Breach, Americas, Content

DOJ Accuses Hackers of Stealing COVID-19 Research for Chinese Spy Services

The U.S. Justice Department (DOJ) has charged two Chinese nationals with conducting a decade-long hacking campaign to steal intellectual property for that nation’s spy services from hundreds of companies and industries, including technology manufacturing, industrial engineering, pharmaceuticals and defense.

In an 11-count indictment, the DOJ claimed that Li Xiaoyu and Dong Jiazhi, both trained in computer applications technologies at the same Chinese university, collaborated with the Guangdong State Security Department (GSSD) of the Ministry of State Security (MSS) to steal terabytes of data from U.S. networks. The defendants also simultaneously attacked victims worldwide for personal profit, the DOJ alleges.

Most recently, the cyber operatives allegedly probed into research facilities working to develop vaccines and treatments to derail the coronavirus (COVID-19) global pandemic. According to the indictment, in late January 2020 the hackers attempted to penetrate biotech firms located in Massachusetts and California researching COVID-19 vaccines and antiviral drugs, and two months ago, Li allegedly sought to break into a California diagnostic firm developing virus testing kits.

Homeland Security, FBI Warnings

The DOJ's accusations closely follow an advisory issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) last May warning that Chinese state-backed hackers are seeking “valuable intellectual property and public health data through illicit means related to vaccines, treatments and testing.”

U.S. Assistant Attorney General John Demers
U.S. Assistant Attorney General John Demers

The hackers are said to have homed in on high tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals, and defense industries in the U.S., Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom. The cyber duo also took aim at human rights activists, clergy and dissidents in the U.S. and elsewhere, including Hong Kong and China.

It’s yet another example of the importance of managed security service providers (MSSPs) to assist critical industries to harden their defenses against cyber attackers and to lock down their own systems as well. A year ago, hackers working for the MSS broke into the networks of eight major MSPs and technology services providers trying to steal commercial secrets from their customers.

In this case, DOJ officials called the suspects a blended threat in that they also stole intellectual property for their own financial gain. The indictment secured against them earlier this month and unsealed on July 21 was the first to target such a threat, Assistant Attorney General John Demers said. “China’s anti-competitive behavior and flagrant disregard for their promises not to engage in cyber-enabled intellectual property theft is not just a domestic issue; it is a global issue,” he said. “The indictment shows very clearly that no country is immune. Any country with a successful company or industry must be on guard and prepared to protect itself.”

Alleged Targets

The hacking effort was initially uncovered in the networks of the Department of Energy’s Hanford Site in Eastern Washington, where in 2015 the defendants reportedly stole information on Hanford personnel and lists of authorized accounts.

In the elaborate scheme to gain access to victims' networks that preceded and followed, the defendants primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites and software collaboration programs, according to the indictment. In some cases, newly-released patches for those vulnerabilities may not have been installed. The defendants allegedly used their initial unauthorized access to place malicious web shell programs and credential-stealing malware on victims’ networks, enabling the pair to remotely execute commands on infected computers.

"The complicated nature of cyber investigations is only exacerbated when the criminal is backed by the resources of a foreign government,” said Raymond Duda, a special agent in the FBI’s Seattle Division. “The nature and value of the material stolen by these hackers cannot just be measured in dollars and was indicative of being state driven,” he said.

The suspects are unlikely to be brought to trial because China does not have an extradition treaty with the U.S.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.