The U.S. Justice Department has charged two Chinese nationals over their role in a decade-long cyber espionage campaign that targeted hundreds of victims across the globe, among them governments, defense contractors, COVID-19 researchers, non-governmental organizations and human rights activists.
According to the 11-count indictment, the accused, Li Xiaoyu and Dong Jiazhi, operated both for their own profit and on behalf of China's main intelligence service, the Ministry of State Security. The campaign was aimed at companies in countries with high-technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.
“In at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the DoJ said in a press release.
The indictment alleges that the accused gained access to victims’ networks using primarily publicly known vulnerabilities in popular web server software, web application development suites, and software collaboration programs, as well as targeting insecure default configurations in common applications. In some cases they exploited newly disclosed flaws that many users had yet to patch.
Once inside a target network, the hackers planted web shells (notably the China Chopper web shell) and information-stealing tools, giving them remote command execution on victim computers.
“To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from ‘.rar’ to ‘.jpg’) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,’” the DoJ said.
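Renaming an archive's extension does not change its contents, so the staging described above leaves a simple forensic tell: the first bytes of the file still carry the RAR signature. The following hunting script is an added example written for this page, not code from the indictment or the DoJ release. It walks a directory tree, sniffs each file's magic bytes, and reports every RAR archive whose extension claims to be something else. The sample tree it builds (a genuine JPEG, a genuine .rar, a RAR renamed to .jpg, and a RAR dropped into a Recycle Bin-style folder under a random-looking name) is constructed for the demonstration; the directory and file names are illustrative, not taken from the case.

```python
"""Hunt for RAR archives hidden under another file extension.

Added example for this article; not code from the indictment or the DoJ.
Identifies files by their leading magic bytes rather than by extension,
so a RAR renamed to .jpg (or .png, .dat, ...) is still reported.
"""
import os
import tempfile
from pathlib import Path

# RAR signatures: RAR 1.5-4.x archives start with "Rar!\x1a\x07\x00",
# RAR 5 and later with "Rar!\x1a\x07\x01\x00". A baseline JPEG starts with FF D8 FF.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
JPEG_MAGIC = b"\xff\xd8\xff"


def sniff(path):
    """Return the real container type of a file from its header bytes."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def find_disguised_rars(root):
    """Walk `root` and return (path, type) for every RAR whose extension is not .rar.

    Hidden directories such as a Windows $Recycle.Bin are walked like any other,
    which is the point: the indictment describes staging in exactly such places.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            kind = sniff(path)
            if kind.startswith("rar") and path.suffix.lower() != ".rar":
                findings.append((str(path), kind))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data (not real victim files) so the script runs offline.

    photo.jpg      - a genuine JPEG header; must NOT be flagged
    backup.rar     - a genuine RAR5 with the honest extension; must NOT be flagged
    holiday.jpg    - a RAR4 archive renamed to look like a picture; flagged
    $Recycle.Bin/.../$R3X9K2.png - a RAR5 parked in a recycle-bin folder; flagged
    """
    root = Path(tempfile.mkdtemp(prefix="rarhunt_"))
    (root / "photo.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
    (root / "backup.rar").write_bytes(RAR5_MAGIC + b"\x00" * 32)
    (root / "holiday.jpg").write_bytes(RAR4_MAGIC + b"\x00" * 32)
    bin_dir = root / "$Recycle.Bin" / "S-1-5-21-1111"   # hypothetical SID folder
    bin_dir.mkdir(parents=True)
    (bin_dir / "$R3X9K2.png").write_bytes(RAR5_MAGIC + b"\x00" * 32)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, kind in find_disguised_rars(sample_root):
        print(f"{kind.upper():5} archive with non-.rar extension: {path}")
```

Point the scan at web roots, temp directories and Recycle Bin folders rather than a whole volume, and remember the limits: the script confirms only what a file is, not when it got there. Because the indictment also describes altered timestamps, correlate hits with sources the actor cannot rewrite from user space (for example NTFS $MFT change times or file-creation events in your EDR telemetry) rather than trusting the modification times shown by the file system.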
According to the indictment, the hackers stole “hundreds of millions of dollars” worth of trade secrets and intellectual property. It is also alleged that the hackers stole data related to military satellite programs, military wireless networks and high-powered microwave and laser systems from defense contractors.
The indictment did not reveal whether the two hackers obtained information related to COVID-19 research. However, prosecutors said that the hackers “conducted reconnaissance” on several biotech companies known for researching a COVID-19 vaccine.