DOJ: Chinese Hackers Targeted COVID-19 Vaccine Research
2 Indicted for Theft of a Broad Range of Intellectual Property in US and Elsewhere
The U.S. Department of Justice has charged two Chinese nationals with hacking into the computer systems of hundreds of organizations in the U.S. and abroad to steal intellectual property. Prosecutors say the suspects' activities included probing for vulnerabilities in systems at companies developing COVID-19 vaccines, treatments and testing technologies.
The U.S. does not have an extradition agreement with China, so it's unlikely the pair, who live in China, will face trial on the charges.
The Tuesday announcement of the indictment comes on the heels of a July 16 joint advisory from authorities in the U.S., U.K. and Canada warning that the Russian hacker gang Cozy Bear - or APT20 - targeted research organizations involved with COVID-19 vaccine development (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research).
The Justice Department said a federal grand jury in Spokane, Washington, returned an indictment earlier this month charging the pair of Chinese defendants with hacking into the computer systems of hundreds of companies and other organizations and governments, as well as individual dissidents, clergy and human rights activists in the U.S. and elsewhere, including Hong Kong and China.
The defendants sometimes acted for their own personal financial gain, and in other cases, for the benefit of China's Ministry of State Security or other Chinese government agencies, U.S. prosecutors say. The hackers stole terabytes of data, posing a sophisticated and prolific threat to U.S. networks, prosecutors allege.
The July 7 11-count indictment alleges that Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies at a Chinese electrical engineering college and conducted a hacking campaign that lasted more than 10 years.
The duo allegedly targeted companies in the U.S., Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the United Kingdom.
Companies were targeted in a variety of sectors, including high-tech manufacturing; medical devices; civil and industrial engineering; business, educational and gaming software; solar energy; pharmaceuticals; and defense, prosecutors say.
Massive Theft Alleged
The indictment alleges that the pair "stole hundreds of millions of dollars' worth of trade secrets, intellectual property and other valuable business information."
In at least one instance, the hackers sought to extort cryptocurrency by threatening to release the victim's stolen source code on the internet, prosecutors say. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology and treatments, the DOJ alleges.
"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being 'on call' to work for the benefit of the state, here to feed the Chinese Communist party's insatiable hunger for American and other non-Chinese companies' hard-earned intellectual property, including COVID-19 research," said John Demers, assistant attorney general for the DOJ's National Security Division.
The hacking campaign was first discovered on computers of the Department of Energy's Hanford site in eastern Washington, prosecutors say.
"The computer systems of many businesses, individuals and agencies throughout the United States and worldwide have been hacked and compromised with a huge array of sensitive and valuable trade secrets, technologies, data, and personal information being stolen," prosecutors allege.
The indictment says that to gain initial access to networks, the accused hackers primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites and software collaboration programs.
"In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability. The defendants also targeted insecure default configurations in common applications," the Justice Department alleges.
The hackers allegedly used their initial unauthorized access to place malicious web shell programs - for example, the "China Chopper" web shell - and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers, the indictment says.
To conceal the theft of information from victim networks and evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files, according to prosecutors. They allegedly changed the files' and victim documents' names and extensions - for example, from ".rar" to ".jpg" - as well as system timestamps, and they concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks' "recycle bins."
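The evasion steps the indictment describes - RAR archives renamed to ".jpg", altered timestamps, and files parked in recycle bins - each leave an indicator a defender can look for. The following is an added example written for this article, not code from the DOJ, the FBI or any victim organization: it classifies files by their leading bytes rather than their extension, flags anything whose content is a RAR archive but whose name says otherwise, notes files living under a recycle bin folder, and applies a weak timestomping heuristic. The sample directory tree it scans is constructed inline (the SID-style folder name and file names are made up), so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# File-type signatures (magic bytes). The RAR values are the documented
# RAR 4.x and RAR 5.x archive headers; the JPEG value is the SOI marker.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
JPEG_MAGIC = b"\xff\xd8\xff"

# Folder names Windows has used for the recycle bin across versions
RECYCLE_BIN_NAMES = ("$recycle.bin", "recycler", "recycled")


def sniff_type(header: bytes) -> str:
    """Classify a file by its leading bytes rather than its extension."""
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "rar"
    if header.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def check_file(path: Path, root: Path) -> list[str]:
    """Return the list of indicators that apply to one file (empty if none)."""
    findings = []
    with open(path, "rb") as f:
        header = f.read(16)
    actual = sniff_type(header)
    ext = path.suffix.lower()
    if actual == "rar" and ext != ".rar":
        findings.append(f"extension mismatch: {ext or '(none)'} but RAR header")
    parts = {p.lower() for p in path.relative_to(root).parts}
    if parts & set(RECYCLE_BIN_NAMES):
        findings.append("stored under a recycle bin folder")
    # Timestomping heuristic: tools that overwrite timestamps often write whole
    # seconds, so a zero sub-second component is worth noting. Weak signal:
    # filesystems without sub-second resolution trigger it for every file.
    if os.stat(path).st_mtime_ns % 1_000_000_000 == 0:
        findings.append("mtime has zero sub-second component (possible timestomp)")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and collect findings keyed by path relative to root."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file():
            findings = check_file(p, root)
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (not real victim data): a genuine JPEG, a RAR
    archive renamed to .jpg, and a renamed RAR parked in a recycle bin folder."""
    photos = root / "photos"
    photos.mkdir(parents=True)
    (photos / "holiday.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 32)
    (photos / "IMG_2031.jpg").write_bytes(RAR5_MAGIC + b"\x00" * 32)
    bin_dir = root / "$Recycle.Bin" / "S-1-5-21-1000"  # SID folder name is made up
    bin_dir.mkdir(parents=True)
    (bin_dir / "report.jpg").write_bytes(RAR4_MAGIC + b"\x00" * 32)
    (bin_dir / "notes.txt").write_bytes(b"plain text, nothing hidden")
    # Give the disguised archive a whole-second timestamp, as a timestomping tool would
    os.utime(bin_dir / "report.jpg", ns=(1_577_836_800_000_000_000,) * 2)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, findings in demo().items():
        print(rel_path)
        for finding in findings:
            print("  -", finding)
```

Run on a real share the same way by calling scan_tree on its root; the extension/magic mismatch is the strongest of the three signals, the recycle-bin location is useful context, and the whole-second timestamp check should only be read together with the other two.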
"The defendants frequently returned to re-victimize companies, government entities and organizations from which they had previously stolen data, in some cases years after the initial successful data theft," DOJ states. "In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders."
The alleged hackers are charged with conspiring to steal trade secrets from at least eight victims. Those trade secrets included technology designs, manufacturing processes, test mechanisms and results, source code, and pharmaceutical chemical structures, according to the indictment.
"Such information would give competitors a market edge by providing insight into proprietary business plans and savings on research and development costs in creating competing products," the Justice Department says.
The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit theft of trade secrets, which carries a maximum 10-year prison sentence; one count of conspiracy to commit wire fraud, with a maximum 20-year prison sentence; one count of unauthorized access of a computer, with a five-year maximum sentence; and seven counts of aggravated identity theft, which each carry a mandatory sentence of two non-consecutive years in prison.