Today, in federal court in Spokane, Washington, the US Government unsealed an indictment against two Chinese nationals on numerous charges related to hacking, including unauthorized access to computer systems, wire fraud, identity theft, and theft of trade secrets.
This ongoing campaign against targets in the US and the European Union started back in 2009. Yes, you read that right: eleven years ago, and it continues today. Previously known in the infosec community only as "dark shadow," the two now have real names: Li Xiaoyu (aka Oro0lxy) and Dong Jiazhi.
With the apparent blessing, support and guidance of the People's Republic of China's Ministry of State Security (MSS), they broke into hundreds of organizations across the US and Europe. Some firms were targeted only for the PII they held, which was then used to go after the real target.
How did they gain access to the targets so easily? By exploiting publicly known vulnerabilities that the targets had not yet patched, and by finding systems still running default configurations (default credentials such as admin/admin, for example).
The indictment details a subset of the known successful intrusions, including one at the Hanford Nuclear Site. The US Government states that there were hundreds of attacks over the course of the past eleven years and that the activity continues today.
Of course, as Chinese nationals, the two are unlikely ever to appear in a US court to face these charges, but the indictment does show the US Government's willingness to state publicly that these attacks are ongoing, that they form a criminal pattern, and that they are backed by the Chinese government itself. Much like the 2018 indictments of Iranian nationals, it puts their government on notice.
The biggest takeaway is that basic security hygiene was not enforced at the firms attacked, which include DoD contractors, a government-run nuclear site, gaming companies, pharmaceutical firms and others. Li and Dong, the two now-indicted individuals, got in through publicly known vulnerabilities that had simply not been patched. In addition, the victims clearly had no effective threat prevention, threat monitoring, or even basic MDR services such as log and system monitoring, which could have flagged the intrusions early, before large amounts of data were exfiltrated. Two checks that belong on any such monitoring list: successful logins with factory-default or shared accounts, and outbound transfer volumes far outside a host's normal profile.
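To make the "basic monitoring of logs" point concrete, here is an added example (not code from the original post, the indictment, or any victim) of the kind of minimal review that would have surfaced the two weaknesses discussed above: a login with a default account, followed by a large outbound transfer to the same address. The log lines, the default-account list, the syslog-like and flow-record formats, and the 1 GB threshold are all constructed assumptions for the example.

```python
"""Minimal log review: default-account logins and large outbound transfers.

Added illustration, not from the original post. All log data below is
constructed; the formats and thresholds are assumptions for the example.
"""
import re
from collections import defaultdict

# Accounts commonly shipped as factory defaults (hypothetical list for the example).
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test"}

# Constructed sshd/sudo lines in a syslog-like layout: "<time> <host> <process>: <message>".
AUTH_LOG = """\
2020-03-01T02:14:07Z web01 sshd[1201]: Accepted password for admin from 203.0.113.45 port 51022
2020-03-01T02:14:09Z web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/tar -czf /tmp/data.tgz /srv/docs
2020-03-01T09:30:11Z web01 sshd[1344]: Accepted publickey for jsmith from 198.51.100.7 port 40011
2020-03-01T11:02:55Z db01 sshd[2110]: Failed password for root from 203.0.113.45 port 51500
"""

# Constructed outbound flow records: "<time> <host> <destination> <bytes_out>".
FLOW_LOG = """\
2020-03-01T02:20:00Z web01 203.0.113.45 4500000000
2020-03-01T03:00:00Z web01 198.51.100.7 12000
2020-03-01T04:00:00Z db01 203.0.113.45 800000000
"""

ACCEPTED_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

# Assumed threshold: one gigabyte leaving a single host for a single destination.
ONE_GB = 1_000_000_000


def default_account_logins(log):
    """Return successful sshd logins whose username is a known default account."""
    hits = []
    for line in log.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group(4) in DEFAULT_ACCOUNTS:
            hits.append({"time": m.group(1), "host": m.group(2),
                         "user": m.group(4), "src": m.group(5)})
    return hits


def large_outbound_transfers(log, threshold_bytes=ONE_GB):
    """Sum bytes per (host, destination) and return pairs above the threshold."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m:
            totals[(m.group(2), m.group(3))] += int(m.group(4))
    return [{"host": h, "dst": d, "bytes": b}
            for (h, d), b in sorted(totals.items()) if b > threshold_bytes]


def correlate(auth_log, flow_log, threshold_bytes=ONE_GB):
    """Flag large transfers whose destination also logged in with a default account.

    Either signal alone deserves a look; together they are the exfiltration
    pattern the post describes, and would have been visible immediately.
    """
    login_srcs = {(h["host"], h["src"]) for h in default_account_logins(auth_log)}
    return [t for t in large_outbound_transfers(flow_log, threshold_bytes)
            if (t["host"], t["dst"]) in login_srcs]


if __name__ == "__main__":
    for hit in default_account_logins(AUTH_LOG):
        print("default-account login:", hit)
    for xfer in large_outbound_transfers(FLOW_LOG):
        print("large outbound transfer:", xfer)
    for alert in correlate(AUTH_LOG, FLOW_LOG):
        print("ALERT default login + large transfer:", alert)
```

Run it as-is and it flags the admin login from 203.0.113.45, the 4.5 GB transfer from web01 to that same address, and the correlation of the two. The 800 MB transfer from db01 stays under the assumed threshold; in a real deployment the threshold should come from a per-host baseline rather than a constant.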