Sikov - stock.adobe.com

DOJ Accuses China of Targeted Hacking on COVID-19 Research Data

Two hackers are accused by DOJ of working with the Chinese government to target and hack hundreds of US entities, stealing more than a terabyte of data, including COVID-19 research.

The Department of Justice has indicted two hackers for allegedly working with the government of China to target and hack hundreds of US companies, governments, organizations, and others in a global intrusion campaign, designed to steal valuable information, including COVID-19 research. 

The cybercriminals are accused of stealing more than a terabyte of data through what DOJ officials described as a sophisticated and prolific threat to US networks. 

COVID-19 research data would be highly valuable on the dark web, given the global efforts focused on finding a vaccine or treatment for the coronavirus. In fact, the indictment comes on the heels of a report showing Russian hackers known as Cozy Bear targeting US COVID-19 research firms to steal or destroy valuable information in a similar fashion. 

DOJ filed an 11-count indictment  with a federal grand jury in Spokane, Washington, accusing the hackers LI Xiaoyu and Dong Jiazhi of both working with the Guangdong State Security Department (GSSD) of the Ministry of State Security, as well as targeting victims for their own financial gain. 

According to the release, the hackers were trained in computer application technologies and have conducted this global hacking campaign over the course of the last 10 years. They targeted companies from a wide range of countries, including the pharmaceutical, medical device, educational, and high tech manufacturing sectors, among others. 

“In at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the internet,” DOJ officials explained. 

In the most recent attacks, the hackers probed for computer network vulnerabilities of entities tasked with developing COVID-19 vaccines, testing technology, and treatments. 

While not outlined in the release, the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency previously warned that hackers with ties to China were targeting COVID-19 research firms and had successfully compromised some of those networks. 

The attacks were first discovered on computers on the of Department of Energy’s Hanford Site in Eastern Washington, U.S. Attorney for the District Eastern District of Washington, William D. Hyslop, explained in the release. 

And the computer systems of many US businesses, agencies, and individuals have also been recently “hacked and compromised with a huge array of sensitive and valuable trade secrets, technologies, data, and personal information being stolen.”  

Hackers first gained access by primarily exploiting known vulnerabilities in popular web server software, web application development suites, and software collaboration programs. DOJ stressed that some of the exploited vulnerabilities were newly reported, which means that many users would not have been able to install those patches prior to the attack. 

Further, the threat actors allegedly targeted insecure default configurations in common applications. 

“The defendants used their initial unauthorized access to place malicious web shell programs (e.g., the ‘China Chopper’ web shell) and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers,” DOJ officials explained. 

“To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from ‘.rar” to '.jpg') and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,’” they added. 

What’s more, the hackers would frequently return to networks of previous victims from where they’d already stolen data – in some cases years after the initial data exfiltration. Fortunately, some of those attempts were thwarted by the FBI and other network defenders. 

The hackers have been charged with conspiring to steal trade secrets, including pharmaceutical chemical structures, from at least eight known victims. The stolen data would “give competitors with a market edge by providing insight into proprietary business plans and savings on research and development costs in creating competing products.” 

“The hackers operated from China both for their own gain and with the assistance and for the benefit of the Chinese government’s Ministry of State Security,” Hyslop said in a statement. 

"The complicated nature of cyber investigations is only exacerbated when the criminal is backed by the resources of a foreign government,” said Special Agent in Charge of the FBI’s Seattle Division, Raymond Duda, said in a statement. “The nature and value of the material stolen by these hackers cannot just be measured in dollars and was indicative of being state driven." 

These attacks bring to light one common concern in the healthcare sector: a lack of expedient patch management processes. In fact, recent BitSight data found serious flaws in 17 biomedical companies publicly recognized for playing a role in the development of a COVID-19 vaccine. 

Given several critical vulnerabilities recently disclosed by DHS CISA, the indictment should serve as a warning to healthcare providers to patch those vulnerabilities as soon as possible.

Next Steps

Dig Deeper on Cybersecurity strategies