US charges Chinese nationals with Covid-19 research hacking

Exploiting vulnerabilities

Li and Dong exploited publicly known, unpatched software vulnerabilities in web server software, web app development suites and collaboration software, as well as insecure default configurations in common applications. Having gained access, they placed malicious web shell programs and credential-stealing software on their target networks, which gave them remote execution capabilities.

To obfuscate their activities, the two typically packaged data in encrypted .rar files, changed the file and victim document names and extensions and timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks or in their “recycle bins”. They frequently returned to the scenes of previous crimes, in some cases years later.

This came to light when intrusions were discovered on systems at the Department of Energy’s Hanford Site, a former nuclear facility in southeast Washington that was instrumental in the development of the atom bombs that the US used to destroy the cities of Hiroshima and Nagasaki.

It went on to produce plutonium for more than 60,000 nuclear weapons, but after it was found to have leaked vast amounts of radioactive materials into the air and the nearby Columbia River, it is now the site of one of the largest nuclear clean-up operations in the world.

The indictment charges them with conspiracy to steal trade secrets, conspiracy to commit computer fraud, conspiracy to commit wire fraud, unauthorised access to a computer and aggravated identity theft.

The widespread publicising of the indictments is another example of a trend towards being more willing to openly attribute blame for cyber crime among western governments, particularly when the activity emanates from hostile governments.

Just last week, the UK government openly accused Russian government-sponsored threat groups of hacking into the systems of organisations working on Covid-19 research, and the publication this week of the long-awaited Russia Report has gone further still, revealing the extent of Russian cyber intrusion into the UK’s domestic affairs.

John Demers, assistant attorney general for national security, said: “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including Covid-19 research.”

Ben Read, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye, said: “This indictment shows the extremely high value that all governments, including China, place on Covid-19 related information. It is a fundamental threat to all governments around the world and we expect information relating to treatments and vaccines to be targeted by multiple cyber espionage sponsors. Mandiant has tracked this group since at least 2013, the targeting and description of their TTPs is consistent with what we have observed.

“The Chinese government has long relied on contractors to conduct cyber intrusions,” said Read. “Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.

“The pattern described in the indictment where the contractors conducted some operations on behalf of their government sponsors, while others were for their own profit, is consistent with what we have seen from other China-nexus groups such as APT41.”