Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:55 PM
Connect Directly

US Indicts 2 Chinese Nationals for Stealing IP & Business Secrets, Including COVID-19 Research

Pair working on behalf of themselves and China's Ministry of State Security, Justice Department says.

The US government today announced indictments against two Chinese nationals for allegedly stealing intellectual property and confidential information — including COVID-19-related research data — from hundreds of companies worldwide, both for financial gain and on behalf of China's spy agency.

In a press conference announcing the indictments Tuesday, US Justice Department officials used unusually blunt language to accuse the Chinese government of allegedly providing safe harbor for such individuals in return for helping the state. "China is using cyber-enabled theft as part of a global campaign to 'rob, replicate and replace' non-Chinese companies in the global marketplace," Assistant Attorney General John Demers said in a press release from the DoJ.

"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state," he said. Demers described today's indictments as the first ever the US has issued where the defendants have been charged with criminal hacking both for their own gain and on behalf of a government.

Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of hacking into computer systems belonging to companies in industries that are of strategic importance to Beijing's "Made in China 2025" initiative. The list includes organizations in high-tech manufacturing, pharmaceuticals, defense, medical devices, and the solar energy sectors across multiple countries, including the United States, Germany, Japan, Spain, the United Kingdom, and Australia.

Beginning in at least 2009 and continuing until today, Li and Dong are alleged to have stolen hundreds of millions of dollars worth of trade secrets and other proprietary data from these companies. The data would have given rivals valuable insight into the work going on at the victim organizations while also saving them substantial research and development costs, the DoJ said.

The data that the pair is alleged to have stolen includes military secrets, weapons design, and testing data from defense contractors, source code from software companies, research on drugs under development, and personal identity information. Recently, Li and Dong also have been attempting to steal data from organizations that are developing COVID-19 vaccines or are involved in COVID-19 testing products and treatments.

The two individuals face long prison sentences if convicted on all charges, but the chances of that ever happening are dim. "The indictments of foreign state actors are part of a name-and-shame process that the United States government uses to let countries know that they are aware of this kind of activity," says Charles Ragland, security engineer at Digital Shadows. "It is unlikely that many of these individuals will ever be extradited or stand trial in the United States to receive a punishment. Due to this, indictments as a deterrent are probably not very effective."

Indicting papers show that Li and Dong typically have gained initial access to a victim's network by probing for and exploiting vulnerabilities in commonly used web server software, web application development suites, collaboration software, and weak or default configuration settings, the indictment noted. In at least a few cases, Li and Dong were able to exploit newly disclosed vulnerabilities before a targeted organization had an opportunity to patch the issue.

They have then used the initial access to drop difficult-to-discover web shells — with innocuous sounding names — on the compromised network for remotely executing malicious commands. One web shell the pair has used frequently is called "China Chopper" — a tool commonly used by other China-based hackers to remotely control multiple systems on a compromised network.

In addition to web shells, Li and Dong also have typically deployed malware for stealing credentials, which they have then used to escalate privileges and burrow themselves deeper in a victim network. Their tactic for extracting information from a network has included changing extensions and names on stolen documents and files and storing them in compressed fashion in unexpected locations, such as a computer's recycle bin, the indictment said. Often, the two hackers retargeted victims from whom they had previously stolen data, but they usually were unsuccessful in these attempts.

Mounting Pressure
The latest indictments continue the US strategy of putting pressure on China by publicly identifying individuals and groups it believes are working for the government and for its Ministry of State Security. Earlier this year, the DOJ handed down similar indictments against four members of China's People's Liberation Army for their alleged role in the Equifax breach in May 2017. In May 2019, the government similarly charged a Chinese national on charges related to a 2015 breach at health insurer Anthem.

Of course, China is not the only government that the US has accused of sponsoring malicious cyber activity or of endangering national security. In recent years, the Justice Department has accused Russia, Iran, and North Korea of backing similar cyber-espionage campaigns. It has indicted numerous individuals and groups from these countries and in some cases has been able to prosecute them as well.

"China has a long history of economic espionage, and these allegations are yet another example," Digital Shadows' Ragland says. "By stealing proprietary information, Chinese-owned companies can reduce their research and development overhead and produce competitive products for a fraction of the price."

Last year, research by security vendor CrowdStrike showed how the theft of IP and trade secrets from numerous companies around the world helped China accelerate development of its first domestically built commercial airplane.

Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group, says the pattern the DoJ described today about Li and Dong working both for their own gain and for their government sponsors is consistent with what the company has seen. According to Read, though Li and Dong's activity is not linked to any publicly known group, Mandiant has been tracking their activities internally and has notified customers of the threat.

He says it's unclear how such threat actors interact with government. "We don't know the precise mechanism by which the groups interact with the government, we just see some operations resulting in financial gain and some in information that is not financially valuable, but would be of high interest to a sponsor government."

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/22/2020 | 10:37:06 AM
I get it but still....
I've referenced this in other articles that I understand the importance of making money. But can an event such as a pandemic qualify as grave enough that we instead focus on the sharing of information to get a solution quicker, safer, and more widespread? Why even have a cause to hack IP for COVID 19 Research?

It just shows where our priorities are as a society and its somewhat sickening. 
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.