On July 7, 2020, a Grand Jury in Seattle was presented with evidence about the eleven year campaign of Computer Network Intrusion being conducted by two former classmates who hacked for personal profit and the benefit of the Chinese Ministry of State Security. Li Xiaoyu 李啸宇 and Dong Jiazhi 董家志. The pair met when they were studying Computer Application Technologies at the University of Electronic Science and Technology ("UEST") in Chengdu, China. UEST has as its motto: 求实求真 大气大为 -- "To Seek Facts and Truth, To Be Noble and Ambitious." This pair certainly "sought facts" and were "ambitious," though not in a way that many would consider "Noble." The University was admitted into Project 985 in 2001, a project that supported 34 top universities encouraging each to become a global leader in their chosen specialty, and incidentally kicking off a new ambitious era of global cyber espionage to help them gain competitive advantage.
Or maybe it was exactly the plan. In 2007, likely the year that Dong would have started his college experience at UEST, the School of Software boasted that as part of the 11th Five Year Plan, their textbook, 计算机病毒技术 (Computer Virus Technology), received national acclaim. The following year, they announced the completion of their Information Technology textbook series of 8 books, adding "Network and System Attack Technology" and "Network and System Defense Technology" to the series. In the United States, "Network and System Attack Technology" ( 网络与系统攻击技术) is mostly taught in the military and intelligence communities, not in undergrad computer science courses. In 2017 the course was taught by Li Hongwei (李洪伟), whose slides are online. In 2019 the instructors were 李洪伟 and 吴立军.
Network and System Attack Technology - Cao Yue and Yu Shengji |
The text explains one of the tools from the "experimental" portion of the class, "MS06040Scanner":
The working principle of MS06040Scanner is to first obtain the operating system type and open ports through port scanning and operating system scanning. If it is a windows2000 system, TCP 139 or TCP 445 port is opened, and the returned data packet matches the definition in the vulnerability library. It means that the host may have MS06040 vulnerabilities, we can use MS06040 exploit programs to carry out remote overflow attacks on it
The second slide demonstrates the "X-Scan" tool which would be used to find vulnerabilities allowing data exfiltration.
The Attacks
According to the Department of Justice Indictment, Dong was the one who researched victims and means of exploiting them while Li primarily did the hacking.
美国司法部对34岁的李晓宇(音译)和31岁的董佳芝(音译)提出11项指控称,称他们侵入了数百家公司、政府机构以及持不同政见者和神职人员的电脑系统。
Here's how the indictment describes the "Manner and Means of the Conspiracy" --
"The defendants research and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information ("PII") of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.
The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy. They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors.
The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products. Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. ... They also targeted insecure default configurations in common applications."
The defendants used their initial access to place a "web shell" on the victim network, allowing remote execution of commands on a computer. The most frequently deployed was the "China Chopper" web shell. They most frequently did so by hiding the file with the name "p.jsp" in an obscure directory on a public-facing website. (They also sometimes named their webshell's "tst.jsp", "i.jsp", or "/SQLTrace/i.jsp".) The indictment includes a screenshot of China Chopper which is lifted from the FireEye blog post "Breaking down the China Chopper" ... if you are interested, you should also read the Talos Blog post: "China Chopper still active 9 years later"
(FireEye explains China Chopper) |
They would then plant software for stealing passwords, identifying computer users with Administrator access, and then studying the network for useful data. The data was compressed as a .RAR file, but then often renamed as a ".jpg" file and placed in the victim's recycle bin until it could be retrieved.
The Victims
The indictment makes clear that there were "hundreds" of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, they list types of companies, date ranges, amount of data stolen, and type of data gathered.
Victim 1: California-based technology and defense firm
Dec 2014-Jan 2015
200GB "Radio, laser, and antennae technology; circuit board and related algorithms designs for advanced antennae; testing mechanisms and results."
Victim 2: Maryland-based technology and manufacturing firm - 64GB
Victim 3: Hanford Site, Department of Energy, Washington State - information about network and personnel, including lists of authorized users and administrator accounts
Victim 4: Texas: 27GB of space and satellite application data
Victim 5: Virginia Federal Defense contractor - 140GB of project files, drawings and documents related to Air Force and FBI investigations. PII on 300+ employees
There were many more victims detailed, including:
a US Educational Software company with "millions of students and teachers' PII." breached from Nov 2018 to Feb 2019,
a California pharmaceutical company - 105GB of data in Feb and March 2019
a Massachusetts medical device company - 83 GB of source code just as the victim was engaging in a contract with a Chinese firm to produce some of their components.
Other victims were listed in other places, including a large electronics firm in the Netherlands, a Swedish online gaming company (169GB of files including source code and player usernames and passwords), a Lithuanian gaming company, and other companies in Germany, Belgium, the Netherlands, an Australian defense contractor (320GB of data!), a South Korean shipbuilding company, an Australian solar energy company, a Spanish defense firm, and a UK AI firm focused on cancer research.
The Hackers' MSS Connection
The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed "MSS Officer 1."
"After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1."
"Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of STate Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD").
"When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.
In other instances, the Defendants provide the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents including:
- a Hong Kong community organizer
- the pastor of a Christian church in Xi'an
- a dissident and former Tiananmen Square protestor
- emails to and from the office of the Dalai Lama
- emails belonging to Chinese Christian "house" church pastor in Chengdu (who was later arrested)
- emails form a US professor and organizer
- two Canadian residents who advocate for freedom and democracy in Hong Kong
MSS Officer 1 assisted LI and other hackers. When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0day malware for a popular browser which exploited a bug not known to the software vendor or security researchers.
MSS Officer 1 claimed to be a researcher at the "Guangdong Province International Affairs Research Center" but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu Distring, Guangzhou.
Example Tools and Techniques
In several attacks, the attackers (in 2018) targeted ColdFusion vulnerabilities published in 2018 (CVE-2018-15961) attempting to gain access to CKEditor and the associated FileManager, using a ColdFusion web shell program named "cfm backdoor by ufo." (This tool was actually used in a cool Canadian Government Training on APT groups, although in their training it was an Iranian hacker group using the tool.)
In some cases, the hackers were clearly operating for personal profit. Sometimes sending emails with subjects like "Source Code To Be Leaked!" and demanding a ransom payment to prevent publication of their software.
COVID-19 Targeting
On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm who had publicly announced their role in researching a potential COVID-19 vaccine.
On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19.
On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits.
On June 13, 2020, Li conducted reconnaisance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK Messaging app used by HK protestors, a Webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.