US authorities have charged two Chinese hackers for allegedly hacking into the systems of hundreds of companies, governments and individual dissidents, as well as firms developing COVID-19 vaccines, testing technology, and treatments, the U.S. Department of Justice (DOJ) announced this week.
An 11-count indictment alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high-technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom. Both hackers were trained in computer application technologies at the same Chinese university, according to the DOJ’s press release.
Allegedly backed by the Chinese government, the duo targeted industries like high-tech manufacturing, and medical device, civil, and industrial engineering, as well as business, educational, gaming, solar energy, pharma and defense. Starting around Sept. 1, 2009, and continuing through July 7, 2020, they exfiltrated sensitive data and intellectual property saving their (Chinese) sponsors precious time and resources in key areas of research and development.
“In at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the DOJ said.
Li and Dong typically gained footholds in targeted infrastructures by exploiting publicly known / unpatched software vulnerabilities in popular web server software, web application development suites, and software collaboration programs. They also leveraged insecure default configurations in common applications and their initial foothold to steal access credentials and deploy malware to remotely execute commands on victim computers.
They allegedly packaged victim data in encrypted RAR archives, changed the extensions to .jpg, altered system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,’ according to the indictment. The duo frequently re-victimize targets that were slow to patch their entry points – in some cases returning years after the original breach, the DOJ said.
The defendants are charged with conspiracy to commit computer fraud, conspiracy to commit theft of trade secrets, conspiracy to commit wire fraud, unauthorized access of a computer, and aggravated identity theft, which – if the hackers are caught and prosecuted in a U.S. court of law – in total carry more than 40 years of prison for each individual.