A US federal grand jury has indicted four Chinese nationals for their alleged participation in a global computer hacking campaign to steal intellectual property and confidential business information related to various research areas, including chemicals and infectious diseases. The indictment, announced by the US Department of Justice (DOJ) on 19 July and unsealed just days before, accuses the defendants of being part of a plot to break into the computer systems of dozens of companies, universities and government agencies worldwide between 2011 and 2018.
The four suspects belong to a Chinese state-sponsored hacking group known as APT40, and they created a front company in China to pull off their plan, according to the DOJ. Their goal was to install malware and hacking tools on protected computers all over the world so that they could steal valuable information from foreign governments, universities and companies for use by the Chinese government, including its state-sponsored and private biopharmaceutical companies, the agency says.
Organisations in a dozen countries – including the US, UK, Canada, Germany and Saudi Arabia – were targeted, initially through spear phishing emails. The stolen trade secrets and confidential information included approximately 900 files of speciality chemical formulas from an unnamed company, which were then copied to a Dropbox account and password protected. At research institutes and universities, the campaign targeted infectious disease research related to Ebola, Mers, HIV/Aids, Marburg and tularemia.
Information about proprietary genetic-sequencing tools and sensitive technologies used for submersibles and autonomous vehicles was also among the materials that the cyberattack campaign lifted from unsuspecting governments, academia and industry.
Victims of the cybertheft operation included the National Institutes of Health, which is the US’s principal biomedical research agency, as well as research facilities in Florida and California involved in viral therapies and vaccines R&D, several US universities with applied physics laboratories or maritime research programmes, and a Swiss chemicals company whose products include maritime paints.
The four Chinese defendants face up to 20 years in prison. They are each charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit economic espionage, for which the maximum sentence is 15 years' imprisonment.
‘The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defence, remind us that no country or industry is safe,’ said US deputy attorney general Lisa Monaco. ‘Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft.’
Researchers at US institutions with ties to China are increasingly being targeted, not only by the DOJ but also by the State Department. The head of Harvard University’s chemistry department, Charles Lieber, was arrested last year over apparent undisclosed affiliations with Wuhan University of Technology in China and the Chinese government. In March, dozens of prominent researchers – including many Nobel prize winners – came to Charles Lieber’s defence in an open letter. They called the DOJ case against him ‘unjust’ and urged the agency to drop it.