A grand jury in the US has indicted two alleged Chinese hackers for a decade-long career of cyber espionage and intellectual property theft targeting organisations in 10 countries including an Australian defense contractor.

Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志) were indicted this month on 11 counts relating to computer hacking, theft of trade secrets, wire fraud, and identity theft.

Of the 26 companies allegedly hit by the pair of hackers, two were based in Australia.

One was a defense contractor which had 320GB of data stolen including product source code, “engineering schematics, and technical manuals”.

The other was an Australian solar energy firm whose network was allegedly compromised by Li and Dong.

In an announcement on Tuesday night, US assistant attorney general, John Demers said Ji and Dong worked with the Chinese Ministry of State Security on a “sweeping global computer intrusion campaign” as part of plans to “rob, replicate, and replace non-Chinese companies in the global marketplace”.

“As the indictment shows, the hackers targeted technology companies in countries with high technology industries, including in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, the United Kingdom, and the United States,” Demers said.

“These intrusions are yet another example of China’s brazen willingness to engage in theft through computer intrusions contrary to their international commitments.

“China’s anti-competitive behavior and flagrant disregard for their promises not to engage in cyber-enabled intellectual property theft is not just a domestic issue; it is a global issue.”

Australia’s official response was markedly less heated.

Four government agencies – the Australian Signals Directorate, Australian Cyber Security Centre, Department of Foreign Affairs and Trade, and Department of Home Affairs – published a joint statement about the US allegations.

There was no mention of China. Instead, the government “[expressed] its concern over reports of global malicious cyber intrusions” detailed in the US indictments.

“Australia reiterates our call to all countries to refrain from behaviour which violates their international commitments,” the statement said.

“We welcome actions designed to hold malicious cyber actors to account.”

An industry panel advising Australia’s 2020 Cyber Security Strategy has recommended the government adopt a “more forward leaning posture” when it comes to attributing state-based cyber attacks.

Political dissidents, COVID-19 research targeted

Aside from trade and technological espionage, the pair of hackers allegedly assisted the China’s Ministry of State Security with information on political dissidents.

According to the indictment documents, Li and Dong provided online credentials belonging to a Hong Kong organiser, the pastor of a Christian church, and a former Tiananmen Square protestor.

On one occasion, an officer from the Ministry allegedly helped Li by providing a malware targeting a zero-day browser vulnerability to compromise “the mail server of a Burmese human rights group”.

The US indictments against Li and Dong also included allegations that the pair targeted organisations researching COVID-19.

This is the second public accusation about cyber attacks on COVID-19 research facilities in the past week after the US, UK, and Canada publicly denounced Russia for attempting to steal information about vaccine development.

Assistant attorney general Demers was scathing of the Chinese government’s involvement with freelance hackers like Li and Dong.

“China has now taken its place, alongside Russia, Iran, and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state,” he said.

This isn’t the first time US authorities have indicted Chinese hackers.

In February this year, four individuals were charged for breaching US credit agency Equifax.

That followed the 2018 indictments of two members believed to be part of advanced persistent threat (APT) group APT10.

Analyst with cybersecurity firm Mandiant Threat Intelligence, Ben Read, said it is common for the Chinese state to use contractors for offensive cyber activities.

“Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations,”

“The pattern described in the indictment where the contractors conducted some operations on behalf of their government sponsors, while others were for their own profit, is consistent with what we have seen from other China-nexus groups such as APT41.”