Our blogs and alerts have reported on the increasing legislative and regulatory requirements to promote the security of the U.S. supply chain, including its cybersecurity. In the public sector, these requirements are being imposed to facilitate defense against activities that threaten the operations of the Government, its contractors and their industrial base supply chains, as well the economic and public safety of us all.
Among recent events justifying the need for increased vigilance in cybersecurity is the indictment of two Chinese nationals for extreme hacking activities. This month a Federal Grand Jury in Spokane, Washington handed down an eleven-count indictment against two Chinese nationals residing in China, LI Xiaoyu and DONG Jiazhi, for allegedly engaging in a hacking campaign carried out over eleven countries, including the United States, Australia, and the United Kingdom. The Department of Justice (DOJ) press release states this cybercrime was first discovered on computers at the Department of Energy’s Hanford Site; Hanford is a known nuclear clean-up site. In addition, the press release states that the hackers recently sought to find vulnerabilities in the computer networks of companies involved with COVID-19 vaccine development, testing, and treatment. Developing a vaccine and ensuring proper medical treatment is available for those at risk is critical to our nation. Efforts to tamper or steal this kind of vital information poses an asymmetrical threat to our national security, as well as public safety and economic prosperity.
Their hacking took place from China. The indictment alleges that over the past ten years, these individuals sought to hack into high technology companies, including those in defense, manufacturing, medical device, pharmaceutical, civil and industrial engineering, software, and solar energy industries. The hackers’ methods included theft of data, including source code, extortion to gain cryptocurrency from the victim, and probing of computer networks for vulnerabilities to gain access to those systems.
According to the DOJ press release “The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks.” These hackers were not ordinary criminals. In addition to seeking personal financial gain from their activities, the indictment says that they hacked for the benefit of Chinese government agencies, including the Guangdong State Security Department of the Ministry of State Security. “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research.”
Wondering how they did it? The press release alleges that the hackers exploited known vulnerabilities, including ones that were recently discovered and therefore would not yet have been patched by the users. This allowed them to steal credentials from users, allowing them to execute remote commands on victims’ computers.
While hackers are presumed innocent until proven guilty, the message here is clear: We all need to use sound cyber hygiene now! That means installing appropriate cyber controls and keeping up with updates. It also means training your personnel to know the risks, what they have to do, and what to do if an actual or suspected cyber incident occurs.
If you are involved in government contracting, you are facing increased requirements for your systems and for those of your supply chain. The Cybersecurity Maturity Model Certification (CMMC) program is kicking off and solicitations have already started to include requirements to ensure that contractors meet cybersecurity requirements. If you have questions about this article, the CMMC, or other government contracting matters, contact the author or your Stinson counsel.