author photo
By Clare O’Gara
Wed | Jul 22, 2020 | 8:04 AM PDT

When a hacker's list of victims includes hundreds of organizations, you know they're serious.

But so was the U.S. judge who charged them.

What did the Chinese cybercriminals hack?

Li Xiaoyu and Dong Jiazhi carried a long list of cyber victims, including hundreds of companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States and abroad, including Hong Kong and China.

In some cases, they attacked for personal gain. In others, they worked directly for MSS or other Chinese government agencies.

A federal grand jury in Spokane, Washington, recently charged the pair on 11 counts. And while the list of targeted entities and industries is lengthy, one of their more recent hacks is particularly striking.

"More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments."

Stories like this are quickly becoming commonplace. SecureWorld News continues to cover individual and nation-state attacks on COVID-19 research, particularly from China and Russia.

Assistant Attorney General for National Security John C. Demers captured this sentiment in his response to the case:

"China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state, here to feed the Chinese Communist party's insatiable hunger for American and other non-Chinese companies' hard-earned intellectual property, including COVID-19 research."

And what's worse? For most of their attacks, these hackers targeted publicly known vulnerabilities:

"In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the vulnerability. 

The defendants also targeted insecure default configurations in common applications. The defendants used their initial unauthorized access to place malicious web shell programs (e.g., the 'China Chopper' web shell) and credential-stealing software on victim networks, which allowed them to remotely execute commands on victim computers."

Each hacker is set to serve a maximum sentence of 54 years in prison.