COVID-19 has led to a large uptick in cyber espionage. Last May, I reported on the joint statements from the U.S. and the U.K., formally accusing China, Russia, and Iran of trying to hack into Covid-19 research institutions.

Now the U.S. Department of Justice has accused two Chinese nationals of hacking into various U.S. departments over the past decade, including Covid-19 vaccine research facilities. Li Xiaoyu and Dong Jiazhi have been charged with identity theft, conspiracy to commit wire fraud, and violating anti-hacking laws (BBC, July 21, 2020). The former electrical engineering students are believed to have worked with the Guangdong State Security Department of the Ministry of State Security, China’s secretive international intelligence department. According to the FBI’s media release, they also worked independently for their own financial gain.

Li and Dong’s targets are said to have included “companies engaged in high-tech manufacturing, pharmaceuticals, and gaming software development” and “dissidents, clergy and human rights activists in the United States, China, and Hong Kong”:

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including covid-19 research,” said John C. Demers, head of the Justice Department’s National Security Division. He called the accused hackers “a prolific threat to U.S. and foreign networks.”

Ellen Nakashima and Devlin Barrett, “U.S. Accuses China of Sponsoring Criminal Hackers Targeting Coronavirus Vaccine Research” at The Washington Post (July 21, 2020)

They are also believed to have exploited software vulnerabilities in research firms working on Covid-19 in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, Sweden, and the U.K., as well as the U.S.
This is the first time the U.S. has accused the Chinese government of sheltering and working with known cybercriminals. The indictment cites eleven counts of hacking and fraud that began a decade ago. But the focus seems to have shifted recently to companies known to be working on COVID-19 research, including biotechnology firms in California, Maryland, Washington State, Texas, Virginia, and Massachusetts. That was, however, only a small fraction of Li and Dong’s work. Wired catalogs some of Li and Dong’s biggest thefts:

They allegedly stole 200GB from a California firm, including radio, laser, and antennae technology. Another 140GB from a Virginia defense contractor, comprising both details of projects for the US Air Force and the personal information of hundreds of employees and contractors. Over a terabyte of data from a mechanical engineering company at work on high-efficiency gas turbines. Not to mention a hit list that included multiple videogame and pharmaceutical companies, an educational software firm, Covid-19 research, and hundreds of other victims worldwide.”

Brian Barrett, “Chinese Hackers Charged in Decade-Long Crime and Spying Spree” at Wired (July 21, 2020)

Notably, many of the industries targeted by Li and Dong were specified in the CCP’s “Made in China 2025” initiative to turn China into a high-tech manufacturer.

Neither Chinese cyber espionage nor attempts by foreign powers to hack into COVID-19 research facilities are a surprise. Two weeks ago, the U.S., U.K., and Canada accused Russia of trying to steal information on COVID-19 vaccine research. Last May, the U.S. accused China of endangering COVID-19 vaccine research.

Iran is also known to have tried to hack U.S.-based Gilead Sciences Inc, which had been researching a COVID-19 vaccine:

In one case, a fake email login page designed to steal passwords was sent in April to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses. Reuters was not able to determine whether the attack was successful. Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, who closely tracks Iranian hacking activity and has investigated the attacks, said the attempt was part of an effort by an Iranian group to compromise email accounts of staff at the company using messages that impersonated journalists.

Jack Stubbs, Christopher Bing, “Exclusive: Iran-Linked Hackers Recently Targeted Coronavirus Drugmaker Gilead–Sources” at Reuters (May 8, 2020)

Two other cybersecurity researchers confirmed that the attacks came from Iran.

What’s new about this most recent indictment of Li and Dong is the acknowledgment that China is working with known cybercriminals. China also uses the intellectual property that it steals as leverage to silence countries that call out its actions. FBI Deputy Director David Bowdich told media recently:

China steals intellectual property and research, which bolsters its economy. And then they use that illicit gain as a weapon to silence any country that would dare challenge their illegal actions. This type of economic coercion isn’t what we expect from a trusted world leader. It’s what we expect from an organized criminal syndicate.

News, “FBI Deputy Director David Bowdich’s Remarks at Press Conference Announcing Charges Against Chinese Hackers” at FBI (July 21, 2020)

FBI Director Christopher Wray also told the BBC that the FBI is opening a new China-related counterintelligence case every 10 hours: “Of the nearly 5,000 active counterintelligence cases currently underway across the country, almost half are related to China” (BBC, July 21, 2020).

Aside from hacking into COVID-19 research, Chinese hackers have also been using methods used by state-sponsored hackers to infiltrate the Vatican’s network since May, according to U.S. cybersecurity firm Recorded Future. The hackers specifically targeted the Catholic diocese of Hong Kong, including the head of the Hong Kong Study Mission. China and the Vatican are set to renew their 2018 agreement in September 2020.

China denies all allegations of state-sponsored hacking or hiring cybercriminals.

However, the Chinese Communist party (CCP) is not winning many allies with its Wolf Warrior strategy and cyber theft. The basic strategy has been described as rob, replicate, and replace, that is, the CCP first robs other countries of their intellectual property and technology, then they replicate it, and finally replace it with their own technology. We saw this happen with facial recognition technology. China is thought to be seeking to replicate U.S. DNA forensic technology as well, for the purpose of collecting DNA from tens of millions of men and boys.

Perhaps China senses a need to move quickly in these matters. Its clout has been waning on the global stage. Britain has changed its mind about working with Huawei’s 5G network, and a number of parliamentary democracies are banding together to protect themselves. The CCP might want to keep in mind an ancient proverb: He who rides a tiger can never dismount.

Also by Heather Zeiger on hacking and China:

The new cyber Cold War with China: Cybersecurity strategist Peter Singer told Wired that there has never been a better time than the COVID-19 pandemic to be a government hacker.

and

The Age of the Wolf Warrior: China’s post-pandemic strategy: The younger diplomats take their cue from a Chinese Rambo-style movie and the rewritten history they learned at school.