30 July 2020

DOJ says Chinese hackers targeted coronavirus vaccine research

By ERIC GELLER and BETSY WOODRUFF SWAN

Federal prosecutors on Tuesday charged two Chinese men with hacking hundreds of U.S. and foreign companies, nongovernmental organizations and human rights activists, as well as trying to hack three U.S. firms researching the coronavirus, in an escalation of Washington’s war with Beijing over intellectual property theft and espionage.

Beginning in September 2009, the two men, Li Xiaoyu and Dong Jiazhi, stole “hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information,” according to an indictment unsealed in the Eastern District of Washington. Their alleged victims included high-tech manufacturing firms, pharmaceutical companies and the makers of educational software and medical equipment. Victim companies were located in the U.S., Australia, Germany, Japan, South Korea and other countries.

In some cases, the men allegedly acted out of self-interest, in one instance attempting to extort a victim into paying a ransom by threatening to publish their intellectual property. In other cases, prosecutors said, “they were stealing information of obvious interest” to the Chinese government. The hackers “worked with, were assisted by, and operated with the acquiescence of” an officer in China’s Ministry of State Security, according to the indictment.

“China is determined to use every means at its disposal, including the theft of intellectual property from U.S. companies, laboratories and our universities, to degrade the United States’ economic, technological and military advantages,” FBI Deputy Director David Bowdich said at a press conference.


Bowdich said that the scale and scope of Chinese government-directed hacking “is unlike any other threat we’re facing today.”

The hackers allegedly breached defense contractors and stole sensitive military information, prosecutors said, including about military satellite programs and communications systems.

Other operations also showed signs of foreign-policy motivations. Li and Dong allegedly provided their Chinese government contact with the passwords of human rights activists, including a community organizer in Hong Kong and a former Tiananmen Square protester.

In late January and early February, as the coronavirus ravaged China, Li tried to find security vulnerabilities in the networks of biotech firms in Maryland, Massachusetts and California that were studying coronavirus vaccines and treatments, according to the indictment. The hackers also allegedly targeted a California firm producing coronavirus testing kits.

The case epitomizes what senior Trump administration officials have called the “blended threat” — an emerging trend of foreign governments using private hackers as proxies. The U.S. has previously charged Russian, Iranian and North Korean hackers for such operations. This is the first case charging independent Chinese hackers with cyber operations on behalf of Beijing.

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” John Demers, who heads the Justice Department’s National Security Division, said in a statement.

The inclusion of coronavirus-related victims in the latest case comes as U.S. security agencies warn that China is seeking to gain the upper hand in the global race for a vaccine.

Chinese government hackers “have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” the FBI and the DHS Cybersecurity and Infrastructure Security Agency said in a May alert. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

Cyber intrusions into research labs can slow down their critical work, officials say, by forcing scientists to pause vital research, raise the alarm among colleagues and review their data to determine if the hackers tampered with it.

The hackers often breached their targets by exploiting publicly disclosed vulnerabilities in widely used software, according to the indictment. When possible, the two men took advantage of newly announced vulnerabilities before companies had had time to patch them. Targeted systems included web servers and “software collaboration programs,” according to the indictment.

The MSS officer occasionally helped the hackers breach their targets, prosecutors said. In one case, when Li was trying to hack a Burmese human-rights group, the officer allegedly gave him a zero-day exploit — a highly valuable piece of code designed to compromise a previously unknown flaw — for a popular web browser.

After gaining an initial foothold, the men allegedly planted web shells, small programs on the compromised servers that accept further commands from the attackers. They also frequently deployed credential-stealing programs and used the stolen passwords to move laterally into more of their victims’ networks.

To exfiltrate the files undetected, Li and Dong employed a tried-and-true technique: compressing the stolen data into archive files, then changing those archives’ file extensions so that security tools keyed on file names would not flag archives leaving the companies’ networks. Renaming does not alter the archive’s contents, so a control that inspects the first bytes of a file still recognizes it; the trick only defeats controls that trust the extension. In some cases, the two men stashed their malware and stolen files in computers’ recycle bins, an often-overlooked location.
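The two staging tricks described above, renamed archives and files parked in the recycle bin, are both catchable by content rather than by name. The following scanner is an added example written for this page, not code from the article, the indictment or any vendor: it walks a directory tree, identifies archives by their leading bytes (the signature list is an assumption for the example), and flags any archive whose extension does not match its content or which sits under a Windows recycle bin folder. The sample file tree it builds is constructed inline; the SID-style folder name and file names in it are made up.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Archive magic bytes. This list is an assumption for the example; extend it
# to whatever formats matter in your environment.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".gz", ".tgz", ".tar"}
# Directory names Windows has used for the recycle bin, compared case-insensitively.
RECYCLE_BIN_MARKERS = {"$recycle.bin", "recycler", "recycled"}


def identify_archive(header: bytes):
    """Return the archive type the leading bytes identify, or None."""
    for sig, name in ARCHIVE_SIGNATURES.items():
        if header.startswith(sig):
            return name
    return None


def in_recycle_bin(rel_path: Path) -> bool:
    """True if any directory component of the path is a recycle bin folder."""
    return any(part.lower() in RECYCLE_BIN_MARKERS for part in rel_path.parts)


def scan_tree(root):
    """Walk root and report archives that hide behind a foreign extension or sit in a recycle bin.

    Returns a sorted list of (relative POSIX path, archive kind, [reasons]).
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                with open(p, "rb") as f:
                    header = f.read(8)  # longest signature above is 8 bytes
            except OSError:
                continue
            kind = identify_archive(header)
            if kind is None:
                continue  # not an archive by content, whatever the name says
            rel = p.relative_to(root)
            reasons = []
            if p.suffix.lower() not in ARCHIVE_EXTENSIONS:
                reasons.append(f"{kind} content behind {p.suffix or 'no'} extension")
            if in_recycle_bin(rel):
                reasons.append("staged in recycle bin")
            if reasons:
                findings.append((rel.as_posix(), kind, reasons))
    return sorted(findings)


# Constructed sample data: each body is a real format header plus zero padding.
SAMPLE_FILES = {
    "Users/alice/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,       # genuine JPEG header
    "Users/alice/Downloads/report.zip": b"PK\x03\x04" + b"\x00" * 28,             # archive with honest name
    "Users/alice/Pictures/vacation2.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,  # RAR5 renamed to .jpg
    "Windows/Temp/update.tmp": b"PK\x03\x04" + b"\x00" * 28,                      # ZIP renamed to .tmp
    "$Recycle.Bin/S-1-5-21-1004336348-1177238915-682003330-1001/$RABC123.log":
        b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,                                     # 7z hidden in recycle bin
    "$Recycle.Bin/S-1-5-21-1004336348-1177238915-682003330-1001/$RQ1W2E3.zip":
        b"PK\x03\x04" + b"\x00" * 28,                                             # honest name, wrong place
}


def build_sample_tree(root):
    for rel, body in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)


def run_demo():
    """Build the constructed tree in a temporary directory, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="exfil-scan-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, kind, reasons in run_demo():
        print(f"{rel}: {kind}; " + "; ".join(reasons))
```

On the sample tree the scanner ignores the real JPEG and the honestly named ZIP in Downloads, and reports the other four: the two renamed archives and both files under the recycle bin. The same content check is what a network-side control needs as well; matching on `.rar` or `.zip` in the file name is exactly the filter the renaming was meant to slip past.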

The stolen data included software code, drug testing results and students’ personal information, according to the indictment.

Li and Dong sometimes returned to their victims several years after the initial intrusion to steal more data, prosecutors said.

Authorities discovered Li and Dong’s long-running campaign after they breached the Hanford Site, a Department of Energy nuclear waste complex in Benton County, Wash., in March 2015, according to William Hyslop, the U.S. attorney for the Eastern District of Washington. A private security firm working for the facility spotted the hackers and alerted the FBI, Hyslop said at the press conference.

Senior administration officials and congressional Republicans have highlighted the cyberattacks targeting coronavirus research to bolster President Donald Trump’s broader case against China, which remains locked in a long-running trade war with the U.S.

In May, Secretary of State Mike Pompeo called the intrusions “an extension of [China’s] counterproductive actions throughout the COVID-19 pandemic.”

Days later, Sen. Marsha Blackburn (R-Tenn.) tweeted, “The Chinese Communist Party is notorious for stealing American technology to make up for China’s inability to self-innovate. A cure for COVID-19 is next on their list of things to steal.”

Lawmakers have requested briefings about the intrusions and introduced legislation to respond.

Beijing has consistently denied hacking into companies researching the virus.

China has conducted a broader effort to steal intellectual property to benefit its domestic industries in recent years. Chinese agents have aggressively targeted third-party IT contractors known as “managed service providers,” leap-frogging from these contractors into the networks of their high-value clients. In December 2018, the U.S. charged two Chinese cyber criminals with a 12-year campaign that hit MSPs, dozens of tech firms and multiple government agencies.

At the press conference, Bowdich described China’s political and economic espionage as “the greatest long-term threat to our nation’s information, intellectual property and its economic vitality.”

“We’re bringing these charges today to put the Chinese leaders directing these cyberattacks on notice,” he said. “There are serious consequences and risks for stealing our technological and our intellectual property.”
