Two PRC nationals were indicted for hacking to help their country’s security services and for financial gain in a wide-ranging complaint. The charges come during a time when the DOJ and other US agencies are accusing the PRC of a range of actions that threaten the US and its allies.
The United States (US) Department of Justice (DOJ) made public two grand jury indictments of nationals of the People’s Republic of China (PRC) who allegedly led long-term penetrations and hacking of a range of US public and private sector entities. The DOJ is claiming these hackers both worked closely with PRC government agencies in executing the hacks and sought to benefit financially from these activities. The indictments are the most recent development in the US-PRC dispute that continues to grow seemingly by the day. While it is very unlikely the US will ever succeed in extraditing or apprehending these hackers, many cybersecurity and national security experts see value in “naming and shaming” and filing charges as a means of shaping public opinion and rallying allies and like-minded nations against nations engaged in cyber attacks and hacking.
According to the materials released by the DOJ, these two PRC hackers were detected in trying to on the networks of the Department of Energy’s Hanford Site, which is engaged in cleanup from the production of plutonium during the Cold War. This suggests the hackers succeeded in penetrating these networks and possibly others at the Department of Energy. However, the DOJ stressed these hackers’ work in trying to access and exfiltrate information related to COVID-19 research, which echoes the claim made in a May unclassified public service announcement issued by the Federal Bureau of Investigation (FBI) and CISA that named the PRC as a nation waging a cyber campaign against U.S. COVID-19 researchers. It is possible these indictments and that claim are related. Moreover, the DOJ stressed the information these hackers stole from defense contractors and possibly universities involved with defense activities. Incidentally, if the claims are true, it would lend more weight to the Trump Administration’s previously made claims that the PRC is again violating the 2015 agreement struck to stop the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
In the indictment against LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志), the DOJ claimed:
LI and DONG, former classmates at an electrical engineering college in Chengdu, China, used their technical training to hack the computer networks of a wide range of victims, such as companies engaged in high tech manufacturing; civil, industrial, and medical device engineering; business, educational, and gaming software development; solar energy; and pharmaceuticals. More recently, they researched vulnerabilities in the networks of biotech and other firms publicly known for work on COVID-19 vaccines, treatments, and testing technology. Their victim companies were located all over the world, including among other places the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.
The DOJ further claimed:
- The Defendants stole hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information. At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion – threatening to publish on the internet, and thereby destroy the value of, the victim’s intellectual property unless a ransom was paid.
- LI and DONG did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC’s Government’s Ministry of State Security (MSS). LI and DONG worked with, and were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, known to the Grand Jury, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department GSSD).
- When stealing information of interest to the MSS, LI and DONG in most instances obtained data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the U.S. and abroad, LI and DONG stole information regarding military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.
The DOJ added in its statement on the case:
According to the indictment, to gain initial access to victim networks, the defendants primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs. In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability. The defendants also targeted insecure default configurations in common applications. The defendants used their initial unauthorized access to place malicious web shell programs (e.g., the “China Chopper” web shell) and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers.
The DOJ has filed the following charges and will seek these penalties per the agency’s press release:
- The indictment charges the defendants with conspiring to steal trade secrets from at least eight known victims, which consisted of technology designs, manufacturing processes, test mechanisms and results, source code, and pharmaceutical chemical structures. Such information would give competitors a market edge by providing insight into proprietary business plans and savings on research and development costs in creating competing products.
- The defendants are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit theft of trade secrets, which carries a maximum sentence of ten years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of unauthorized access of a computer, which carries a maximum sentence of five years in prison; and seven counts of aggravated identity theft, which each carries a mandatory sentence of two non-consecutive years in prison.
The indictments come a few days after US Attorney General William Barr and Assistant Attorney General for National Security John Demers made remarks at separate events that cast the activities of the PRC as existential threats to the US and western democracy. Their remarks continued the Trump Administration’s rhetoric, echoed by many Republicans in Congress, warning of the dangers posed by the PRC and sometimes explicitly or implicitly blaming the nation for the COVID-19 virus as a means of shifting the focus from the Trump Administration’s response that has left the US with higher infection and death rates per capita than any comparable nation. For example, earlier today, in London, in describing his talks with British Foreign Secretary Dominic Raab, Secretary of State Mike Pompeo contended:
We of course began with the challenge presented by the Chinese Communist Party and the COVID-19 virus that originated in Wuhan, China. On behalf of the American people I want to extend my condolences to the British people from your losses from this preventable pandemic. The CCP’s exploitation of this disaster to further its own interests has been disgraceful.
Earlier this month, Federal Bureau of Investigation (FBI) Director Christopher Wray delivered a speech at a conservative think tank that continued the Trump Administration’s focus on the PRC that followed the late June speech by National Security Advisor Robert O’Brien at the occasion of the announcement that Taiwan Semiconductor Manufacturing Corporation (TSMC) would build a plant in Arizona. In mid-June at the Copenhagen Democracy Summit Pompeo urged European leaders to work together to address the malign intentions and actions of the PRC that also threaten Europe. And, tomorrow Pompeo will “deliver a speech on Communist China and the future of the free world” at the Richard Nixon Presidential Library in Yorba Linda, California.
In his remarks, Barr compared the US’s situation to the challenges the “free enterprise system” faced at the end of the 1960’s within the US and from the former Soviet Union and called on private sector companies to stand together against the economic hegemony Beijing is seeking to enforce in part by coopting these companies and their technology. He lauded the refusal of some large tech companies to cooperate with the PRC’s change in national security law in Hong Kong and urged US firms doing business in the PRC to diversify supply chains and rare earth supplies in order to blunt growing Chinese dominance. Barr called for greater cooperation between the public and private sectors in the name of protecting the US and fending off the PRC.
- The PRC is now engaged in an economic blitzkrieg—an aggressive, orchestrated, whole-of-government (indeed, whole-of-society) campaign to seize the commanding heights of the global economy and to surpass the United States as the world’s preeminent superpower. A centerpiece of this effort is the Communist Party’s “Made in China 2025” initiative, a plan for PRC domination of high-tech industries like robotics, advanced information technology, aviation, and electric vehicles. Backed by hundreds of billions of dollars in subsidies, this initiative poses a real threat to U.S. technological leadership. Despite World Trade Organization rules prohibiting quotas for domestic output, “Made in China 2025” sets targets for domestic market share (sometimes as high as 70 percent) in core components and basic materials for industries such as robotics and telecommunications. It is clear that the PRC seeks not merely to join the ranks of other advanced industrial economies, but to replace them altogether.
- “Made in China 2025” is the latest iteration of the PRC’s state-led, mercantilist economic model. For American companies in the global marketplace, free and fair competition with China has long been a fantasy. To tilt the playing field to its advantage, China’s communist government has perfected a wide array of predatory and often unlawful tactics: currency manipulation, tariffs, quotas, state-led strategic investment and acquisitions, theft and forced transfer of intellectual property, state subsidies, dumping, cyberattacks, and espionage. About 80% of all federal economic espionage prosecutions have alleged conduct that would benefit the Chinese state, and about 60% of all trade secret theft cases have had a nexus to China.
Just as consequential, however, are the PRC’s plans to dominate the world’s digital infrastructure through its “Digital Silk Road” initiative. I have previously spoken at length about the grave risks of allowing the world’s most powerful dictatorship to build the next generation of global telecommunications networks, known as 5G. Perhaps less widely known are the PRC’s efforts to surpass the United States in other cutting-edge fields like artificial intelligence. Through innovations such as machine learning and big data, artificial intelligence allows machines to mimic human functions, such as recognizing faces, interpreting spoken words, driving vehicles, and playing games of skill such as chess or the even more complex Chinese strategy game Go. AI long ago outmatched the world’s chess grandmasters. But the PRC’s interest in AI accelerated in 2016, when AlphaGo, a program developed by a subsidiary of Google, beat the world champion Go player at a match in South Korea. The following year, Beijing unveiled its “Next Generation Artificial Intelligence Plan,” a blueprint for leading the world in AI by 2030. Whichever nation emerges as the global leader in AI will be best positioned to unlock not only its considerable economic potential, but a range of military applications, such as the use of computer vision to gather intelligence.
The PRC’s drive for technological supremacy is complemented by its plan to monopolize rare earth materials, which play a vital role in industries such as consumer electronics, electric vehicles, medical devices, and military hardware. According to the Congressional Research Service, from the 1960s to the 1980s, the United States led the world in rare earth production. “Since then, production has shifted almost entirely to China,” in large part due to lower labor costs and lighter environmental regulation.
The United States is now dangerously dependent on the PRC for these materials. Overall, China is America’s top supplier, accounting for about 80 percent of our imports. The risks of dependence are real. In 2010, for example, Beijing cut exports of rare earth materials to Japan after an incident involving disputed islands in the East China Sea. The PRC could do the same to us.
As China’s progress in these critical sectors illustrates, the PRC’s predatory economic policies are succeeding. For a hundred years, America was the world’s largest manufacturer — allowing us to serve as the world’s “arsenal of democracy.” China overtook the United States in manufacturing output in 2010. The PRC is now the world’s “arsenal of dictatorship.”
American companies must understand the stakes. The Chinese Communist Party thinks in terms of decades and centuries, while we tend to focus on the next quarterly earnings report. But if Disney and other American corporations continue to bow to Beijing, they risk undermining both their own future competitiveness and prosperity, as well as the classical liberal order that has allowed them to thrive.
- During the Cold War, Lewis Powell — later Justice Powell — sent an important memorandum to the U.S. Chamber of Commerce. He noted that the free enterprise system was under unprecedented attack, and urged American companies to do more to preserve it. “[T]he time has come,” he said, “indeed, it is long overdue—for the wisdom, ingenuity and resources of American business to be marshaled against those who would destroy it.”
- So too today. The American people are more attuned than ever to the threat that the Chinese Communist Party poses not only to our way of life, but to our very lives and livelihoods. And they will increasingly call out corporate appeasement.
- If individual companies are afraid to make a stand, there is strength in numbers. As Justice Powell wrote: “Strength lies in organization, in careful long-range planning and implementation, in consistency of action over an indefinite period of years, in the scale of financing available only through joint effort, and in the political power available only through united action and national organizations.”
- Despite years of acquiescence to communist authorities in China, American tech companies may finally be finding their courage through collective action. Following the recent imposition of the PRC’s draconian national security law in Hong Kong, many big tech companies, including Facebook, Google, Twitter, Zoom, and LinkedIn, reportedly announced that they would temporarily suspend compliance with governmental requests for user data. True to form, communist officials have threatened imprisonment for noncompliant company employees. We will see if these companies hold firm. I hope they do. If they stand together, they will provide a worthy example for other American companies in resisting the Chinese Communist Party’s corrupt and dictatorial rule.
- The CCP has launched an orchestrated campaign, across all of its many tentacles in Chinese government and society, to exploit the openness of our institutions in order to destroy them. To secure a world of freedom and prosperity for our children and grandchildren, the free world will need its own version of the whole-of-society approach, in which the public and private sectors maintain their essential separation but work together collaboratively to resist domination and to win the contest for the commanding heights of the global economy. America has done that before. If we rekindle our love and devotion for our country and each other, I am confident that we—the American people, American government, and American business together—can do it again. Our freedom depends on it.
In his speech, Assistant Attorney General for National Security John Demers walked through the DOJ’s efforts in “working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests,” most likely a reference to the PRC that echoes Barr’s claim Beijing is taking advantage of the US. Demers discussed recent statutory and regulatory changes in the Committee on Foreign Investment in the United States process, the newly established Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (aka Team Telecom), and the DOJ’s National Security Division’s recently restructured and expanded Foreign Investment Review Section (FIRS) that is charged with crafting and overseeing agreements with companies seeking US government assent to deals involving significant foreign investment. Demers talked in generalities in explaining the Trump Administration’s approach as it pertains to the DOJ except when he referenced a Team Telecom recommendation to revoke the licenses to operate in the US of a PRC telecommunications company.
- Looking at the numbers, only very few of the transactions we review are blocked. That does not necessarily mean the others pose no national security risk; rather, for most transactions that involve national security risk, we are successful in working with companies to craft mitigation measures that enable us to resolve the risk without resort to barring the transaction. Our ability to negotiate mitigation agreements with parties and then monitor compliance is often overlooked in public discussions of foreign investment review, but that part of our program is absolutely crucial. For that reason, today I would like to focus on the “back end” or “compliance tail” of our reviewed transactions, and to provide what I hope are some helpful insights into our compliance priorities and how those priorities can inform your own approach to mitigation and compliance.
- One of the major activities of DOJ’s National Security Division is working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests. This conference is devoted to that aspect of our work, and offers an opportunity to engage with the private sector about the threats we face, the steps taken to address those threats.
- What I would like to discuss with you today is one specific element of our Division’s foreign investment review work, which is our increasing focus on compliance and enforcement.
- The Department of Justice’s mitigation activities related to foreign investment arise chiefly in the context of two interagency groups: (1) the Committee on Foreign Investment in the United States; and (2) the newly minted Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector. This new committee was established this past spring by Executive Order, and formalized the process known for years as Team Telecom, but unfortunately burdened it with the nearly unpronounceable acronym of CAFPUSTSS (pronounced caf-PUSS-tiss). Here, for ease of our conversation, I will set aside this tongue twisting acronym and instead continue to refer to the committee as Team Telecom.
- In both of these interagency groups, the Department of Justice and our interagency partners can usually resolve national security and law enforcement risks by negotiating mitigation measures with the transaction parties. Those measures can range from the relatively straightforward, such as routine notice requirements to the very complex – for example, imposing certain governance restrictions. Once memorialized in a written agreement, we monitor compliance to ensure our identified concerns remain mitigated.
- Since 2012, the number of mitigation agreements monitored by the Department of Justice has nearly doubled, and this upward trend shows no signs of abating. Without effective mitigation monitoring by both the government and the parties themselves, the number of reviewed transactions able to clear CFIUS and Team Telecom would be far fewer. For this reason, robust and effective compliance programs are in the mutual interest of both government and industry.
Finally, Demers remarked:
I would like to make brief mention of recent enforcement activities regarding the U.S. subsidiary of China Telecom, which is a Chinese state-owned entity. As you may be aware from our April 2020 recommendation to the FCC, the Executive Branch agencies identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which is why we recommended that the FCC revoke its licenses. That recommendation was based on several factors, but many of them relate to the company’s failure to comply with a 2007 mitigation agreement. Other factors include the company’s inaccurate statements concerning the storage of U.S. records and its cybersecurity policies. The company’s operations also provided opportunities for P.R.C. state actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications. And, it followed logically that additional mitigation terms would give us no comfort with a party we cannot trust to follow them. The Foreign Investment Review Section identified those compliance issues through its mitigation monitoring program. As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.