, market consulting, and scientific and technological intelligence.” The reporter stated that visitors to the website had to register in order to access more information. The Natto Team was able to locate the AIC website, www.asiaic[.]org, on the Wayback Machine (note: the court-authorized seizure document (case no. 25-sz-13) from the US DoJ mentions the domain name ‘asiaic[.]org’ as well). The AIC web page shown below was archived on July 19, 2003.

Nevertheless, Zhou Shuai, already a “senior” hacker, as the reporter indicated in the 2005 report, had a large group of hackers under his command, including Lion, the founder of the famous “Honker Union” (a.k.a. “the Red Hacker Alliance”, 红客联盟).
So, was Zhou Shuai a man with real hacker spirit who had inspired the first-generation Chinese hackers to hack for justice? Or was he a profit-motivated businessman? This was disputed. In PiF Weekly’s interviews, some hackers said Zhou was a true supporter of hacker organizations, while others said Zhou was “just a businessman.”
Zhou Shuai and his Asia Intelligence Center, Between Black and White: Using Hacking for Business Espionage
Zhou Shuai’s evolution from hacker to businessman seems to have been a process, a continuing exploration of how to apply his hacker skills to market needs, as well as a choice between being a black-hat or a white-hat hacker.
Zhou openly discussed his thoughts about being a black- or white-hat hacker with the Chinese media. Zhou claimed that a hacker group going commercial could choose either a “black” road or a “white” road. For example, according to the PiF article, “doing cyber security services is the ‘white’ road, while the ‘black’ road can be tricky such as [in the case of] his Asia Intelligence Center.” Zhou admitted that his Asia Intelligence Center, although it was an “experiment,” was meant to conduct business espionage: using their own hacking skills on behalf of public- or private-sector clients to access business intelligence on target companies. The AIC website stated that AIC had “a comprehensive intelligence system and an efficient team of professionals,” “helping the government to solve immediate crises,” and “fostering the growth of enterprises.”
Zhou Shuai was not the only one who was fond of the tricky “black” road of commercializing hacker groups for business espionage on behalf of private- or public-sector customers. Wan Tao (万涛), the founder of the China Eagle Union (CEU) hacker group, which famously unleashed DDoS attacks on Japan’s Ministry of Foreign Affairs in 1997 and on the North Atlantic Treaty Organization (NATO) in 1999, also recognized the value of business intelligence, a broad term that can include information on a business that is freely available from public sources. Wan Tao argued that “business intelligence is not necessarily ‘stealing’.” Rather, “the important thing is the ability to analyze (the information).” Wan gave the PiF Weekly reporter an example of the value of such analysis for government clients: he referred to “a foreign organization that had produced an analysis report about his China Eagle Union group” and “provided it to the US government for decision-making purposes.”
According to the Natto Team’s research, Wan’s reference to a “foreign organization” and the China Eagle Union report most likely refers to the May 2002 report “Inside the China Eagle Union Hacker Group” issued by iDefense Inc (iDefense), a company that has been described as “one of the world’s first and most prolific cyber threat intelligence businesses.” The original 2002 report is not publicly accessible, but in a July 2005 update report that the Natto Team has seen, iDefense acknowledged that its original 2002 report on the China Eagle Union (CEU) “received broad attention, including from the CEU itself.”
Zhou Shuai: from Shanghai Heiying to APT27
It is not known how long Zhou Shuai ran the Asia Intelligence Center. The last AIC webpage cached on the Wayback Machine, from August 11, 2015, showed a page named “the Hacker Chronicles” (黑客编年史). The webpage looks like a hacker forum and claims to “provide knowledge on hacker and network security.” However, the Natto Team discovered a LinkedIn profile page identifying Zhou Shuai as Chief Technology Officer of Shanghai Heiying and a director of Asia Intelligence Center from January 2001 to present. It is unclear when that LinkedIn profile was last updated.
In addition, the Natto Team could not track down any publicly available business information about the AIC in various Chinese business registration databases. Since Zhou claimed the center was just an “experiment,” it is likely that the AIC was never registered as a business.
Clearly, Chinese hackers like Zhou Shuai and Wan Tao were inspired to establish threat intelligence companies similar to iDefense. Zhou himself had solid computer skills and had built a good enough reputation to draw many talented people to work for him, as the PiF Weekly report and the US DoJ indictment both showed. In addition, as to Zhou’s technical skills, particularly developing exploits, a Microsoft Threat Intelligence report assesses that Silk Typhoon (a.k.a. APT27), the Zhou Shuai-linked threat group, is “a well-resourced and technically efficient group with the ability to quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices.” Similarly, several Chinese-language rankings of Chinese hackers mention that Zhou is “proficient in various operating systems and able to exploit various vulnerabilities of the systems.”
Given this, it seems that turning the “experiment” into a solid business would be a no-brainer for Zhou. This likely led to the birth in 2010 of Zhou’s Shanghai Heiying Information Technology Company (Shanghai Heiying), which the US Treasury Department described as “a haven for hackers.”
In the meantime, according to the Zhou Shuai LinkedIn profile, Zhou served as Chief Operating Officer of the Shanghai Zhongren Technology Company (上海众人科技公司) from January 2007 to November 2010. However, the Natto Team could not find more information on this company.
According to publicly available business registration information, Shanghai Heiying, established in 2010, is currently in operation with three employees. The Natto Team discovered that Shanghai Heiying registered the domain “www.asiaic[.]net” on February 28, 2018, which was recorded with the company’s business information. It looks as if Zhou did not want to give up his “Asia Intelligence Center” name and chose to use “asiaic” in the domain for Shanghai Heiying. In addition, Shanghai Heiying registered two proprietary software products – AIC Decision-making Engine System and AIC Overseas Credit System – in June 2019. Zhou seems not to have let his “Asia Intelligence Center” experiment go to waste.
The website of Shanghai Heiying, www.asiaic[.]net, displays the company’s slogan, “THE MOST VALUABLE COMMODITY IS INFORMATION,” in extra-large font. It says the mission of the company is to “protect the country (China)’s national security and the privacy of its citizens.”

On the front page of the company website, Zhou Shuai introduces himself as one of the first-generation hackers, a founding member of the Green Corps, and the founder of IS Force. Zhou is obviously very proud of his hacker history.
Setting up Shanghai Heiying in 2010, Zhou Shuai was officially in business. This was also the beginning of APT27’s threat activity, which the US indictment traced back to 2011.
Zhou Shuai and i-SOON: More Than Selling and Buying Data
The US FBI Wanted Poster states that since at least 2018 Zhou Shuai and his employee Yin Kecheng
“Allegedly exploited vulnerabilities in victim networks, conducted reconnaissance once inside those networks, and installed malware, such as PlugX malware, that provided persistent access. The men then allegedly identified and stole data from the compromised networks by exfiltrating it to servers under their control. They also allegedly brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military. Zhou Shuai allegedly sold data stolen by Yin Kecheng through i-SOON, a company whose primary customers included the PRC Ministry of State Security (MSS) and the Ministry of Public Safety (MPS).”
In the February 2024 leak of documents from i-SOON, the Natto Team discovered that the relationship between i-SOON and Zhou Shuai went beyond trading stolen data. i-SOON and Zhou Shuai likely shared employees and worked together on projects. In one chat conversation, i-SOON executives discussed the possibility of merging Zhou Shuai’s team with i-SOON so they could better control the workflow. However, they were afraid that it would be difficult to manage because Zhou might still want to be in charge of his people. i-SOON executives also complained that i-SOON was at a disadvantage in its cooperation with Zhou Shuai because Zhou often could not keep his promises: he would promise to provide “things” but fail to do so, ruining i-SOON’s projects. “Zhou Shuai is just a dealer!” i-SOON’s founder Shutdown said.1
The close ties and interaction between i-SOON executives and Zhou Shuai are one example of a phenomenon in which China’s first-generation patriotic hackers have turned into entrepreneurs and become an important part of China’s state-sponsored cyber activity.
In an October 2008 interview with a Chinese magazine, Zhou Shuai told the reporter that he was the one who “continues his hacker aspirations in the shadows on his own, but as far as he knows, there are no more first-generation hackers like him left.” Evoking the jianghu outlaw world once again, Zhou continued, “most of the Godfathers of hackers have thrown down their swords, picked up their shields, and transformed themselves into network security experts through whitewashed businesses.”
Well, as a popular saying goes: ideals are beautiful, but reality is cruel. (理想很美好,现实很骨感)
A March 5, 2025 FBI public service announcement depicts an even more direct relationship: it reads, "Zhou served for a period of time in i-Soon's Strategic Consulting Division." The FBI's statement may be based on information beyond the publicly available i-SOON leak data.