This past week, the U.S. Department of Justice (DoJ) revealed charges against two Chinese nationals. These charges related to their alleged involvement in a decade-long period of hacking which targeted dissidents, government agencies, and hundreds of organizations in 11 countries.
The 11-count indictment announced on Tuesday alleges that LI Xiaoyu and DONG Jiazhi stole terabytes of sensitive data from companies, including COVID-19 research. The stolen data related to the development of COVID-19 vaccines, testing technology, and treatments. Their goal was to relay this material back to China’s Ministry of State Security, as well as personal financial gain for both hackers. This depicts China as a nation willing to provide a safe haven for criminals in exchange for the stolen intellectual property these hackers provided.
The two individuals, who are currently wanted by the U.S. Federal Bureau of Investigation (FBI), have purportedly been behind a multitude of malicious breaches. They compromised a U.S. Department of Energy network in Hanford, which housed a decommissioned nuclear production complex. This breach was what placed them on the FBI’s radar.
The pair has also been accused of infiltrating the networks of companies in various industries, including the high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors. Their objective was to steal trade secrets and other confidential business information.
Unfortunately, victimized organizations do not include only American ones. Other victim entities are based in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the U.K. The DoJ mentioned that these cyber attacks lasted for over a decade. They started around September of 2009 and continued through July of 2020.
The Hackers Exploited Unpatched Vulnerabilities in Web Applications
The indictment mentions that the hackers initially gained access to the companies by exploiting insecure default configurations or recently disclosed security flaws in unpatched software. After the initial access, the suspects installed credential-stealing software in order to gain deeper access, and leveraged web shells to execute malicious programs. The data were transferred in the form of compressed RAR files. The pair made sure to change their extensions to “.JPG” to create an illusion that the stolen data were innocuous images.
The DoJ stated that the hundreds of gigabytes of stolen data consisted of source code, information about drugs under active development, weapon designs, and personally identifiable information (PII). Additionally, the attackers made use of the Recycle Bin on the targeted Windows systems: it served as the location from which they loaded executables into specific folders and in which they saved the RAR files.
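As an added illustration (not code from the original article, the DoJ, or any named party), the following Python checks for two of the tradecraft signs described above from a defender's side: RAR archives renamed to .JPG, caught by comparing a file's magic bytes against its extension, and archives or executables staged under the Windows Recycle Bin. The sample paths and file headers are constructed for the demonstration.

```python
import os

# Byte signatures from the published RAR and JPEG file formats, plus the PE "MZ" header.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x and RAR 5.x
JPEG_SIGNATURE = b"\xff\xd8\xff"
PE_SIGNATURE = b"MZ"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
RECYCLE_BIN_DIRS = {"$recycle.bin", "recycler"}  # Vista+ and legacy names


def classify(path, header):
    """Return a list of findings for one file, given its path and its first bytes."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    is_rar = header.startswith(RAR_SIGNATURES)
    is_exe = header.startswith(PE_SIGNATURE)
    # A .JPG whose content is actually a RAR archive is the disguise described in the indictment.
    if ext in IMAGE_EXTENSIONS and is_rar:
        findings.append("rar_disguised_as_image")
    elif ext in IMAGE_EXTENSIONS and not header.startswith(JPEG_SIGNATURE):
        findings.append("image_extension_non_jpeg_content")
    # Archives or executables living under the Recycle Bin are unusual and worth review.
    parts = {p.lower() for p in path.replace("\\", "/").split("/")}
    if parts & RECYCLE_BIN_DIRS and (is_rar or is_exe):
        findings.append("archive_or_executable_in_recycle_bin")
    return findings


def read_header(path, size=8):
    """Read the first bytes of a real file so classify() can be used on a live filesystem."""
    with open(path, "rb") as fh:
        return fh.read(size)


def scan_samples(samples):
    """Map each path with at least one finding to its findings; clean files are omitted."""
    return {p: classify(p, h) for p, h in samples.items() if classify(p, h)}


# Constructed inventory: path -> first bytes (hypothetical hosts and SIDs, not real indicators).
SAMPLES = {
    r"C:\Users\alice\Pictures\holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    r"C:\$Recycle.Bin\S-1-5-21-1\$RX1.JPG": b"Rar!\x1a\x07\x01\x00",
    r"C:\Users\bob\Documents\report.JPG": b"Rar!\x1a\x07\x00\xcf",
    r"C:\$Recycle.Bin\S-1-5-21-1\$RY2.exe": b"MZ\x90\x00",
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for path, findings in scan_samples(SAMPLES).items():
        print(path, "->", ", ".join(findings))
```

On a real host, feed `classify(path, read_header(path))` over a directory walk; the magic-byte check is what defeats a simple extension rename.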
The DoJ notes that these hackers have also attempted to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet.
Li and Dong are charged with identity theft, conspiracy to commit wire fraud, theft of trade secrets, and violating anti-hacking laws. This all adds up to a maximum sentence of over 40 years.
This is all the more concerning considering there have been mounting tensions between the U.S. and China over national security concerns. The FBI and Homeland Security had also warned that China was actively trying to steal data from organizations working on COVID-19 research.
Unfortunately, China isn’t the only nation alleged to be stealing coronavirus research. Iran-backed hackers allegedly targeted U.S. drug maker Gilead back in May. Gilead’s antiviral drug remdesivir has been proven to trigger an immune response in patients with COVID-19.
The U.K.’s National Cyber Security Centre (NCSC) disclosed that unnamed companies researching a coronavirus vaccine in the U.S., U.K., and Canada were targeted by hackers linked to Russian intelligence services (APT29 or CozyBear). It’s not clear whether any information was stolen, and Russia has denied these allegations.