The US government today announced indictments against two Chinese nationals for allegedly stealing intellectual property and confidential information — including COVID-19-related research data — from hundreds of companies worldwide, both for financial gain and on behalf of China's spy agency.
In a press conference announcing the indictments Tuesday, US Justice Department officials used unusually blunt language to accuse the Chinese government of allegedly providing safe harbor for such individuals in return for helping the state. "China is using cyber-enabled theft as part of a global campaign to 'rob, replicate and replace' non-Chinese companies in the global marketplace," Assistant Attorney General John Demers said in a press release from the DoJ.
"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state," he said. Demers described today's indictments as the first ever the US has issued where the defendants have been charged with criminal hacking both for their own gain and on behalf of a government.
Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of hacking into computer systems belonging to companies in industries that are of strategic importance to Beijing's "Made in China 2025" initiative. The list includes organizations in high-tech manufacturing, pharmaceuticals, defense, medical devices, and the solar energy sectors across multiple countries, including the United States, Germany, Japan, Spain, the United Kingdom, and Australia.
Beginning in at least 2009 and continuing until today, Li and Dong are alleged to have stolen hundreds of millions of dollars worth of trade secrets and other proprietary data from these companies. The data would have given rivals valuable insight into the work going on at the victim organizations while also saving them substantial research and development costs, the DoJ said.
The data that the pair is alleged to have stolen includes military secrets, weapons design, and testing data from defense contractors, source code from software companies, research on drugs under development, and personal identity information. Recently, Li and Dong also have been attempting to steal data from organizations that are developing COVID-19 vaccines or are involved in COVID-19 testing products and treatments.
The two individuals face long prison sentences if convicted on all charges, but the chances of that ever happening are dim. "The indictments of foreign state actors are part of a name-and-shame process that the United States government uses to let countries know that they are aware of this kind of activity," says Charles Ragland, security engineer at Digital Shadows. "It is unlikely that many of these individuals will ever be extradited or stand trial in the United States to receive a punishment. Due to this, indictments as a deterrent are probably not very effective."
According to the indictment, Li and Dong typically gained initial access to a victim's network by probing for and exploiting vulnerabilities in commonly used web server software, web application development suites, and collaboration software, as well as weak or default configuration settings. In at least a few cases, Li and Dong were able to exploit newly disclosed vulnerabilities before a targeted organization had an opportunity to patch the issue.
They have then used the initial access to drop difficult-to-discover web shells — with innocuous-sounding names — on the compromised network for remotely executing malicious commands. One web shell the pair has used frequently is called "China Chopper" — a tool commonly used by other China-based hackers to remotely control multiple systems on a compromised network.
In addition to web shells, Li and Dong also have typically deployed malware for stealing credentials, which they have then used to escalate privileges and burrow themselves deeper in a victim network. Their tactic for extracting information from a network has included changing extensions and names on stolen documents and files and storing them in compressed fashion in unexpected locations, such as a computer's recycle bin, the indictment said. Often, the two hackers retargeted victims from whom they had previously stolen data, but they usually were unsuccessful in these attempts.
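The staging technique described above (stolen files compressed, renamed with a misleading extension, and parked somewhere like the recycle bin) is a detection opportunity, because the file's magic bytes still identify it as an archive regardless of its name. The following is an added defender-side example, not code from the indictment or from any vendor mentioned here; the directory tree and file names it scans are constructed samples.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of common archive formats; the extension can be changed, these cannot.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
# Extensions under which an archive is expected; anything else is a mismatch.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tgz"}


def sniff_archive(path):
    """Return the archive type implied by the file header, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_disguised_archives(root):
    """Walk root and report files that are archives but carry a non-archive extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = sniff_archive(p)
            if kind and p.suffix.lower() not in ARCHIVE_EXTS:
                findings.append((str(p), kind))
    return findings


def build_sample_tree():
    """Constructed sample: a recycle-bin-like folder with two disguised archives and two benign files."""
    root = tempfile.mkdtemp()
    stage = Path(root) / "$Recycle.Bin" / "S-1-5-21-EXAMPLE"  # hypothetical SID folder
    stage.mkdir(parents=True)
    (stage / "thumbs.db").write_bytes(b"PK\x03\x04" + b"\x00" * 60)      # ZIP hiding as .db
    (stage / "driver.log").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)  # RAR hiding as .log
    (stage / "report.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 60)     # archive with honest name
    (stage / "notes.txt").write_bytes(b"plain text, nothing to see")
    return root


if __name__ == "__main__":
    for path, kind in find_disguised_archives(build_sample_tree()):
        print(f"disguised {kind} archive: {path}")
```

Point it at a real recycle bin or temp directory to triage staging locations; pair the hit list with file timestamps to correlate with web-shell activity.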
The latest indictments continue the US strategy of putting pressure on China by publicly identifying individuals and groups it believes are working for the government and for its Ministry of State Security. Earlier this year, the DoJ handed down similar indictments against four members of China's People's Liberation Army for their alleged role in the Equifax breach in May 2017. In May 2019, the government similarly charged a Chinese national on charges related to a 2015 breach at health insurer Anthem.
Of course, China is not the only government that the US has accused of sponsoring malicious cyber activity or of endangering national security. In recent years, the Justice Department has accused Russia, Iran, and North Korea of backing similar cyber-espionage campaigns. It has indicted numerous individuals and groups from these countries and in some cases has been able to prosecute them as well.
"China has a long history of economic espionage, and these allegations are yet another example," Digital Shadows' Ragland says. "By stealing proprietary information, Chinese-owned companies can reduce their research and development overhead and produce competitive products for a fraction of the price."
Last year, research by security vendor CrowdStrike showed how the theft of IP and trade secrets from numerous companies around the world helped China accelerate development of its first domestically built commercial airplane.
Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group, says the pattern the DoJ described today about Li and Dong working both for their own gain and for their government sponsors is consistent with what the company has seen. According to Read, though Li and Dong's activity is not linked to any publicly known group, Mandiant has been tracking their activities internally and has notified customers of the threat.
He says it's unclear how such threat actors interact with government. "We don't know the precise mechanism by which the groups interact with the government; we just see some operations resulting in financial gain and some in information that is not financially valuable, but would be of high interest to a sponsor government."