By SecureWorld News Team
Mon | Jul 19, 2021 | 10:17 AM PDT

People, particularly in Africa, were dying.

According to the World Health Organization, the Ebola virus was killing up to 90% of those infected in various outbreaks.

The Chinese were either alarmed by the outbreaks or saw them as some sort of opportunity. Regardless of the motivation, the nation wanted the data it did not have about the virus.

So, a Chinese company named Hainan Xiandun Technology Development Ltd. stole it.

A newly unsealed indictment in U.S. District Court spells it out very clearly:

"Hainan Xiandun employed hackers who sought to and did steal such data from companies and universities involved in virus and vaccine research of the Ebola virus... and proprietary genetic-sequencing technology."

Who was this company? Who were these hackers? The U.S. Department of Justice says it was a government-run front company and the hackers were part of China's Ministry of State Security (MSS).

And check out how they operated: they involved legitimate researchers in China to help target researchers in the U.S.

From the U.S. Department of Justice:

"...the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy's goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address.

'These criminal charges once again highlight that China continues to use cyber-enabled attacks to steal what other countries make, in flagrant disregard of its bilateral and multilateral commitments,' said Deputy Attorney General Lisa Monaco."

Chinese nationals indicted in a global hacking spree 

The DOJ named four Chinese nationals as wanted by the U.S. government and now indicted by a Grand Jury:

"The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities.

The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies, and universities, and supervised other Hainan Xiandun hackers."

What are the names researchers gave this Chinese hacking spree? 

Security researchers referred to the group as Advanced Persistent Threat (APT) 40 and by a variety of other nicknames, including:

•  BRONZE MOHAWK
•  FEVERDREAM
•  G0065, Gadolinium
•  GreenCrash
•  Hellsing
•  Kryptonite Panda
•  Leviathan
•  Mudcarp
•  Periscope
•  Temp.Periscope
•  Temp.Jumper

How did the Chinese hacking operation unfold? 

The DOJ explains the general methods of this nation-state hacking attack launched by China.

"...to gain initial access to victim networks, the conspiracy sent fraudulent spearphishing emails, that were buttressed by fictitious online profiles and contained links to doppelgänger domain names, which were created to mimic or resemble the domains of legitimate companies.

In some instances, the conspiracy used hijacked credentials, and the access they provided, to launch spearphishing campaigns against other users within the same victim entity or at other targeted entities.

The conspiracy also used multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand and maintain unauthorized access to victim computers and networks.

The conspiracy's malware included those identified by security researchers as BADFLICK, aka GreenCrash; PHOTO, aka Derusbi; MURKYTOP, aka mt.exe; and HOMEFRY, aka dp.dll. Such malware allowed for initial and continued intrusions into victim systems, lateral movement within a system, and theft of credentials, including administrator passwords."
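The initial-access technique the DOJ describes above, spearphishing from "doppelgänger" domains that mimic a legitimate organization's domain, is something a mail team can check for mechanically. The script below is an added example written for this article, not code from SecureWorld, the DOJ, or the indictment: it classifies sender domains against an allowlist of legitimate domains, catching digit-for-letter and accented homoglyph substitutions, one- or two-character typos, and legitimate names nested inside an attacker-controlled domain. The allowlist, the sample sender addresses, and the two-label rule for the registrable domain are all constructed assumptions.

```python
"""Flag sender domains that mimic a legitimate domain (doppelgänger domains).

Added example; not part of the SecureWorld article or the DOJ indictment.
LEGIT_DOMAINS and SAMPLE_SENDERS are constructed for illustration.
"""
import unicodedata

# Assumed (constructed) domains the organization legitimately mails from.
LEGIT_DOMAINS = ["example-university.edu", "acme-biotech.com"]

# Visually similar substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lowercase, strip accents via NFKD decomposition, fold ASCII homoglyphs.

    Note: NFKD does not map Cyrillic or Greek confusables (e.g. Cyrillic 'а')
    onto Latin letters; an IDN confusables table would be needed for those.
    """
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the last two labels are the registrable domain.

    This ignores multi-part public suffixes such as co.uk; a production check
    would use a public-suffix list instead.
    """
    return ".".join(host.split(".")[-2:])


def classify(address: str):
    """Return (verdict, matched_legit_domain) for one sender address."""
    host = address.rsplit("@", 1)[-1].strip().lower()
    reg = registrable(host)
    norm = normalize(reg)

    # Exact registrable-domain match (including legitimate subdomains).
    for legit in LEGIT_DOMAINS:
        if reg == legit:
            return ("legitimate", legit)

    for legit in LEGIT_DOMAINS:
        lnorm = normalize(legit)
        # examp1e-university.edu, acme-biotéch.com
        if norm == lnorm:
            return ("homoglyph-lookalike", legit)
        # example-universty.edu (one or two edits away)
        if levenshtein(norm, lnorm) <= 2:
            return ("typo-lookalike", legit)
        # example-university.edu.attacker-mail.com (legit domain as a subdomain)
        if ("." + legit + ".") in ("." + host):
            return ("embedded-lookalike", legit)
        # acme-biotech-careers.com (legit second-level name with words appended)
        if lnorm.split(".")[0] in norm.split(".")[0]:
            return ("embedded-lookalike", legit)

    return ("unrelated", None)


def scan(addresses):
    """Classify a batch of sender addresses; returns a list of (address, verdict, match)."""
    return [(addr,) + classify(addr) for addr in addresses]


# Constructed sample senders, as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "alice@mail.example-university.edu",
    "bob@examp1e-university.edu",
    "carol@example-universty.edu",
    "dave@example-university.edu.attacker-mail.com",
    "eve@acme-biotech-careers.com",
    "grace@acme-biotéch.com",
    "frank@unrelated-vendor.net",
]

if __name__ == "__main__":
    for addr, verdict, match in scan(SAMPLE_SENDERS):
        print(f"{verdict:20} {addr:45} matched={match}")
```

Only the first rule is an allow decision; everything else is a signal to quarantine or at least tag the message, since a real lookalike domain will also carry valid SPF and DKIM records for itself. Feed the function the envelope-from and the header From domain separately, because the two often differ in these campaigns.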

What kind of data did the Chinese hacking operation steal? 

The DOJ says this operation went well beyond Ebola virus data—and that Chinese intelligence members hacked and stole trade secrets around unique technologies:

•  submersibles
•  autonomous vehicles
•  specialty chemical formulas
•  biomedical research
•  aviation
•  defense

And this effort extended far beyond the United States.

Targeted victims outside the U.S. included those in Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom. 

Paul Abbate, Deputy Director of the FBI, explains that this is just the latest example of how China says one thing and does another in cyber: 

"We will not allow the Chinese government to continue to use these tactics to obtain unfair economic advantage for its companies and commercial sectors through criminal intrusion and theft. With these types of actions, the Chinese government continues to undercut its own claims of being a trusted and effective partner in the international community."

There is much more in the newly unsealed court documents and indictment. Read the 30-page document here.
