Hackers allegedly worked with Chinese government, stealing from companies, governments, NGOs
In what appears to be a massive and decade-long data heist, the Justice Department has successfully indicted two hackers allegedly working both with China’s Ministry of State Security and for their own profit, who DOJ said stole terabytes (and hundreds of millions of dollars’ worth) of intellectual property, confidential business information and personal information over 10 years and in over 10 different countries, including the U.S.
The 11-count indictment, which was returned by a grand jury in Spokane, Wash., charges Li Xiaoyu (李啸宇), 34, and Dong Jiazhi (董家志), 33, with conducting the hacking campaign, targeting industries as divergent as high tech manufacturing, gaming software and solar energy, as well as COVID-19 research.
The hacks involved hundreds of companies, governments, non-governmental organizations (NGOs), dissidents, clergy, and human rights activists, often targeting companies in countries with strong tech industries.
DOJ said they conducted the hacks from a safe haven provided by the Chinese government, and with help from the government.
One hack involved a California software gaming company (not identified other than as a subsidiary of a Japanese company). The hackers allegedly stole the source code for two games, one of which had not yet been released. Another hack targeted a U.S. educational software company and included the personally identifiable information (PII) of millions of teachers and students.
There were also gaming software hacks of companies in Sweden and Lithuania.
“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney General for National Security John Demers in announcing the indictments.
The hack was first identified on Department of Energy computers in Eastern Washington state.
The hackers allegedly placed malicious shell programs and credential-stealing software on the computers they hacked–often hiding them in the recycle bin–allowing them to hijack those computers.
The indictment charges the hackers with “conspiring to steal trade secrets from at least eight known victims, which consisted of technology designs, manufacturing processes, test mechanisms and results, source code, and pharmaceutical chemical structures.”
The defendants could face up to 50 years in prison. They are each charged with one count of conspiracy to commit computer fraud (a maximum of five years in prison); one count of conspiracy to commit theft of trade secrets (a maximum of ten years); one count of conspiracy to commit wire fraud (20 years maximum); one count of unauthorized access of a computer (five years maximum); and seven counts of aggravated identity theft (a mandatory sentence of two non-consecutive years).