Two Chinese hackers working with the Ministry of State Security, and charged by the Justice Department on Tuesday, allegedly ran a more-than-decade-long campaign hacking into the systems of hundreds of companies, governments, NGOs, dissidents, human rights activists and even clergy, nicking intellectual property and proprietary business research and more recently targeting companies developing COVID-19 vaccines, testing and treatments.
The duo, who the DOJ says operated sometimes for their own gain and other times on behalf of the MSS or other Chinese government entities, were indicted on 11 counts by a federal grand jury in Spokane, Wash.
According to the Justice Department, Li Xiaoyu, 34, and Dong Jiazhi, 33, targeted high-tech manufacturing; medical devices, civil and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and the defense industry in countries including the U.S., Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the U.K. They took advantage of the pandemic, much like Russian operatives did, by plying the systems of companies developing COVID-19 vaccines and treatments, the DOJ states.
“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” FBI Deputy Director David Bowdich said in a release. “Cybercrimes directed by the Chinese government’s intelligence services not only threaten the United States but also every other country that supports fair play, international norms, and the rule of law, and it also seriously undermines China’s to become a respected leader in world affairs.”
The hacking scheme was first uncovered on computers belonging to the Department of Energy’s Hanford Site, according to William Hyslop, U.S. Attorney for the Eastern District of Washington, noting that the two men operated out of China. “As the grand jury charged, the computer systems of many businesses, individuals and agencies throughout the United States and worldwide have been hacked and compromised with a huge array of sensitive and valuable trade secrets, technologies, data and personal information being stolen,” he said.
Noting that “the size and scope of this indictment, and the wealth of data taken is staggering” and “much of the focus is on medical and biotech research for obvious reasons,” Tim Bandos, vice president of cybersecurity at Digital Guardian, said “the 10-plus year compendium of attacks belies much bigger and more systemic issues. Whether for vaccines, or economic competitiveness, nation states are continuously looking to plunder our most valuable IP and assets – and not only from creators, but their manufacturing and development supply chains.”
Bandos pointed out that the hackers used some methods that exploited know vulnerabilities in popular software and leveraged credential theft and other commonly used attack techniques. “To that end, it goes without saying that while Zero Days and APTs exist, we first need to address foundational data protection and governance controls which can prevent or at least limit what goes out from a compromised device,” he said.