Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies
Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking U.S. companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government while also hacking organizations for personal financial gain.
Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars.
The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the United Kingdom. The attacks were conducted on companies in many industry sectors, including high-tech manufacturing, medical devices, pharmaceutical, energy, gaming software, and business. The hackers also targeted individual dissidents, clergy, and democratic and human rights activists in the U.S., China, and Hong Kong.
The hackers stole intellectual property and sensitive data and passed the information to the Chinese government. In at least one case, source code was stolen from a company and the hackers attempted to extort money from it, threatening to release the source code on the internet if payment was not made. More recently, the hackers turned their attention to companies developing vaccines, technology, and treatments for COVID-19. A cyberattack on the U.S. Department of Energy’s Hanford Site in Eastern Washington sparked the investigation that led to the indictment.
The hackers exploited unpatched vulnerabilities in popular web server software, software collaboration programs, and web application development suites, and took advantage of insecure default configurations. In many cases, the exploited vulnerabilities were newly disclosed, so patches were not yet available to address the flaws. After gaining access to systems, malicious web shells such as ‘China Chopper’ were deployed, which allowed the hackers to steal credentials, elevate privileges, and execute malicious code. Data exfiltration was hidden by packing data into RAR compressed files and changing the extensions of those files to the more innocuous .jpg. The hackers also changed system timestamps and concealed programs and documents in innocuous locations on victims’ networks, such as recycle bins. In many cases, the hackers left backdoors that allowed them to regain access to victims’ networks and steal further intellectual property and data, often several years after the initial attack.
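One defender-side check that follows from the exfiltration technique described above: an archive renamed to .jpg still begins with the RAR signature bytes, so a sweep comparing file headers against extensions will surface it. This is an added example, not part of the DOJ announcement or any tool it names; the sample files (a genuine JPEG and a RAR archive renamed to .jpg under a Recycle Bin path) are constructed inline in a temporary directory.

```python
"""Flag files whose .jpg extension disagrees with RAR magic bytes in the header.
Added example; sample tree is constructed, not taken from any real incident."""
import os
import tempfile
from pathlib import Path

# Signature bytes that open RAR 4.x and RAR 5.x archives, and a JPEG's SOI marker.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
JPEG_SIGNATURE = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}


def classify(path: Path) -> str:
    """Return 'rar', 'jpeg' or 'unknown' based only on the file's leading bytes."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(RAR_SIGNATURES):
        return "rar"
    if head.startswith(JPEG_SIGNATURE):
        return "jpeg"
    return "unknown"


def find_disguised_archives(root: Path) -> list[str]:
    """Walk root; return relative paths of image-named files whose content is a RAR archive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in IMAGE_EXTENSIONS and classify(p) == "rar":
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one real JPEG, one RAR disguised as .jpg in a Recycle Bin folder."""
    (root / "photos").mkdir(parents=True)
    (root / "photos" / "team.jpg").write_bytes(JPEG_SIGNATURE + b"\xe0" + b"\x00" * 32)
    hidden = root / "$Recycle.Bin" / "S-1-5-21-0000"  # placeholder SID, constructed
    hidden.mkdir(parents=True)
    (hidden / "IMG_0042.jpg").write_bytes(RAR_SIGNATURES[1] + b"\x00" * 32)
    (hidden / "notes.rar").write_bytes(RAR_SIGNATURES[0] + b"\x00" * 32)  # honest extension, not flagged


def demo() -> list[str]:
    """Build the sample tree in a temp dir and return the disguised-archive hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_disguised_archives(root)


if __name__ == "__main__":
    for hit in demo():
        print("extension/content mismatch:", hit)
```

On a real host the same sweep would be pointed at user profiles, temp folders and recycle bins, and a hit is a starting point for triage rather than proof of exfiltration.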
“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney General for National Security John C. Demers.
Charges were filed for conducting attacks on at least eight companies and stealing trade secrets related to manufacturing processes and technology designs, as well as chemical structures, source code, and test results. The information would allow competitors to gain a significant market edge and save millions in research and development costs, allowing them to create competing products.
The DOJ filed an 11-count indictment with a federal grand jury in Spokane, which includes one count of conspiracy to commit fraud, one count of conspiracy to commit theft of trade secrets, one count of conspiracy to commit wire fraud, one count of unauthorized access of a computer, and seven counts of aggravated identity theft. In total, the hackers face a maximum sentence of more than 40 years in prison; however, they are unlikely to be brought to justice, as there is no extradition agreement between the U.S. and China.
“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” said FBI Deputy Director David Bowdich. “Cybercrimes directed by the Chinese government’s intelligence services not only threaten the United States but also every other country that supports fair play, international norms, and the rule of law, and it also seriously undermines China’s desire to become a respected leader in world affairs. The FBI and our international partners will not stand idly by to this threat, and we are committed to holding the Chinese government accountable.”