The alleged activities of two Chinese hackers outlined in a federal indictment unsealed Tuesday offer “concrete examples of two concerning trends,” U.S. Assistant Attorney General John Demers said, as U.S.-China relations further soured with the news of the charges.
Though not a new revelation, the first trend is that “China is using cyber-enabled theft as part of a global campaign to 'rob, replicate and replace' non-Chinese companies in the global marketplace,” Demers said. The targets of that campaign are biopharma, medical device and other high-tech industries outlined in the country’s 10-year Made in China 2025 plan.
The second trend is that China is turning a blind eye to criminals who are hacking, in part, for their own personal profit so long as they’re willing to help the state, Demers added.
The details of the 11-count grand jury indictment, which was handed down under seal earlier this month, immediately escalated the tension Tuesday between the U.S. and China, with the Trump administration retaliating for the hacking by giving China 72 hours to close its Houston consulate.
On July 22, China’s Foreign Ministry spokesperson Wang Wenbin called the demand “political provocation” and an “outrageous and unjustified move” that would sabotage China-U.S. relations. “We urge the U.S. to immediately withdraw its erroneous decision, otherwise China will make legitimate and necessary reactions,” he said, warning that China would take “firm countermeasures.”
According to the indictment, Chinese nationals Li Xiaoyu and Dong Jiazhi have conducted a hacking campaign for more than 10 years, both for themselves and for various Chinese government agencies. That campaign targeted companies in the U.S., Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the U.K. – as well as nongovernmental organizations, dissidents, clergy, and democratic and human rights activists in the U.S., China, Hong Kong and elsewhere.
More recently, the hackers allegedly “probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology and treatments,” according to the U.S. Department of Justice (DoJ).
Among those targeted by the hackers was an unnamed Massachusetts biopharma company, which suffered the theft of the chemical structure of anti-infective agents and the engineering processes for those agents. A California biopharma company had the chemical structure of its treatment for a common chronic disease stolen, along with the testing data for the treatment, Demers said.
In addition, Li and Dong allegedly stole source code and algorithms from a Massachusetts medical device engineering company at or about the time the company was trying to protect the data from a Chinese firm it had partnered with to produce device components.
In another instance, Demers said the defendants targeted a Maryland technology and manufacturing firm, obtaining competitive business intelligence – including testing mechanisms and results, product composition, manufacturing processes and supply chain data – that would have revealed to competitors what products the company was planning to bring to market. The “stolen information would have allowed competitors to save on research and development costs and time, thereby providing them a competitive edge in the global marketplace,” Demers said.
For the most part, Li and Dong exploited publicly known software vulnerabilities in popular web server software, web application development suites and software collaboration programs, according to the indictment. In some cases, the vulnerabilities were newly announced, so many companies would not have yet installed patches to correct the problem. Insecure default configurations in common applications also were targeted.
Once the hackers gained access, they placed malicious web shell programs, such as the “China Chopper,” and credential-stealing software on the victim networks, so they could remotely execute commands. To conceal the theft and evade detection, they usually packaged the data in encrypted Roshal Archive Compressed (RAR) files, changing the names, extensions and system timestamps of the RAR files and company documents. They would then conceal the programs and documents at innocuous-seeming locations on the victim networks, including in recycle bins.
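The staging behaviour described above (RAR archives with changed names, extensions and timestamps, hidden in places such as recycle bins) leaves artifacts a defender can hunt for. The following script is an added illustration, not code from the article or the indictment: it walks a directory tree and flags files whose content carries a RAR signature but whose extension says otherwise, archives sitting under recycle-bin style paths, and files whose modification time predates their creation time where the operating system exposes a creation time. The directory markers and the sample files it builds are constructed for the demonstration.

```python
import os
import sys
import tempfile
from pathlib import Path

# RAR 4.x and RAR 5.x archive signatures; checked on content, never on file name.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Constructed list of directory names that correspond to recycle-bin style locations.
SUSPICIOUS_DIR_MARKERS = ("$recycle.bin", "recycler", ".trash")


def is_rar_content(path: Path) -> bool:
    """True if the file begins with a RAR signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return any(head.startswith(sig) for sig in RAR_SIGNATURES)


def in_suspicious_location(path: Path) -> bool:
    """True if any path component matches a recycle-bin style directory name."""
    parts = {p.lower() for p in path.parts}
    return any(marker in parts for marker in SUSPICIOUS_DIR_MARKERS)


def timestamps_inconsistent(mtime: float, birthtime: float, slack: float = 2.0) -> bool:
    """A file cannot be modified before it existed: an mtime earlier than the
    creation time (beyond a small clock slack) is a timestomping indicator."""
    return mtime + slack < birthtime


def birth_time(st: os.stat_result):
    """Creation time where the platform exposes one, else None."""
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if sys.platform.startswith("win"):
        return st.st_ctime  # on Windows st_ctime is the creation time
    return None


def scan_tree(root) -> list:
    """Return a list of {'path', 'reasons'} findings for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            rar = is_rar_content(path)
            if rar and path.suffix.lower() != ".rar":
                reasons.append("rar-content-with-non-rar-extension")
            if rar and in_suspicious_location(path):
                reasons.append("archive-in-recycle-bin")
            st = path.stat()
            bt = birth_time(st)
            if bt is not None and timestamps_inconsistent(st.st_mtime, bt):
                reasons.append("mtime-precedes-creation")
            if reasons:
                findings.append({"path": str(path), "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Construct a throw-away directory with sample files for a demonstration run."""
    root = tempfile.mkdtemp(prefix="rar_hunt_")
    recycle = Path(root) / "$Recycle.Bin" / "S-1-5-21-0000"
    recycle.mkdir(parents=True)
    # Disguised RAR5 archive hidden in the recycle bin under a document extension.
    (recycle / "Q3_report.docx").write_bytes(RAR_SIGNATURES[1] + b"\x00" * 64)
    # Ordinary RAR archive with the correct extension; should not be flagged.
    (Path(root) / "backup.rar").write_bytes(RAR_SIGNATURES[0] + b"\x00" * 64)
    # Genuine .docx (a zip container, "PK" header) for contrast.
    (Path(root) / "notes.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(finding["path"], ", ".join(finding["reasons"]))
```

Point `scan_tree` at a mounted disk image or a live volume to sweep for the same artifacts; the content check is what matters, since the indictment describes the archives being renamed with misleading extensions, and the timestamp check only fires on platforms that report a creation time.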
The thefts were not just one-time occurrences. “The defendants frequently returned to re-victimize companies, government entities and organizations from which they had previously stolen data, in some cases years after the initial successful data theft,” according to the DoJ.
The same day the indictment was unsealed, U.S. House Republican Leader Kevin McCarthy (R-Calif.) introduced the Defend COVID Research from Hackers Act, which would authorize sanctions against foreign hackers, those who sponsor such activities and those who receive or benefit from the stolen data.
“When we have a [COVID-19] vaccine, we will share it with the world, so that every nation can be better equipped in our fight against this virus,” McCarthy said. But, he added, “we refuse to allow our innovation to be exploited by China, Russia or any other hackers. We are going to protect the cure from falling into the wrong hands so that no one can use it as leverage for their own malicious ends.”