Two Chinese hackers have been indicted today by the US Department of Justice (DOJ) for a prolific, 11-year global campaign that allegedly saw them steal software source code, weapons design material and pharmaceutical intellectual property.
Between September 2009 and July 2020, the two allegedly stole “terabytes” of sensitive data. Among their most recent alleged victims: an unnamed UK “Artificial Intelligence and cancer research firm”, referred to in the indictment as “Victim 25”.
The 11-count indictment alleges that LI Xiaoyu (李啸宇), 34, and DONG Jiazhi (董家志), 33, hacked companies across a range of technology industries in the UK, US, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea and Sweden.
The two, who went to the same college, exploited known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs.
They then used a wide range of variants of the “China Chopper” web shell to turn compromised web servers into gateways into the victims’ networks, packaged stolen data into compressed RAR archives that they renamed with a .jpg extension, and parked those files in the victims’ recycle bins to await exfiltration, according to the DOJ indictment published today.
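The staging pattern described above, archives given an image extension and parked in the Recycle Bin, is one that a content check catches where an extension filter does not. The block below is an added example, not code from the DOJ, the indictment or this article: it compares the leading bytes of every image-extension file under a directory tree against known RAR, ZIP, 7z and gzip signatures, generalising the RAR-as-.jpg case in the text to other archive formats. The directory layout, the SID-named folder and the file contents are constructed for the demonstration.

```python
"""Flag files whose extension says 'image' but whose header says 'archive'.

Added example for this article; not code from the indictment or the DOJ.
It generalises the tradecraft described above (RAR archives renamed to
.jpg and parked in the Recycle Bin) to a magic-byte check over any
directory tree. The directory, file names and contents below are
constructed for the demonstration.
"""
import tempfile
from pathlib import Path

# Archive signatures (first bytes of the file). RAR4 and RAR5 differ only
# after the common 6-byte prefix "Rar!\x1a\x07", so match on that prefix.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

# What a file carrying one of these extensions is supposed to start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

HEADER_LEN = 16  # enough to cover every signature above


def classify(path: Path):
    """Return (extension, archive_kind_or_None, header_matches_extension)."""
    ext = path.suffix.lower()
    with open(path, "rb") as f:
        head = f.read(HEADER_LEN)
    archive = next((k for m, k in ARCHIVE_MAGIC.items() if head.startswith(m)), None)
    expected = IMAGE_MAGIC.get(ext)
    header_ok = expected is None or any(head.startswith(m) for m in expected)
    return ext, archive, header_ok


def find_disguised_archives(root):
    """Walk `root`; return (path, archive_kind) for image-extension files
    whose content is actually an archive."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in IMAGE_MAGIC:
            continue
        _, archive, header_ok = classify(p)
        if archive is not None and not header_ok:
            hits.append((str(p), archive))
    return sorted(hits)


def disguised_by_name(root):
    """Same scan keyed by file name; convenient for reporting."""
    return {Path(p).name: kind for p, kind in find_disguised_archives(root)}


def build_sample_tree():
    """Constructed sample: a Recycle-Bin-like folder with benign and staged files."""
    root = Path(tempfile.mkdtemp(prefix="recycle_demo_"))
    bin_dir = root / "$Recycle.Bin" / "S-1-5-21-111-222-333-1001"  # hypothetical SID
    bin_dir.mkdir(parents=True)
    # Genuine JPEG: SOI marker followed by padding.
    (bin_dir / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # RAR4 archive renamed to .jpg: the tradecraft described in the indictment.
    (bin_dir / "IMG_0042.jpg").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
    # RAR5 archive renamed to .jpeg.
    (bin_dir / "scan.jpeg").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)
    # ZIP renamed to .png: caught by the same check.
    (bin_dir / "logo.png").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    # A RAR that keeps its real extension is not an extension mismatch.
    (bin_dir / "data.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, kind in find_disguised_archives(demo_root):
        print(f"{kind.upper()} archive disguised with an image extension: {path}")
```

Pointed at a live `$Recycle.Bin` or a web server's upload directory, a header/extension mismatch is a triage lead rather than proof: some legitimate tooling mislabels files, so pair the hit with the file's timestamps and the web server's access logs before acting on it.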
(The indictment is the latest sign that western intelligence services are being increasingly organised and bullish in conducting counter-intelligence work that can lead to detailed, highly public indictments with the potential for political impact. The DOJ thanked the NSA and FBI for leading the investigation).
US, Partners “will not stand idly by to this threat”
“Today’s indictment demonstrates the serious consequences the Chinese MSS and its proxies will face if they continue to deploy malicious cyber tactics to either steal what they cannot create or silence what they do not want to hear,” said FBI Deputy Director David Bowdich. “Cybercrimes directed by the Chinese government’s intelligence services… seriously undermine China’s desire to become a respected leader in world affairs. The FBI and our international partners will not stand idly by to this threat, and we are committed to holding the Chinese government accountable.”
“The cybercrime hacking occurring here was first discovered on computers of the Department of Energy’s Hanford Site in Eastern Washington” the DOJ said.
“The computer systems of many businesses, individuals and agencies throughout the United States and worldwide have been hacked and compromised with a huge array of sensitive and valuable trade secrets, technologies, data, and personal information being stolen. The hackers operated from China both for their own gain and with the assistance and for the benefit of the Chinese government’s Ministry of State Security.”
Ben Read, Senior Manager of Analysis, Mandiant Threat Intelligence, noted: “This indictment shows the extremely high value that all governments, including China, place on COVID-19-related information. It is a fundamental threat to all governments around the world and we expect information relating to treatments and vaccines to be targeted by multiple cyber espionage sponsors.”
He added: “The Chinese government has long relied on contractors to conduct cyber intrusions. Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations. The pattern described in the indictment, where the contractors conducted some operations on behalf of their government sponsors while others were for their own profit, is consistent with what we have seen from other China-nexus groups such as APT41.”
Banner image shows the Guangzhou facility the two allegedly worked from. Credit: DOJ