somartin - Fotolia

US charges Chinese nationals with Covid-19 research hacking

The two hackers allegedly worked with the Chinese Ministry of State Security, targeting intellectual property and confidential business information

Two Chinese nationals, named as Xiaoyu Li and Jiazhi Dong, have been indicted in the US on charges of running a global hacking campaign that targeted intellectual property, including Covid-19 research, on behalf of the Guangdong State Security Department (GSSD) of China’s Ministry of State Security (MSS).

The indictment, which was returned in Spokane, Washington state, earlier in July 2020, alleges that both Li and Dong broke into the IT systems of hundreds of companies, governments, NGOs and individuals including Chinese dissidents, clergy and human rights activists in the US, Hong Kong and China.

The US claims that in some instances, the two – who were trained in computer applications technology at the same university – acted for their own personal gain and in others for the benefit of the MSS and other Chinese agencies.

It says that over the past 10 years they stole terabytes of data, representing a “sophisticated and prolific threat” to US networks, as well as conducting attacks in other countries, including the UK, Australia, Germany, Japan, the Netherlands, South Korea, Spain and Sweden.

Their targets included organisations in high-tech manufacturing, medical technology, civil and industrial engineering, computer software, energy, pharmaceuticals and defence. In recent months, they pivoted to probing for vulnerabilities in the networks of organisations working on Covid-19 treatments and vaccines.

“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” said FBI deputy director David Bowdich.

“Cyber crimes directed by the Chinese government’s intelligence services not only threaten the United States but also every other country that supports fair play, international norms and the rule of law, and it also seriously undermines China’s desire to become a respected leader in world affairs. The FBI and our international partners will not stand idly by to this threat, and we are committed to holding the Chinese government accountable.”

Exploiting vulnerabilities

Li and Dong exploited publicly known, unpatched software vulnerabilities in web server software, web app development suites and collaboration software, as well as insecure default configurations in common applications. Having gained access, they placed malicious web shell programs and credential-stealing software on their target networks, which gave them remote execution capabilities.

To obfuscate their activities, the two typically packaged data in encrypted .rar files, changed the file and victim document names and extensions and timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks or in their “recycle bins”. They frequently returned to the scenes of previous crimes, in some cases years later.

This came to light when intrusions were discovered on systems at the Department of Energy’s Hanford Site, a former nuclear facility in southeast Washington that was instrumental in the development of the atom bombs that the US used to destroy the cities of Hiroshima and Nagasaki.

It went on to produce plutonium for more than 60,000 nuclear weapons, but after it was found to have leaked vast amounts of radioactive materials into the air and the nearby Columbia River, it is now the site of one of the largest nuclear clean-up operations in the world.

The indictment charges them with conspiracy to steal trade secrets, conspiracy to commit computer fraud, conspiracy to commit wire fraud, unauthorised access to a computer and aggravated identity theft.

The widespread publicising of the indictments is another example of a trend towards being more willing to openly attribute blame for cyber crime among western governments, particularly when the activity emanates from hostile governments.

Just last week, the UK government openly accused Russian government-sponsored threat groups of hacking into the systems of organisations working on Covid-19 research, and the publication this week of the long-awaited Russia Report has gone further still, revealing the extent of Russian cyber intrusion into the UK’s domestic affairs.

Read more about nation state cyber crime

John Demers, assistant attorney general for national security, said: “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including Covid-19 research.”

Ben Read, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye, said: “This indictment shows the extremely high value that all governments, including China, place on Covid-19 related information. It is a fundamental threat to all governments around the world and we expect information relating to treatments and vaccines to be targeted by multiple cyber espionage sponsors. Mandiant has tracked this group since at least 2013, the targeting and description of their TTPs is consistent with what we have observed.

“The Chinese government has long relied on contractors to conduct cyber intrusions,” said Read. “Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.

“The pattern described in the indictment where the contractors conducted some operations on behalf of their government sponsors, while others were for their own profit, is consistent with what we have seen from other China-nexus groups such as APT41.”

Read more on Hackers and cybercrime prevention