The 2 hackers were also linked to attempts to hack American biotech firms working on a Coronavirus (COVID-19) vaccine.
The US govt. recently laid charges against 2 Chinese hackers for IP theft &/or targeting coronavirus vaccine information.
In an indictment from earlier this month unsealed in the US District Court for the Eastern District of Washington last week, the US Department of Justice charged Li Xiaoyu & Dong Jiazhi for hacking into computers around the world, & stealing terabytes of data.
The indictment alleges the suspects had previously stolen data on human rights activists.
The 2 did not discriminate as to targets. Victims included companies in high tech manufacturing, civil, industrial, & medical device engineering, business, educational & gaming software, solar energy & pharmaceuticals, says the filing. Recently, the 2 had infiltrated international companies working on COVID-19 vaccines.
It is unsurprising that attackers based in China were linked to attacks seeking COVID-19 treatment data. The FBI & the US Cyber-security & Infrastructure Security Agency (CISA) both warned firms in May that APT groups were looking for IP & public health data related to vaccines, treatments, & other COVID-19 related research.
“The Defendants stole 100s of millions of dollars’ worth of trade secrets, intellectual property, & other valuable information,” said the indictment.
While the companies are not named in this indictment, the DOJ claims that it was Xiaoyu in particular who was looking for vulnerabilities at several biotech firms – 1 in Maryland, 1 in Massachusetts, 2 in California.
All companies had previously revealed they were researching potential COVID-19 vaccines. It is unclear if the pair managed to steal anything from these firms – Xiaoyu was performing reconnaissance.
At some other firms, named Victim 1, Victim 2, etc. in the document, the 2 managed to do some damage, compromising networks & stealing data at a prolific rate between 2014 & 2020.
In the US, the pair’s hacking was prolific, stealing just over 2 TB of data from over a dozen companies.
The company hit the hardest, a mechanical engineering company that does business in the US & Japan, was targeted twice, in 2018 & again in March 2020. The hackers made away with proprietary & sensitive data, including drawings & specifications for high-efficiency gas turbines.
Victims also included an education software company, from which the personally identifiable information (PII) of millions of students & teachers was taken; a software company, where source code was taken; & a Virginia-based federal & defence contractor, where the PII of more than 300 employees & contractors, in addition to project files & presentations, was removed.
In the rest of the world, the 2 stole nearly as much, 2414 gigabytes, or 2.4 TB.
They stole 900 gigabytes of data from a Spanish electronics & defence firm, 320 gigabytes, including source code & engineering schematics, from an Australian defence contractor, 142 gigabytes of documents, including source code for products, imaging tools & algorithms for fluid dynamics, belonging to a Belgian engineering software company.
The 2 also made off with source code from a German construction company, & data belonging to gaming companies in Sweden & Lithuania.
While the two stole & sold data for profit, in some situations they provided it to the PRC Government’s Ministry of State Security (MSS). They gave the MSS passwords for Chinese dissidents, for example, & worked with the group to disperse malware.
To get access to companies, they exploited product vulnerabilities, e.g. in web server software, web app development suites, & software collaboration programs, as well as default configurations in apps.
Once in, they placed web shells, e.g. China Chopper, to run remote commands, used credential-stealing programs to harvest passwords, & took data, often staging it via a machine’s recycle bin so the theft would be less obvious. To further cover their tracks, they changed file names & extensions.
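The concealment tactics above (renaming stolen archives with innocuous extensions and parking them in a recycle-bin path) give defenders something concrete to hunt for. The following is an added example written for this page, not code from the indictment or the article: it checks a file's leading bytes against known archive signatures, compares the detected type with the extension the name claims, and flags archives sitting under a recycle-bin style path. The sample file entries, paths and SID fragment are constructed for illustration.

```python
"""Flag stolen-data staging: archives disguised by a false extension, or parked
in a recycle-bin path. Added example; sample files below are constructed."""
from typing import List, Optional, Tuple

# Leading bytes of common archive formats (well-known file signatures).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

# Extensions under which each archive type legitimately appears.
LEGIT_EXT = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "rar": {"rar"},
    "7z": {"7z"},
    "gzip": {"gz", "tgz"},
}

# Path fragments that indicate recycle-bin / trash locations (assumed markers).
STAGING_MARKERS = ("$recycle.bin", "recycler", "recycled", ".trash")


def archive_type(head: bytes) -> Optional[str]:
    """Return the archive kind implied by the file's leading bytes, if any."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def extension_of(path: str) -> str:
    """Lower-cased extension claimed by the file name ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def in_staging_dir(path: str) -> bool:
    """True when the path runs through a recycle-bin style directory."""
    lowered = path.replace("\\", "/").lower()
    return any(marker in lowered for marker in STAGING_MARKERS)


def assess(path: str, head: bytes) -> List[str]:
    """Reasons a file looks like staged exfiltration data (empty if it looks normal)."""
    reasons: List[str] = []
    kind = archive_type(head)
    if kind and extension_of(path) not in LEGIT_EXT[kind]:
        reasons.append(f"{kind} archive disguised as .{extension_of(path) or '(none)'}")
    if kind and in_staging_dir(path):
        reasons.append("archive staged in recycle-bin path")
    return reasons


def find_suspicious(files: List[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Run assess() over (path, leading_bytes) pairs and keep the flagged ones."""
    flagged = []
    for path, head in files:
        reasons = assess(path, head)
        if reasons:
            flagged.append((path, reasons))
    return flagged


# Constructed sample inventory: (path, first bytes of the file).
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("C:/$Recycle.Bin/S-1-5-21-EXAMPLE/photo_0421.jpg", b"PK\x03\x04\x14\x00"),  # zip as .jpg
    ("C:/Users/alice/Documents/report.docx", b"PK\x03\x04\x14\x00"),           # docx is a zip: fine
    ("C:/inetpub/wwwroot/uploads/notes.txt", b"Rar!\x1a\x07\x01\x00"),         # rar as .txt
    ("C:/Users/alice/Pictures/cat.jpg", b"\xff\xd8\xff\xe0"),                 # real JPEG: fine
]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_FILES):
        print(path, "->", "; ".join(reasons))
```

In practice the `(path, head)` pairs would come from walking a file share or endpoint with the first 8 bytes of each file read, and a hit on the recycle-bin rule combined with a mismatched extension is the stronger signal; a lone `.docx` that is a zip is, of course, normal.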
For conspiring to steal trade secrets from at least 8 victims, they are each being charged with 1 count of conspiracy to commit computer fraud, 1 count of conspiracy to commit theft of trade secrets, 1 count of conspiracy to commit wire fraud, 1 count of unauthorised access of a computer, & 7 counts of aggravated identity theft.
This indictment occurred the same week that US senators introduced legislation to counter Chinese actions, including intellectual property theft.
One aim of a US bill introduced last Wed., the Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives Concerning China (Strategic) Act, is to stop China’s theft by exposing “the full scope & scale of intellectual property theft & mass subsidisation of Chinese firms, & the resulting harm to the United States, foreign markets, & the global economy.”