Dark Reading is part of the Informa Tech Division of Informa PLC
US Indicts 2 Chinese Nationals for Stealing IP & Business Secrets, Including COVID-19 Research

Pair working on behalf of themselves and China's Ministry of State Security, Justice Department says.

The US government today announced indictments against two Chinese nationals for allegedly stealing intellectual property and confidential information — including COVID-19-related research data — from hundreds of companies worldwide, both for financial gain and on behalf of China's spy agency.

In a press conference announcing the indictments Tuesday, US Justice Department officials used unusually blunt language to accuse the Chinese government of providing safe harbor for such individuals in return for their helping the state. "China is using cyber-enabled theft as part of a global campaign to 'rob, replicate and replace' non-Chinese companies in the global marketplace," Assistant Attorney General John Demers said in a press release from the DoJ.

"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state," he said. Demers described the indictments as the first the US has ever issued in which the defendants are charged with criminal hacking both for their own gain and on behalf of a government.

Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of hacking into computer systems belonging to companies in industries of strategic importance to Beijing's "Made in China 2025" initiative. The targets include organizations in high-tech manufacturing, pharmaceuticals, defense, medical devices, and solar energy across multiple countries, including the United States, Germany, Japan, Spain, the United Kingdom, and Australia.

Beginning in at least 2009 and continuing until today, Li and Dong are alleged to have stolen hundreds of millions of dollars worth of trade secrets and other proprietary data from these companies. The data would have given rivals valuable insight into the work going on at the victim organizations while also saving them substantial research and development costs, the DoJ said.

The data the pair is alleged to have stolen includes military secrets, weapons designs, and testing data from defense contractors; source code from software companies; research on drugs under development; and personal identity information. More recently, according to the indictment, Li and Dong have also attempted to steal data from organizations developing COVID-19 vaccines or working on COVID-19 testing products and treatments.

The two individuals face long prison sentences if convicted on all charges, but the chances of that ever happening are dim. "The indictments of foreign state actors are part of a name-and-shame process that the United States government uses to let countries know that they are aware of this kind of activity," says Charles Ragland, security engineer at Digital Shadows. "It is unlikely that many of these individuals will ever be extradited or stand trial in the United States to receive a punishment. Due to this, indictments as a deterrent are probably not very effective."

According to the indictment, Li and Dong typically gained initial access to a victim's network by probing for and exploiting vulnerabilities in commonly used web server software, web application development suites, and collaboration software, as well as weak or default configuration settings. In at least a few cases, they exploited newly disclosed vulnerabilities before the targeted organization had an opportunity to patch.

Once inside, they dropped hard-to-discover web shells with innocuous-sounding file names on the compromised servers and used them to execute commands remotely. One web shell the pair used frequently is China Chopper, a tool widely used by other China-based intrusion groups to remotely control compromised servers. Its server-side component is a single short line of PHP, ASP, or JSP that evaluates whatever the client sends, which is why it blends in among legitimate files and why a file's name or size alone is not a useful detection signal.

In addition to web shells, Li and Dong typically deployed credential-stealing malware and used the harvested credentials to escalate privileges and move deeper into a victim's network. To get data out, they renamed stolen documents and changed their file extensions, compressed them, and staged the archives in unexpected locations such as the Recycle Bin, the indictment said. The pair often returned to victims from whom they had already stolen data, although these repeat attempts were usually unsuccessful.
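As an added illustration that is not part of the article or the indictment, the following Python 3 script (standard library only; the regexes, file paths and sample contents are assumptions constructed for the example, not signatures taken from any real sample) implements the two checks a defender would want for the tradecraft described in the two paragraphs above: a content-based hunt for request-to-eval web shells, including a China Chopper-style one-liner hiding under a harmless name, and a magic-byte check for archives staged under misleading extensions such as .jpg or .log in the Recycle Bin.

```python
"""
Added example, not code from the Dark Reading article or the indictment.
Two hunts for the tradecraft described above, using only the standard library:

  1. web shell hunt: flag server-side scripts under a web root that pass a
     request parameter straight into an eval/assert/exec sink. The server-side
     half of China Chopper is a single short line (for PHP, roughly
     <?php @eval($_POST['pass']); ?>), so an innocuous file name or a tiny
     file size tells the defender nothing; the content does.
  2. staging hunt: flag files whose extension says "image" or "log" but whose
     leading bytes say ZIP, RAR, 7z or gzip, the renamed-and-compressed
     staging pattern the indictment describes.

The regexes and the sample files are assumptions constructed for this
example, not signatures taken from any real sample.
"""
import os
import re
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

# Request data flowing into a code-execution sink (case-insensitive).
SHELL_PATTERNS = [
    # PHP: eval($_POST[...]), eval(base64_decode($_REQUEST[...])), assert($_GET[...])
    re.compile(rb"(?:eval|assert)\s*\(\s*(?:base64_decode\s*\()?\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # ASP / ASPX: eval request("..."), eval(Request.Item["..."], "unsafe")
    re.compile(rb"eval\s*\(?\s*Request(?:\.Item)?\s*[\[(]", re.I),
    # JSP: Runtime.getRuntime().exec(request.getParameter(...))
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
]

# Leading bytes of common archive formats, checked regardless of extension.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
# Extensions under which archive bytes are expected (Office files are ZIPs).
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tgz", ".jar", ".docx", ".xlsx", ".pptx"}


def is_webshell(data: bytes) -> bool:
    """True if the script body matches a request-to-eval pattern."""
    return any(p.search(data) for p in SHELL_PATTERNS)


def archive_type(data: bytes):
    """Archive format named by the leading bytes, or None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def hunt(root: str, head_bytes: int = 256 * 1024):
    """Walk root; return (kind, path) findings for web shells and disguised archives."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(head_bytes)
            except OSError:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS and is_webshell(head):
                findings.append(("webshell", path))
            if archive_type(head[:8]) and ext not in ARCHIVE_EXTS:
                findings.append(("disguised-archive", path))
    return findings


def build_fixture(base: str) -> None:
    """Write constructed sample files (harmless stand-ins, not real malware)."""
    samples = {
        "htdocs/index.php": b"<?php echo 'hello'; ?>",
        "htdocs/images/logo.php": b"<?php @eval($_POST['pass']); ?>",
        "htdocs/upload/help.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        "$Recycle.Bin/S-1-5-21-1/$R1ABCD.jpg": b"PK\x03\x04" + b"\x00" * 64,
        "users/alice/report.docx": b"PK\x03\x04" + b"\x00" * 64,
        "logs/app.log": b"\x1f\x8b\x08\x00" + b"\x00" * 32,
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> set:
    """Run both hunts over the constructed fixture; return findings as (kind, relative path)."""
    with tempfile.TemporaryDirectory() as base:
        build_fixture(base)
        return {(kind, os.path.relpath(path, base).replace(os.sep, "/"))
                for kind, path in hunt(base)}


if __name__ == "__main__":
    for kind, path in sorted(demo()):
        print(f"{kind:18} {path}")
```

Pointing `hunt()` at a real web root and at the Recycle Bin directories on a file server is the practical use; the expected noise is legitimate Office documents (handled by the extension allow-list) and application frameworks that legitimately evaluate request data, which is why findings are triage leads rather than verdicts.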

Mounting Pressure
The latest indictments continue the US strategy of putting pressure on China by publicly identifying individuals and groups it believes are working for the government and its Ministry of State Security. Earlier this year, the DoJ handed down similar indictments against four members of China's People's Liberation Army for their alleged role in the 2017 Equifax breach. In May 2019, the government indicted a Chinese national on charges related to the 2015 breach at health insurer Anthem.

Of course, China is not the only government that the US has accused of sponsoring malicious cyber activity or of endangering national security. In recent years, the Justice Department has accused Russia, Iran, and North Korea of backing similar cyber-espionage campaigns. It has indicted numerous individuals and groups from these countries and in some cases has been able to prosecute them as well.

"China has a long history of economic espionage, and these allegations are yet another example," Digital Shadows' Ragland says. "By stealing proprietary information, Chinese-owned companies can reduce their research and development overhead and produce competitive products for a fraction of the price."

Last year, research by security vendor CrowdStrike showed how the theft of IP and trade secrets from numerous companies around the world helped China accelerate development of its first domestically built commercial airplane.

Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group, says the pattern the DoJ described, with Li and Dong working both for their own gain and for their government sponsors, is consistent with what the company has seen. According to Read, although Li and Dong's activity is not attributed to any publicly named group, Mandiant has been tracking it internally and has notified customers of the threat.

He says it's unclear how such threat actors interact with government. "We don't know the precise mechanism by which the groups interact with the government, we just see some operations resulting in financial gain and some in information that is not financially valuable, but would be of high interest to a sponsor government."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

7/22/2020 | 10:37:06 AM
I get it but still....
I've referenced this in other articles that I understand the importance of making money. But can an event such as a pandemic qualify as grave enough that we instead focus on the sharing of information to get a solution quicker, safer, and more widespread? Why even have a cause to hack IP for COVID-19 research?

It just shows where our priorities are as a society and it's somewhat sickening.