Four Chinese hackers were recently indicted in the U.S. for carrying out cyber attacks between 2011 and 2018 against multiple U.S. organisations, including universities and government agencies, with the full support of Chinese government agencies.
The four hackers were indicted in May by a federal grand jury in San Diego, California. The indictment, which was unsealed today, alleges that the hackers carried out a series of cyber attacks targeting U.S. organisations with the aim of obtaining information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes.
While one of those indicted was a computer hacker experienced in creating malware, supervising other hackers, and hacking into computer systems operated by foreign governments, companies, and universities, the three others were members of the Hainan State Security Department (HSSD) and were responsible for coordinating, facilitating and managing hackers and linguists at various Chinese entities for the benefit of China.
The hackers operated through a front company named Hainan Xiandun Technology Development Co., Ltd. to obfuscate the Chinese government’s role in intellectual property theft and to enable the Chinese government to deny its role in cross-border cyber crime.
Explaining how the cyber criminal operation was carried out on an industrial scale, the U.S. Department of Justice said that members of China’s Ministry of State Security (MSS) “coordinated with staff and professors at various universities in Hainan and elsewhere in China” to hire skilled hackers and linguists capable of stealing sensitive information from foreign entities and universities. One Hainan-based university also helped create a fake profile for the front company, providing its payroll, benefits and a mailing address, and managed the company as well.
The four hackers have been categorized by U.S. agencies and threat hunters as members of APT40. They used spear-phishing emails and masqueraded as employees of well-known and legitimate companies to form working relationships with targeted organisations. Once victims clicked on malicious links in emails sent by the hackers, the links downloaded various malware variants, such as Badflick, Photo, Murkytop, and Homefry, which gave the hackers persistent access to victims’ systems, enabled lateral movement within those systems, and allowed the theft of credentials, including administrator passwords.
Using this technique, the hackers targeted individuals and organisations located in multiple countries, namely the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom. Industries targeted by the hackers for intellectual property theft included aviation, defense, education, government, health care, biopharmaceuticals and maritime.
According to indictment papers, the hackers succeeded in stealing vast amounts of trade secrets and confidential business information between 2011 and 2018. The stolen data included technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country. They also stole information about infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.
“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China. The defendants include foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate,” said Acting U.S. Attorney Randy Grossman for the Southern District of California.
“These offenses threaten our economy and national security, and this prosecution reflects the Department of Justice’s commitment and ability to hold individuals and nations accountable for stealing the ideas and intellectual achievements of our nation’s best and brightest people.”
Commenting on the indictment of the four Chinese nationals, the White House released a statement today saying that the DOJ documents outline how MSS hackers pursued the theft of Ebola virus vaccine research, and that they demonstrate that the PRC’s theft of intellectual property, trade secrets, and confidential business information extends to critical public health information.
“Much of the MSS activity alleged in the Department of Justice’s charges stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage,” it said.
The White House also accused China of using the services of contract hackers who also conduct unsanctioned cyber operations worldwide, including for their own personal profit. “Hackers with a history of working for the PRC Ministry of State Security (MSS) have engaged in ransomware attacks, cyber-enabled extortion, crypto-jacking, and rank theft from victims around the world, all for financial gain.
“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” it added.