U.S. charges two Chinese hackers with a decade of international cyber theft

Officials from the Department of Justice and the Eastern District of Washington on Tuesday unsealed a criminal indictment against two Chinese citizens, former classmates who, for personal profit and on behalf of the Chinese Ministry of State Security, waged a years-long campaign to hack hundreds of victims around the world.

While the Department of Justice has since 2018 ramped up its caseload investigating Chinese economic espionage and theft of intellectual property, these are the first public charges aimed at what Assistant Attorney General for National Security John Demers, speaking at a press conference on Tuesday morning, described as the “blended threat”: Chinese hackers who work both for the state and for profit.

“These intrusions are yet another example of China’s brazen willingness to engage in theft through computer intrusions contrary to their international commitments,” said Demers.

The hackers, who are based in China, stole “hundreds of millions of dollars” worth of intellectual property and digital currency, said Special Agent Ray Duda of the FBI Seattle Field Office during the Tuesday press conference. The hackers’ alleged victims include defense contractors, medical institutions, dissidents, government agencies, technology firms and gaming companies.

Li and Dong, whose activities the government first uncovered at a Department of Energy facility in Washington, have been working since at least 2009. Most recently, government prosecutors allege, Li probed the digital defenses of a California diagnostics company involved in developing testing kits for COVID-19 amidst the global pandemic. The Justice Department did not conclude in the indictment that the hackers successfully compromised coronavirus research but “were looking to obtain it,” Demers said.

And as recently as mid-June, Li “conducted reconnaissance” on Hong Kong protestors, according to the indictment, just weeks before China announced a sweeping new national security law criminalizing “subversion of state power” among other acts.

The level of detail revealed about the hackers’ victims, including the decision to include such recent examples, is practically unprecedented, according to cybersecurity experts outside the government. “Usually we find out about things that happened years and years ago,” said John Hultquist, director of intelligence analysis at cyber threat intelligence firm FireEye during a phone interview with Yahoo News. “It’s kind of rare to see this sort of thing for incidents that are so recent, even ongoing,” he said.

Today’s announcement follows increasing government warnings about foreign espionage directed at coronavirus research, while also adding a new level of specificity and urgency to that threat. “These are state actors who don’t historically have the world’s best interests at heart,” Hultquist said. “They can take this information and use it for geopolitical leverage. It’s something we have to consider.”

Li and Dong frequently compromised and stole from victims in a variety of sectors, including “high tech manufacturing; civil, industrial and medical device engineering; business, educational and gaming software development; solar energy; and pharmaceuticals,” according to the indictment. The hackers also stole credentials belonging to Chinese dissidents living in China and overseas, including email accounts and passwords belonging to a Christian pastor, a former Tiananmen Square protester and a Hong Kong community activist, government investigators alleged.

The Justice Department also outlined specific details about the technical tools and methods Li and Dong used to conduct and disguise their activities, including renaming files they had stolen and planned to exfiltrate and storing them in the victims’ recycling bin, where they might go unnoticed. In at least one instance, according to the indictment, a Ministry of State Security official provided the defendants with a sophisticated “0day” hacking tool, previously unknown malware that the targeted organization had “zero days” to discover and defend against.
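The recycle-bin staging described above is something a defender can look for directly: files parked there whose header shows a compressed archive but whose extension says otherwise. The following is an added illustrative scanner, not code from the indictment or from any tool it describes; it assumes Windows-style `$Recycle.Bin` layout (per-user SID folders holding `$R…` content files), a placeholder SID, and a small constructed set of sample files.

```python
import os
import tempfile

# Header signatures of archive formats often used to bundle stolen data (constructed table).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

def detect_archive(path):
    """Return the archive type implied by the file header, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

def find_staged_archives(root):
    """Walk a recycle-bin tree; report archives whose extension hides their real type.
    Returns a list of (relative_path, detected_type, extension)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = detect_archive(full)
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            if kind is not None and ext != kind:
                findings.append((os.path.relpath(full, root), kind, ext))
    return findings

def build_sample_tree():
    """Constructed sample $Recycle.Bin: one honest deletion, two disguised archives, one plain zip."""
    root = tempfile.mkdtemp(prefix="recycle_")
    sid_dir = os.path.join(root, "S-1-5-21-EXAMPLE")  # per-user SID folder (placeholder SID)
    os.makedirs(sid_dir)
    samples = {
        "$RABC123.txt": b"plain text, nothing to see",
        "$RDEF456.jpg": b"Rar!\x1a\x07\x00" + b"\x00" * 32,  # RAR renamed to look like an image
        "$RGHI789.log": b"PK\x03\x04" + b"\x00" * 32,         # ZIP renamed to look like a log
        "$RJKL012.zip": b"PK\x03\x04" + b"\x00" * 32,         # extension matches, not flagged
    }
    for name, data in samples.items():
        with open(os.path.join(sid_dir, name), "wb") as f:
            f.write(data)
    return root
```

Running `find_staged_archives(build_sample_tree())` reports the two disguised archives and ignores the text file and the honestly named zip; on a real host, point it at each volume's `$Recycle.Bin` and treat hits as leads for further triage, not proof of theft.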

The tool allowed them to compromise a Burmese human rights group. Demers declined to comment on why the Justice Department did not charge the state security official who allegedly assisted Li and Dong.

Assistant Attorney General for National Security John Demers. (via Reuters TV)

Cybersecurity researchers noted that it’s likely the defendants worked with the support of larger hacking groups that have been operating for years. Declining to comment on knowledge of specific victims, Ben Read, senior manager of analysis at cyber threat firm Mandiant Threat Intelligence, told Yahoo News that his company “has tracked activity related to these actors for at least 7 years,” noting that several groups, including APT 41, a prolific Chinese hacking group, “have combined financially motivated activity and activity conducted on behalf of the PRC.”

Since the Obama administration, the Department of Justice has pursued a strategy of naming and shaming foreign hackers who commit cyber crimes against the United States, in an effort to extradite them, deter future activity or force changes in behavior, and to expose the threat to the public, particularly potential victims.

The charges also renew questions about whether China or other adversaries accused by the U.S. of cyber crime will ultimately retaliate for the exposure of their tools and techniques. Former intelligence officials have repeatedly raised concerns that foreign governments will charge U.S. government hackers who routinely spy and launch attacks against foreign targets, particularly as the U.S. ramps up its own covert cyber operations.

Demers, in response to questions from journalists about the decision to unseal the indictment, explained that the Justice Department believes it’s unlikely Li and Dong will travel anytime soon and expose themselves to potential extradition. Consequently, Demers said the department determined there was “more value to unsealing this indictment to highlight for the public, for the private sector generally, the problems and the threats that are facing them.”
