Source: United States Department of Justice
Today, the Justice Department unsealed charges in a significant national security cyber matter. The U.S. Attorney’s Office for the Eastern District of Washington (EDWA) and the National Security Division (NSD) have charged two Chinese hackers working with the Chinese Ministry of State Security (MSS), including the Guangdong State Security Department (GSSD) of the MSS, with a sweeping global computer intrusion campaign. In making this announcement, I’m joined here by Dave Bowdich, Deputy Director of the FBI, Bill Hyslop, United States Attorney for the Eastern District of Washington, and Raymond Duda, Special Agent in Charge of the FBI’s Seattle Field Division.
The campaign targeted intellectual property and confidential business information held by the private sector, including COVID-19-related treatment, testing, and vaccines. The hackers also targeted the online accounts of non-governmental organizations and individual dissidents, clergy, and democratic and human rights activists in the United States, China, Hong Kong, and abroad. Targeted industries included high tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense. According to the indictment, these malicious cyber activities began more than ten years ago and were ongoing as of the date of the indictment. During that time, the hackers stole terabytes of data from hundreds of targets, establishing themselves as a prolific threat to U.S. and foreign networks.
The activities outlined in the indictment are concrete examples of two concerning trends: first, and one we’ve seen for some time, China is using cyber-enabled theft as part of a global campaign to “rob, replicate, and replace” non-Chinese companies in the global marketplace, and second, and one that is perhaps less appreciated by the public and international partners, China is providing a safe haven for criminals who, as in this case, are hacking in part for their own personal profit but willing to help the state.
As the indictment shows, the hackers targeted technology companies in countries with high technology industries, including in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, the United Kingdom, and the United States. These intrusions are yet another example of China’s brazen willingness to engage in theft through computer intrusions contrary to their international commitments – such as their 2015 understanding with the United States, and similar understandings with other countries, not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information,” with the intent of providing competitive advantages to companies or commercial sectors.
Unsurprisingly, the intrusions targeted industries outlined in “Made in China 2025” – China’s ten-year plan for targeting strategic advanced technology manufacturing industries for development. While the plan calls for an innovation-driven approach, cases like this one show it is as much a roadmap to theft as it is guidance to innovate. The intrusions in this case targeted 8 of the 10 technology sectors identified in the plan: next generation information technology, robotics and automated machine tools, aircraft and aircraft components, maritime vessels and marine engineering equipment, clean energy vehicles, new materials, biotechnology, and advanced rail.
The indictment specifically outlines how stealing intellectual property from companies in these high-tech industries could help Chinese companies replicate the targeted technology and eventually edge out their non-Chinese competitors.
For example, from one target, a Maryland technology and manufacturing firm, the defendants obtained competitive business intelligence, in the form of testing mechanisms and results, product composition, manufacturing processes, and supply chain data that would have revealed to competitors what products the firm was intending to bring to the market. The same stolen information would have allowed competitors to save on research and development costs and time, thereby providing them a competitive edge in the global marketplace. Similar concrete examples of stolen research and development data include a Massachusetts pharmaceutical company, which suffered the theft of the chemical structure of, and engineering processes for, anti-infective agents, and a California pharmaceutical company, which suffered the theft of the chemical structure of, and testing data for, the treatment for a common chronic disease.
The business context for some of these intrusions is also noteworthy. For example, one target, a Massachusetts medical device engineering company saw the defendants steal source code and algorithms at or about the time it had sought to protect such data from a Chinese firm with which it had partnered to produce device components.
China’s anti-competitive behavior and flagrant disregard for their promises not to engage in cyber-enabled intellectual property theft is not just a domestic issue; it is a global issue. The indictment alleges activity against companies in at least 10 countries around the world. The indictment shows very clearly that no country is immune. Any country with a successful company or industry must be on guard and prepared to protect itself.
The indictment also highlights how the Chinese government is willing to turn a blind eye to prolific criminal hackers operating within China’s borders. Although the indictment alleges that the defendants conducted activity on behalf of the MSS, some of the defendants’ alleged criminal activities were conducted for personal profit. For example, in one instance, Defendant LI is alleged to have e-mailed a target and threatened to expose the target’s stolen source code on the internet unless he was paid $15,000 in cryptocurrency.
In this manner, China has now taken its place, alongside Russia, Iran, and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being “on call” to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research. With the top cover provided by state officials, these criminals are given free rein to victimize law abiding citizens around the world. All of these activities – state-sponsored theft of intellectual property and knowingly providing a safe havens for cyber criminals – run afoul of norms of acceptable state behavior in cyberspace, which the international community must address.
These charges reflect the Department’s continued determination and ability to hold individuals and nations accountable for cyber-enabled crimes. In addition to disrupting the activities of a group that was not being tracked as an organized threat by the private sector, we hope the indictment will raise broader awareness of China’s malicious cyber activities.
We are grateful for the willingness of our international law enforcement partners to cooperate with us in the investigation and disruption of cyber threats. This is yet another example of how like-minded countries can stand together to counter malicious state-sponsored cyber activities.
Before I turn this over to Dave Bowdich, I’d like to thank all the tremendous work done by the agents at the FBI’s Spokane resident agency and San Antonio field office that led the investigation; the many FBI agents and professionals at FBI’s Cyber Division, in Norfolk, and in Portland who provided essential assistance; the FBI Legal Attachés and Cyber Assistant Legal Attachés stationed around the world who led the coordination with our foreign partners; and the prosecutors both in Spokane and here in the National Security Division.
 White House, “FACT SHEET: President Xi Jinping’s State Visit to the United States,” September 25, 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
 See, e.g., Department of Justice, “Two Chinese Hackers Associated with the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information,” December 20, 2018, https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion.