US Indicts 2 Chinese Nationals for Stealing IP & Business Secrets, Including COVID-19 Research

Pair working on behalf of themselves and China's Ministry of State Security, Justice Department says.

The US government today announced indictments against two Chinese nationals for allegedly stealing intellectual property and confidential information — including COVID-19-related research data — from hundreds of companies worldwide, both for financial gain and on behalf of China's spy agency.

In a press conference announcing the indictments Tuesday, US Justice Department officials used unusually blunt language to accuse the Chinese government of providing safe harbor for such individuals in return for their help to the state. "China is using cyber-enabled theft as part of a global campaign to 'rob, replicate and replace' non-Chinese companies in the global marketplace," Assistant Attorney General John Demers said in a press release from the DoJ.

"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state," he said. Demers described today's indictments as the first ever the US has issued where the defendants have been charged with criminal hacking both for their own gain and on behalf of a government.

Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of hacking into computer systems belonging to companies in industries that are of strategic importance to Beijing's "Made in China 2025" initiative. The list includes organizations in high-tech manufacturing, pharmaceuticals, defense, medical devices, and the solar energy sectors across multiple countries, including the United States, Germany, Japan, Spain, the United Kingdom, and Australia.

Beginning in at least 2009 and continuing until today, Li and Dong are alleged to have stolen hundreds of millions of dollars worth of trade secrets and other proprietary data from these companies. The data would have given rivals valuable insight into the work going on at the victim organizations while also saving them substantial research and development costs, the DoJ said.

The data that the pair is alleged to have stolen includes military secrets, weapons design, and testing data from defense contractors, source code from software companies, research on drugs under development, and personal identity information. Recently, Li and Dong also have been attempting to steal data from organizations that are developing COVID-19 vaccines or are involved in COVID-19 testing products and treatments.

The two individuals face long prison sentences if convicted on all charges, but the chances of that ever happening are dim. "The indictments of foreign state actors are part of a name-and-shame process that the United States government uses to let countries know that they are aware of this kind of activity," says Charles Ragland, security engineer at Digital Shadows. "It is unlikely that many of these individuals will ever be extradited or stand trial in the United States to receive a punishment. Due to this, indictments as a deterrent are probably not very effective."

According to the indictment, Li and Dong typically gained initial access to a victim's network by probing for and exploiting vulnerabilities in commonly used web server software, web application development suites, and collaboration software, as well as weak or default configuration settings. In at least a few cases, Li and Dong were able to exploit newly disclosed vulnerabilities before a targeted organization had an opportunity to patch the issue.

They have then used the initial access to drop difficult-to-discover web shells — with innocuous-sounding names — on the compromised network for remotely executing malicious commands. One web shell the pair has used frequently is called "China Chopper" — a tool commonly used by other China-based hackers to remotely control multiple systems on a compromised network.

In addition to web shells, Li and Dong also have typically deployed malware for stealing credentials, which they have then used to escalate privileges and burrow deeper into a victim network. Their tactic for extracting information from a network has included changing the extensions and names of stolen documents and files and storing them in compressed form in unexpected locations, such as a computer's recycle bin, the indictment said. Often, the two hackers retargeted victims from whom they had previously stolen data, but they usually were unsuccessful in these attempts.
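The staging tactic described above (archives renamed to look like ordinary documents and parked in a recycle bin) leaves a detectable artifact: the file header no longer matches the file extension. The following is an added example, not code from the article or from any of the parties it describes, showing how a defender can sweep a directory tree for that mismatch. It assumes a small set of archive signatures and expected extensions, and builds a constructed sample tree in a temporary directory; the path names and the "S-1-5-21-EXAMPLE" SID are placeholders, not values from the indictment.

```python
import gzip
import io
import tempfile
import zipfile
from pathlib import Path

# File signatures (magic bytes) of the archive formats we check for.
# Assumption: this short list covers the formats of interest for the sweep.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

# Extensions under which an archive is expected; anything else is a mismatch.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".tgz"}


def detect_archive_type(path):
    """Return the archive format implied by the file header, or None."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    for signature, name in ARCHIVE_SIGNATURES.items():
        if header.startswith(signature):
            return name
    return None


def find_disguised_archives(root):
    """Walk root and report files whose header says 'archive' but whose extension does not."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = detect_archive_type(path)
        if kind and path.suffix.lower() not in ARCHIVE_EXTENSIONS:
            findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory tree (sample data, not real evidence) for the demo."""
    root = Path(root)
    # A zip archive renamed to look like a picture, parked in a fake recycle bin.
    bin_dir = root / "$Recycle.Bin" / "S-1-5-21-EXAMPLE"
    bin_dir.mkdir(parents=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("design.docx", b"constructed sample content")
    (bin_dir / "report.jpg").write_bytes(buf.getvalue())
    # A gzip stream hiding under a .log extension in a log directory.
    logs = root / "logs"
    logs.mkdir()
    (logs / "old.log").write_bytes(gzip.compress(b"constructed sample content"))
    # Benign files: a genuine zip with a matching extension and a genuine JPEG header.
    docs = root / "docs"
    docs.mkdir()
    (docs / "backup.zip").write_bytes(buf.getvalue())
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)


def demo():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_disguised_archives(tmp)


if __name__ == "__main__":
    for relpath, kind in demo():
        print(f"{relpath}: {kind} archive with non-archive extension")
```

The sweep reads only the first eight bytes of each file, so it is cheap to run across user profiles and recycle-bin directories on a schedule; the genuine `backup.zip` and `photo.jpg` in the sample are left alone, while the two renamed archives are reported.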

Mounting Pressure

The latest indictments continue the US strategy of putting pressure on China by publicly identifying individuals and groups it believes are working for the government and for its Ministry of State Security. Earlier this year, the DoJ handed down similar indictments against four members of China's People's Liberation Army for their alleged role in the Equifax breach in May 2017. In May 2019, the government similarly charged a Chinese national in connection with a 2015 breach at health insurer Anthem.

Of course, China is not the only government that the US has accused of sponsoring malicious cyber activity or of endangering national security. In recent years, the Justice Department has accused Russia, Iran, and North Korea of backing similar cyber-espionage campaigns. It has indicted numerous individuals and groups from these countries and in some cases has been able to prosecute them as well.

"China has a long history of economic espionage, and these allegations are yet another example," Digital Shadows' Ragland says. "By stealing proprietary information, Chinese-owned companies can reduce their research and development overhead and produce competitive products for a fraction of the price."

Last year, research by security vendor CrowdStrike showed how the theft of IP and trade secrets from numerous companies around the world helped China accelerate development of its first domestically built commercial airplane.

Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group, says the pattern the DoJ described today about Li and Dong working both for their own gain and for their government sponsors is consistent with what the company has seen. According to Read, though Li and Dong's activity is not linked to any publicly known group, Mandiant has been tracking their activities internally and has notified customers of the threat.

He says it's unclear how such threat actors interact with government. "We don't know the precise mechanism by which the groups interact with the government; we just see some operations resulting in financial gain and some in information that is not financially valuable, but would be of high interest to a sponsor government."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

7/22/2020 | 10:37:06 AM
I get it but still....
I've referenced this in other articles that I understand the importance of making money. But can an event such as a pandemic qualify as grave enough that we instead focus on the sharing of information to get a solution quicker, safer, and more widespread? Why even have a cause to hack IP for COVID-19 research?

It just shows where our priorities are as a society and it's somewhat sickening.