The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

US Indicts Two Chinese Hackers Following Theft of Trade Secrets

by Chris Brook on Tuesday July 28, 2020

Contact Us
Free Demo
Chat

The two hackers were also linked to attempts to hack American biotech firms working on a coronavirus (COVID-19) vaccine.

The U.S. government recently levied charges against two Chinese hackers for IP theft and for targeting coronavirus vaccine information.

In an indictment from earlier this month unsealed in the United States District Court for the Eastern District of Washington last week, the Department of Justice charged Li Xiaoyu and Dong Jiazhi for hacking into computers around the world and stealing terabytes of data. The indictment alleges the suspects had previously stolen data on human rights activists.

While Jiazhi’s name was redacted from a copy of the indictment that made the rounds last week, it appeared in a press release issued by the DOJ on Tuesday.

The two didn't discriminate when it came to the verticals they targeted - the victims included companies in high tech manufacturing, civil, industrial, and medical device engineering, business, educational and gaming software, solar energy and pharmaceuticals, according to the court filing. Recently, the two had infiltrated international companies working on COVID-19 vaccines.

It's certainly not a surprise that attackers based in China were connected to attacks seeking COVID-19 treatment data. The FBI and the Cybersecurity and Infrastructure Security Agency both warned firms in May that APT groups were on the prowl for IP and public health data related to vaccines, treatments, and other COVID-19 related research.

"The Defendants stole hundreds of millions of dollars' worth of trade secrets, intellectual property, and other valuable information," the indictment reads.

While none of the companies are named in the indictment, the DOJ claims that it was Xiaoyu in particular who poked around, looking for vulnerabilities at several biotech firms - one in Maryland, one in Massachusetts, two in California - all companies had previously disclosed they were researching potential COVID-19 vaccines. It’s worth noting that it’s not clear the two managed to steal anything from these firms; Xiaoyu was simply performing reconnaissance.

At a handful of other firms, named Victim 1, Victim 2, and so on in the document, the two managed to do some damage, compromising networks and stealing data at an almost prolific rate from 2014 to 2020.

In the US, the pair's hacking was widespread, pilfering just over 2 TB of data from a baker’s dozen of companies.

The company hit the hardest, a mechanical engineering company that does business in the U.S and Japan, was targeted twice, in 2018 and again in March this year. The hackers absconded with proprietary and sensitive data, including drawings and specifications for high-efficiency gas turbines. Other victims included an education software company - millions of students and teachers' personally identifiable information was taken, a software company - source code was taken, and a Virginia-based federal and defense contractor - PII of more than 300 employees and contractors, in addition to project files and presentations were taken.

Across the rest of the world, the two stole almost the same amount, 2414 gigabytes, or 2.4 TB.

The pair stole 900 gigabytes of data from a Spanish electronics and defense firm, 320 gigabytes, including source code and engineering schematics, from an Australian defense contractor, 142 gigabytes of documents, including source code for products, imaging tools and algorithms for fluid dynamics, belonging to a Belgian engineering software company. The two also made off with source code from a German construction company and data belonging to gaming companies in Sweden and Lithuania

While the two stole and sold data for profit, in some scenarios they provided it to the PRC Government's Ministry of State Security, or MSS. The two provided the MSS with passwords for Chinese dissidents, for example, and worked with the group to disperse malware.

To secure access to companies, the two exploited vulnerabilities in products, like web server software, web app development suites, and software collaboration programs, in addition to default configurations in apps. Once in, they placed web shells - like China Chopper - to carry out remote commands, used credential stealing programs to steal passwords, and took data, oftentimes from a machine's recycle bin to make it less obvious after it was taken. To cover their tracks, the two changed filed names and extensions.

For conspiring to steal trade secrets from at least eight victims, the two are each being charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit theft of trade secrets, one count of conspiracy to commit wire fraud, one count of unauthorized access of a computer, and seven counts of aggravated identity theft.

The indictment was handed down the same week that US senators introduced legislation to counter actions made by China, including intellectual property theft. One goal of a bill introduced last Wednesday, the Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives Concerning China (Strategic) Act, is to curb China's theft by exposing "the full scope and scale of intellectual property theft and mass subsidization of Chinese firms, and the resulting harm to the United States, foreign markets, and the global economy.”

Tags: hacking

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.