Two Chinese state-backed hackers have been issued with an 11-count indictment alleging attempts to steal COVID-19 vaccines as part of a hacking spree lasting more than 10 years.
Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of targeting intellectual property (IP) in the high-tech, medical, pharmaceutical, engineering, business and other sectors in the US, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the UK.
Although sometimes acting for personal gain, such as trying to extort cryptocurrency by threatening to release stolen source code, they are said to have worked with the backing of the Chinese government.
Their targets over the 10+ year period included not only businesses but pro-democracy and human rights activists in the US, Hong Kong, China and elsewhere.
According to the indictment, they exploited vulnerabilities in web servers, web application development suites and software collaboration tools to gain a foothold in networks, sometimes targeting newly announced bugs. Web shells and credential harvesting tools were then deployed to enable remote code execution and persistence.
Data slated for exfiltration was first packaged into RAR archives. To stay hidden, the duo are said to have changed file names, extensions and system timestamps, and to have hidden documents in recycle bins and other locations. On some occasions they revisited previously breached organizations years after the event, the DoJ claimed.
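One defensive check that follows from the staging behaviour described above: look for files whose contents carry the RAR signature but whose extension says otherwise, including inside recycle-bin folders. This is an added illustration, not code from the indictment or from any of the parties named; the sample directory tree and file names are constructed.

```python
"""Find RAR archives disguised under another extension (constructed example)."""
import os
import tempfile
from pathlib import Path

# Signatures for RAR 4.x and RAR 5.x archives.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def is_rar(path: Path) -> bool:
    """True if the file starts with a RAR signature, regardless of its name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return head.startswith(RAR4_MAGIC) or head.startswith(RAR5_MAGIC)


def find_disguised_rars(root: Path) -> list[Path]:
    """Walk root and return files that are RAR by content but not by extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".rar" and is_rar(p):
                hits.append(p)
    return hits


def build_sample_tree() -> Path:
    """Constructed fixture: an honest .rar, a RAR renamed to .tmp inside a
    recycle-bin-style folder, and an unrelated text file."""
    root = Path(tempfile.mkdtemp())
    (root / "report.rar").write_bytes(RAR4_MAGIC + b"\x00" * 16)
    hidden = root / "$Recycle.Bin" / "S-1-5-21-0"  # hypothetical SID folder
    hidden.mkdir(parents=True)
    (hidden / "~tmp0001.tmp").write_bytes(RAR5_MAGIC + b"\x00" * 16)
    (root / "notes.txt").write_text("quarterly notes")
    return root


if __name__ == "__main__":
    for hit in find_disguised_rars(build_sample_tree()):
        print("disguised RAR archive:", hit)
```

Extension-only filters miss renamed archives; a content check like this one is what surfaces them, and the same signature check can be run against SIEM file-creation events that include leading bytes.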
The two are charged with conspiring to steal IP from eight companies in the form of technology designs, manufacturing processes, test mechanisms and results, source code and pharmaceutical chemical structures.
Li and Dong would spend decades in prison if caught and convicted, although that’s unlikely to happen as long as they remain in China.
News of the indictment comes in the same week that the UK’s National Cyber Security Centre (NCSC) warned that Kremlin-linked hacking group APT29 (aka Cozy Bear) has been attempting to steal vaccine-related IP from organizations in the UK and North America.
Mandiant senior manager of analysis Ben Read argued that state-sponsored hackers have put a premium on stealing information on COVID-19 vaccines. He added that the pattern of conducting both for-profit and for-government attacks is similar to that of “China-nexus” groups such as APT41.
“Mandiant has tracked this group since at least 2013; the targeting and description of their TTPs is consistent with what we have observed,” said Read.
“The Chinese government has long relied on contractors to conduct cyber-intrusions. Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.”