Four hackers indicted for Chinese R&D: 'cheat and steal instead of innovate'

Today the government revealed that a grand jury in San Diego had indicted four Chinese hackers back in May. The four are all part of the Hainan State Security Department, a regional branch of the Ministry of State Security (MSS). The hacking targeted companies around the world in an effort to steal intellectual property including, curiously, some research on deadly viruses.

Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects). At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.

What’s most interesting, at least to me, about this effort is that the state security hackers apparently worked closely with several universities in the region (the photo above is one of Hainan’s major universities, though I don’t know if it was specifically involved).

As alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address…

According to the indictment, to gain initial access to victim networks, the conspiracy sent fraudulent spearphishing emails, that were buttressed by fictitious online profiles and contained links to doppelgänger domain names, which were created to mimic or resemble the domains of legitimate companies. In some instances, the conspiracy used hijacked credentials, and the access they provided, to launch spearphishing campaigns against other users within the same victim entity or at other targeted entities.
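The indictment's description of doppelgänger domains is the piece a mail-security team can act on. As an added, defensive example (not from the indictment or this post), here is a small Python check that flags links whose registrable domain is a near-match for a constructed allow-list of legitimate domains, folding digit/letter and Cyrillic confusables before comparing by edit distance. The domain list, confusable table and sample links are constructed, and the "last two labels" rule for the registrable domain is a deliberate simplification.

```python
"""Flag lookalike (doppelgänger) domains in links extracted from email (added example)."""
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation considers legitimate (assumption).
LEGIT_DOMAINS = ["example-biotech.com", "contoso-aero.com", "university-research.edu"]

# Confusables seen in lookalike registrations: digit/letter swaps, letter pairs that
# render like another letter, and a few Cyrillic letters that look like Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize(label: str) -> str:
    """Casefold, apply Unicode compatibility normalisation, then fold confusables."""
    text = unicodedata.normalize("NFKC", label).casefold()
    for glyph, plain in CONFUSABLES.items():
        text = text.replace(glyph, plain)
    return text

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(url: str) -> str:
    """Last two host labels; a simplification that ignores multi-label public suffixes."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")  # show punycode as the user sees it
        except UnicodeError:
            pass
    return ".".join(host.split(".")[-2:])

def classify_link(url: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, closest legit domain); verdicts: legitimate, lookalike, unknown."""
    domain = registrable_domain(url)
    if domain in legit:
        return "legitimate", domain
    folded = normalize(domain)
    best = min(legit, key=lambda d: levenshtein(folded, normalize(d)))
    if levenshtein(folded, normalize(best)) <= max_distance:
        return "lookalike", best
    return "unknown", None
```

In practice the allow-list would be the organisation's own brands plus the partners its users correspond with, and a "lookalike" verdict is a reason to quarantine or rewrite the link, not proof of compromise on its own.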

That’s certainly a very different approach to research and development. Chinese academics may not be coming up with much original work, but they are in a position to know who the leading figures are in their field, i.e. academics at universities in the US and Europe. In this case they simply put together a shopping list of the data they wanted to steal and then helped the state security goons identify ways to target the right people. Acting U.S. Attorney Randy Grossman said of the attacks, “the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate.”

Also today, the US, EU and the UK are blaming China for recent ransomware attacks that impacted about 30,000 organizations. The hacks exploited a flaw in Microsoft’s Exchange server software that allowed hackers to infiltrate computers and later to install ransomware.

Hackers who were quickly identified by U.S. government and private cybersecurity experts as likely to be affiliated with China’s Ministry of State Security, or MSS, began using the flaw in January to start hacking into companies, seemingly as part of China’s conventional spying operations. Other hackers believed by the U.S. to be tied to the MSS later launched ransomware attacks using the flaw…

“In some cases, we’re aware where [People’s Republic of China] government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the official said.

The statements represent a show of unity in the face of China’s aggressive behavior but there is no plan for sanctions like the ones put in place in response to recent Russian cyberattacks.

Condemnation from NATO and the European Union is unusual, because most of their member countries have been deeply reluctant to publicly criticize China, a major trading partner. But even Germany, whose companies were hit hard by the hacking of Microsoft Exchange…cited the Chinese government for its work…

Despite the broadside, the announcement lacked sanctions similar to ones that the White House imposed on Russia in April, when it blamed the country for the extensive SolarWinds attack that affected U.S. government agencies and more than 100 companies.

This is a bit disappointing. We’ve caught China red-handed (pun intended) and all we have to show for it are some indictments against hackers who will never set foot in the US and therefore will never face any real punishment for their crimes. Part of me hopes this non-response is simply what the CIA and NSA are telling the public while, behind the scenes, we are fighting back in ways that we don’t want to announce. I hope that’s what is happening because a non-response to behavior this egregious and widespread looks a lot like weakness.