The Department of Justice announced charges against two Chinese hackers who, among other things, targeted companies developing COVID-19 vaccines, testing technology and treatments. “The campaign targeted intellectual property and confidential business information held by the private sector, including COVID-19-related treatment, testing, and vaccines,” Assistant Attorney General John C. Demers said. Their hacking campaign lasted more than ten years and targeted companies in countries with high technology industries, including the US, Australia, the UK, Belgium, Germany, Japan, and South Korea. The DOJ has brought 11 charges against them.

The campaign was discovered when the hackers targeted the Department of Energy’s Hanford Site in Eastern Washington, US Attorney William D. Hyslop for the Eastern District of Washington said.

Who are the hackers? The two hackers — Li Xiaoyu and Dong Jiazhi — worked with the Guangdong State Security Department (GSSD) of the Ministry of State Security (MSS) — China’s intelligence, security and secret police agency.

Why did they hack? As per the DOJ, the two hackers at times acted for their own personal financial gain, and at times for the benefit of MSS and other Chinese government agencies. The nature of the material stolen indicates that the hacking was state-driven, Raymond Duda, special agent in charge of the FBI’s Seattle division, said.

What did they steal? “The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks.” The hackers also provided MSS with personal data on certain targets, including passwords for email accounts of Chinese dissidents, including a Hong Kong protestor and a former Tiananmen Square protestor.

Whom did they target? Demers said that the intrusions targeted industries that were outlined in China’s ten-year plan — Made in China 2025 — that seeks to leverage advanced technology manufacturing industries for development. Of the 10 industries identified in the plan, eight were targeted, he said.

  • The hackers targeted computers of “hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States and abroad, including Hong Kong and China”.
  • Targeted industries included high tech manufacturing, medical device, civil, and industrial engineering; business, educational, and gaming software, solar energy, pharmaceuticals, and defence.
  • The indictment included a list of 25 unnamed companies including: a Maryland technology and manufacturing firm, a Massachusetts pharmaceutical company, a California pharmaceutical company, a Massachusetts medical device engineering company, a Virginia defence contractor.
  • Apart from targeting companies conducting COVID-19 research, they threatened to release the source code of a victim entity on the internet if they weren’t paid in cryptocurrency.

What was their modus operandi? The hackers exploited:

  • Publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs. In many cases, the hackers exploited the newly-announced vulnerabilities before users had installed patches for them. (This is reminiscent of the MO in the cyberattack on Australia.)
  • Insecure default configurations in common applications.

Using their unauthorized access, the hackers placed “malicious web shell programs”, like China Chopper, and credential-stealing software on victim networks to remotely execute commands.

To conceal the theft of information and evade detection, the hackers usually packaged the stolen data in encrypted RAR files, changed their names, extensions and timestamps, and concealed them in innocuous locations on the victim networks and their recycle bins.
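The renaming-and-staging trick described above is exactly what extension-based scanning misses. As an added illustration (not from the indictment or any named tool), the following Python script identifies RAR archives by their file-header signature regardless of what the file is called, and separately flags archives parked under Windows recycle-bin folders; the sample directory tree it builds is constructed for the demo, and the folder names in STAGING_DIRS are an assumption about where such staging would be looked for.

```python
import os
import tempfile
from pathlib import Path

# RAR 4.x and RAR 5.x file-header signatures; the name on disk can say anything.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
RAR_EXTENSIONS = {".rar", ".r00", ".r01"}
STAGING_DIRS = {"$recycle.bin", "recycler"}  # assumed recycle-bin folder names on Windows

def is_rar_by_signature(path):
    """True if the file begins with a RAR header, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return any(head.startswith(m) for m in RAR_MAGICS)

def find_disguised_rars(root):
    """Walk root; return (path, reason) for RAR content hiding behind a
    non-archive extension or parked inside a recycle-bin directory."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        in_bin = any(p.lower() in STAGING_DIRS for p in Path(dirpath).parts)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_rar_by_signature(full):
                continue
            ext = Path(name).suffix.lower()
            if ext not in RAR_EXTENSIONS:
                hits.append((full, "rar-behind-extension-" + (ext or "none")))
            elif in_bin:
                hits.append((full, "rar-in-recycle-bin"))
    return hits

def run_demo():
    """Constructed sample tree (not real victim data); returns {basename: reason}."""
    base = tempfile.mkdtemp()
    samples = {  # path -> bytes; zero padding stands in for an archive body
        "$Recycle.Bin/S-1-5-21-0/invoice.rar": RAR_MAGICS[1] + b"\x00" * 16,
        "ProgramData/logs/update.log": RAR_MAGICS[0] + b"\x00" * 16,
        "ProgramData/logs/readme.txt": b"plain text, not an archive\n",
        "Users/bob/Downloads/backup.rar": RAR_MAGICS[0] + b"\x00" * 16,
    }
    for rel, data in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): r for p, r in find_disguised_rars(base)}
```

Only the renamed archive and the one staged in the recycle bin are reported; an ordinary .rar in a user's Downloads folder is left alone, which keeps the check usable as a periodic sweep rather than a noise source.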

They often returned to re-victimise victims, even years after successful thefts.

Chinese government was stealing intellectual property, claims DOJ

Demers called this hacking campaign an example of two “concerning” trends related to China:

  1. China’s global campaign that uses cybercrime to “rob, replicate, and replace” non-Chinese companies in the global marketplace.
  2. China provides a safe haven for “criminals” who hack partly for their own personal gain and partly out of a willingness to help the Chinese state.

This safe haven, Demers said, feeds “the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research”.

This is not the first time that the United States has accused China of wanting to steal its intellectual property. In December 2018, the DOJ had announced criminal indictments against two hackers, associated with the MSS, for a massive hacking campaign that sought to steal trade secrets and technologies.

In an interview with CNN-News18, former American National Security Advisor John Bolton had said that China has not behaved responsibly in the World Trade Organisation (WTO) and continues to steal intellectual property. Earlier, White House adviser Peter Navarro had said that TikTok and other apps developed by Chinese-owned companies are obligated to share information with the Communist Party of China and “agencies which want to steal our intellectual property”.

Not the first DOJ indictment against Chinese nationals

In January 2020, a federal grand jury in Atlanta had indicted four Chinese military personnel for hacking into the credit reporting agency Equifax between at least May and June 2017 and for stealing Americans’ personal data and Equifax’s trade secrets. According to the DOJ and the FBI, the four men are members of the 54th Research Institute of the People’s Liberation Army (PLA), that is, the Chinese armed forces.

China may be behind other cyber attacks as well

In June, Australian Prime Minister Scott Morrison had announced that a “sophisticated state-based cyber actor” is targeting Australian organisations across a range of sectors, “including all levels of government, industry, political organisation, education, health, essential service providers and operators of other critical infrastructure”. Both government agencies and the private sector were targeted. The scale and nature of the targeting and the “tradecraft” used prove that a “state-based cyber actor” is at work, he said. Although Morrison had not attributed the attack to any particular nation, multiple media reports had suggested that China was behind the attacks, a suggestion that Morrison neither confirmed nor denied during the press conference.

India, too, has been wary of Chinese apps and infrastructure, especially after the Indo-China border clashes in June. A number of Indian politicians and political organisations have long claimed that data from Chinese apps or data routed through servers located in China is shared with the Chinese government.