US authorities
have charged two Chinese hackers for allegedly hacking into the systems of
hundreds of companies, governments and individual dissidents, as well as firms developing
COVID-19 vaccines, testing technology, and treatments, the U.S. Department of
Justice (DOJ) announced this week.
An 11-count indictment alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high-technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom. Both hackers were trained in computer application technologies at the same Chinese university, according to the DOJ’s press release.
Allegedly
backed by the Chinese government, the duo targeted industries like high-tech
manufacturing, and medical device, civil, and industrial engineering, as well
as business, educational, gaming, solar energy, pharma and defense. Starting
around Sept. 1, 2009, and continuing through July 7, 2020, they exfiltrated
sensitive data and intellectual property saving their (Chinese) sponsors
precious time and resources in key areas of research and development.
“In at least
one instance, the hackers sought to extort cryptocurrency from a victim entity,
by threatening to release the victim’s stolen source code on the Internet. More recently, the defendants probed for
vulnerabilities in computer networks of companies developing COVID-19 vaccines,
testing technology, and treatments,” the DOJ said.
Li and Dong typically
gained footholds in targeted infrastructures by exploiting publicly known /
unpatched software vulnerabilities in popular web server software, web
application development suites, and software collaboration programs. They also leveraged
insecure default configurations in common applications and their initial
foothold to steal access credentials and deploy malware to remotely execute
commands on victim computers.
They allegedly packaged victim data in encrypted RAR archives, changed the extensions to .jpg, altered system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,’ according to the indictment. The duo frequently re-victimize targets that were slow to patch their entry points – in some cases returning years after the original breach, the DOJ said.
The
defendants are charged with conspiracy to commit computer fraud, conspiracy to
commit theft of trade secrets, conspiracy to commit wire fraud, unauthorized
access of a computer, and aggravated identity theft, which – if the hackers are
caught and prosecuted in a U.S. court of law – in total carry more than 40
years of prison for each individual.