Li Xiaoyu had a problem. At some point in his decade-long hacking spree with former college classmate Dong Jiazhi, as alleged in a recent Justice Department indictment, the Chinese national found himself unable to break into the mail server of a Burmese human rights group. The usual methods apparently hadn’t worked. For Li, the solution came from having a friend in high places: An officer with China’s Ministry of State Security handed him zero-day malware—unknown to security vendors, and so harder to defend against—to help finish off the job.
Other countries have long blurred the lines between criminal and state-sponsored hacking, particularly Russia, Iran, and North Korea. But in a detailed indictment unsealed by the Department of Justice Tuesday, the United States has for the first time officially accused China of belonging to that club. Since at least 2009, authorities say, Li and Dong have hacked hundreds of companies around the world. Their targets range from manufacturing and engineering companies to videogame and education software to solar energy to pharmaceuticals. More recently—and unsurprisingly, given the intense international interest—the pair has targeted firms working on Covid-19 vaccines and treatments. They’ve allegedly stolen invaluable intellectual property to pass along to their MSS handlers, while lining their own pockets along the way.
"China is using cyberintrusions as part of its rob, replicate, and replace strategy to technological development," said assistant attorney general for national security John Demers at a press conference Tuesday. "China is providing a safe haven for criminal hackers who, as in this case, are hacking in part for their own personal gain, but willing to help the state and on call to do so."
The indictment outlines at length how Li and Dong allegedly worked as a tag team. Dong would research victims and how they might be exploited; Li did the dirty work of compromising the networks and exfiltrating the data. The pair used the same general workflow regardless of the victim, which makes sense given the volume of attacks to which they have been linked. Efficiency at scale counts for a lot.
First, they would identify high-value targets, and attempt to get a foothold either through poorly configured networks or through fresh vulnerabilities that their targets hadn't yet patched. On September 11, 2018, for instance, Adobe disclosed a critical bug in its ColdFusion platform; by October 20 of that year, Li had successfully exploited it to install a so-called web shell on the network of a US government biomedical research agency in Maryland. A web shell is a small script planted on a web server that lets the attacker run commands through ordinary HTTP requests, so the foothold survives as long as the file does, and the window between Adobe's disclosure and the intrusion was just 39 days.
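The workflow the indictment describes, exploiting an unpatched web application to drop a web shell, leaves a recognizable trace in web-server access logs: a client POSTs to an upload endpoint, then requests a file with a server-side script extension from the upload directory. The Python below is an added example that is not part of the article or the indictment; it scans constructed Common Log Format lines for that pattern. The endpoint `/cf_scripts/upload`, the directory `/cf_scripts/uploads/`, and the sample addresses are hypothetical placeholders, not real ColdFusion routes or data from the case.

```python
"""Flag the 'upload, then invoke a script from the upload directory' pattern.

Added example, not from the article. Log lines, endpoint and upload directory
are constructed placeholders; adapt UPLOAD_ENDPOINT and UPLOAD_DIR to the
real application.
"""
import re
from datetime import datetime, timedelta

# Constructed Common Log Format excerpt (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2018:03:11:02 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.7 - - [20/Oct/2018:03:14:41 +0000] "POST /cf_scripts/upload HTTP/1.1" 200 312
203.0.113.7 - - [20/Oct/2018:03:14:50 +0000] "GET /cf_scripts/uploads/img.jsp?cmd=whoami HTTP/1.1" 200 88
10.0.0.9 - - [20/Oct/2018:03:20:13 +0000] "POST /cf_scripts/upload HTTP/1.1" 200 312
10.0.0.9 - - [20/Oct/2018:03:20:20 +0000] "GET /cf_scripts/uploads/photo.png HTTP/1.1" 200 90211
198.51.100.4 - - [20/Oct/2018:04:01:00 +0000] "GET /cf_scripts/uploads/x.cfm HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions a web server should never execute from a user-writable directory.
SCRIPT_EXTS = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc", ".aspx", ".asp", ".php")
UPLOAD_ENDPOINT = "/cf_scripts/upload"   # hypothetical upload handler
UPLOAD_DIR = "/cf_scripts/uploads/"      # hypothetical directory it writes to
WINDOW = timedelta(minutes=10)           # max gap between upload and first call


def parse_log(text):
    """Turn CLF lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
        })
    return events


def is_script_in_upload_dir(path):
    """True if a server-side script is being requested out of the upload tree."""
    return path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS)


def find_webshell_activity(events):
    """Return (rule, client_ip, path) tuples, processing events in time order.

    'upload_then_invoke': the same client POSTed to the upload endpoint and,
    within WINDOW, successfully fetched a script from the upload directory.
    'script_in_upload_dir': a script was requested from the upload directory
    without a matching recent upload from that client (still worth a look).
    """
    findings = []
    last_upload = {}  # client ip -> time of its most recent accepted upload
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT and ev["status"] < 400:
            last_upload[ev["ip"]] = ev["ts"]
            continue
        if not is_script_in_upload_dir(ev["path"]):
            continue
        t0 = last_upload.get(ev["ip"])
        if t0 is not None and ev["ts"] - t0 <= WINDOW and ev["status"] == 200:
            findings.append(("upload_then_invoke", ev["ip"], ev["path"]))
        else:
            findings.append(("script_in_upload_dir", ev["ip"], ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, ip, path in find_webshell_activity(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {ip:15} {path}")
```

On the sample, the client at 203.0.113.7 trips the high-confidence rule (upload followed nine seconds later by a `.jsp` request carrying a `cmd` parameter), the benign image upload from 10.0.0.9 is ignored, and the lone `.cfm` request from 198.51.100.4 is reported at lower confidence. The real control is upstream of detection: the upload directory should be served with script execution disabled, so that a dropped file is inert even if the upload bug is still unpatched.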