Two college friends-turned-prolific hackers allegedly tried to steal COVID vaccine data for China
They were former classmates who studied computer technologies at an electrical engineering college in southwestern China’s Sichuan province. But instead of a conventional post-college career path, Li Xiaoyu and Dong Jiazhi embarked on a global hacking spree that became one of the most prolific ever tracked by the FBI, according to Justice Department officials and an indictment unsealed Tuesday.
The duo engaged in criminal hacking for their own personal profit, stealing trade secrets worth hundreds of millions of dollars, the indictment alleges. But they also worked to further the goals of China’s Ministry of State Security, stealing foreign military secrets and targeting opponents of the Chinese state, according to the U.S.
Over the course of more than ten years, Li and Dong allegedly stole secrets related to military satellite programs, wireless networks, and counter-chemical weapons system. They also targeted computer games companies, a cancer research organization, a solar energy company and the private emails of Chinese dissidents, according to the indictment.
Senior Justice Department officials stressed that the case showed how China was using criminal hackers to do some of its dirtiest work – including stealing research on possible vaccines and treatments for COVID-19, which was among the duo’s most recent alleged targets.
“China has now taken its place alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being on call for the benefit of the state,” John C. Demers, assistant attorney general for national security, said at a press conference on Tuesday.
Asked for comment, officials at China’s embassy in Washington pointed to remarks made by Hua Chunying, a spokesperson for the country’s foreign ministry, on July 17. “China is a staunch defender of cybersecurity,’’ Hua said at the time. “China has long been a major victim of cyberthefts and attacks.’’
“Some U.S. politicians seem to be alleging that China is waging cyber-attacks to steal U.S. research on COVID-19 vaccines,” Hua added. “It’s just absurd.”
The 27-page indictment lays out in surprising detail much of the hackers’ career — and it demonstrates how carefully U.S. intelligence and law enforcement agencies are tracking some of China’s most prolific cyberspies.
Li, 34, and Dong, 33, had studied computer application technologies at the University of Electronic Science and Technology of China, in Chengdu. They formed an efficient partnership. Dong would research victims and find potential methods of remotely breaking into computer systems. Li would then compromise the networks and steal the information, according to the indictment.
At one point, Li was having difficulty penetrating the email server of a Burmese human rights group, the indictment alleges, so his MSS handler helped out by providing specially developed software that would allow him to slip into the group’s computers unnoticed.
That detail appears to provide a smoking-gun link between the hackers and China’s Ministry of State Security, one likely made possible because U.S. spy agencies had access to the hackers’ communications.
Such access is now likely to be cut off, according to Laura Galante, founder of the cybersecurity firm Galante Strategies, as the hackers review their own security to find out how they were monitored.
According to U.S. officials, they first became aware of the hackers’ operations when they targeted the Department of Energy’s Hanford site in the eastern district of Washington. U.S. Attorney William D. Hyslop said on Tuesday that a firm working with the Department of Energy in Hanford notified the FBI of the activity, which took place in March 2015, according to the indictment.
As the FBI learned more, they found the duo was among the “the most prolific hacker groups the FBI has ever investigated,” Raymond P. Duda, a FBI special agent, said. Their victims were located all across the world, including the U.S., Australia, Belgium, Germany, Japan, Lithuania, Netherlands, South Korea, Spain, Sweden and U.K., according to the indictment.
“A government hacker shows up 9 to 5 and takes holidays off,” according to Galante, who formerly served in the Defense Intelligence Agency. “These guys were probably making a lot of money, so they had a different incentive structure.”
Although China has made criminal prosecutions of hackers a point of pride, in this case the duo’s activities bought them protection from Chinese authorities, according to the indictment. The idea of hacker working on the state’s behalf and for personal profit is a model normally associated with Russia.
“The Russians use criminals as proxies. They coerce good hackers into cooperating,’’ said James Lewis, director of the Technology Policy Program at the Center for Strategic and International Studies, a Washington think tank. “So the Chinese people have picked up on that.’’
“It’s a way to get talent without putting them in uniform,’’ he said.
After stealing source code from one victim, Li allegedly emailed the company and threatened to make the code public unless he was paid $15,000 in untraceable Bitcoin, Demers said in remarks prepared for the press conference. Demers accused China of carrying out its business like an “organized criminal syndicate.”
More recently, the indictment alleges, the hackers researched vulnerabilities in the networks of biotechnology and other firms publicly known for work on COVID-19 vaccines, treatments and testing technology. Between January and February, for instance, Li allegedly searched for vulnerabilities in the computer networks of firms that were researching COVID-19 vaccines and antiviral drugs in Massachusetts, Maryland and California. It wasn’t clear whether the hackers ultimately penetrated these companies’ systems and obtained COVID-related data.
China’s theft of corporate secrets has been known for some time, but Tuesday’s indictment adds details likely to further embarrass the country and its spies. The indictment even gives the address of a secret MSS facility in Guangzhou, along with a photo. Spies everywhere prefer to work in the shadows, not in an MSS facility across from Hong Kong whose location was broadcast to the world.
Lewis said it sends a signal “that they’re not invisible anymore.’’ “When you see the pictures and address it tells the Chinese that, one, you have to pick up your game, and, two, that we’re coming after you legally,’’ he said.
Lewis said that while indictments like the one unsealed Tuesday were once relatively rare, the Justice Department has signaled that is likely to change.
“The Chinese hate being indicted, because if they go overseas they never know if they’re going to find an Interpol red notice,’’ Lewis said. “So indictments are effective.’’