William D. Hyslop
United States Attorney
Eastern District of Washington
James A. Goeke
Assistant United States Attorney
Eastern District of Washington
Scott K. McCulloch
Department of Justice Trial Attorney
National Security Division
Post Office Box 1494
Spokane, Washington 99210-1494
Telephone: (509) 353-2767

ECF No. 1 filed 07/07/20 PageID.1 Page 1 of 27

FILED IN THE U.S. DISTRICT COURT
EASTERN DISTRICT OF WASHINGTON
Jul 07, 2020
SEAN F. MCAVOY, CLERK

UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF WASHINGTON

UNITED STATES OF AMERICA, Plaintiff, v. LI XIAOYU (a/k/a "Oroley") and DONG JIAZHI, Defendants.

INDICTMENT

Vio.:
18 U.S.C. 371, 1030(a)(2)(B), Conspiracy to Access Without Authorization and Damage Computers (Count 1)
18 U.S.C. 1832(a)(5) Conspiracy to Commit Theft of Trade Secrets (Count 2)
18 U.S.C. 1030(a)(2)(B), Unauthorized Access to Computers (Count 3)
18 U.S.C. 1349, 1343, Conspiracy to Commit Wire Fraud (Count 4)
18 U.S.C. 1028A, 2 Aggravated Identity Theft (Counts 5-11)
Criminal Forfeiture Allegations 18 U.S.C. 1030(i)(1)

The Grand Jury charges:

At all times relevant to this Indictment, unless otherwise stated:

INTRODUCTION

1. Beginning no later than September 2009 and continuing until at least the date of this Indictment, together, Defendants LI XIAOYU (a/k/a "Oroley") (hereinafter and/or and DONG JIAZHI (hereinafter and/or and collectively the "Defendants," each a hacker in the People's Republic of China ("China" or gained unauthorized access to computers around the world and stole terabytes of data.

2. LI and DONG, former classmates at an electrical engineering college in Chengdu, China, used their technical training to hack the computer networks of a wide variety of victims, such as companies engaged in high tech manufacturing; civil, industrial, and medical device engineering; business, educational, and gaming software development; solar energy; and pharmaceuticals.
More recently, they researched vulnerabilities in the networks of biotech and other firms publicly known for work on vaccines, treatments, and testing technology. Their victim companies were located all across the world, including among other places the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

3. The Defendants stole hundreds of millions of dollars' worth of trade secrets, intellectual property, and other valuable business information. At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion, threatening to publish on the internet, and thereby destroy the value of, the victim's intellectual property unless a ransom was paid.

4. LI and DONG did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of State Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, known to the Grand Jury, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD").

5. When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the U.S. and abroad, LI and DONG stole information regarding military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems.

6.
In other instances, the Defendants provided the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents. For example, they provided the MSS with email accounts and passwords belonging to a Hong Kong community organizer, the pastor of a Christian church in Xi'an, and a dissident and former Tiananmen Square protestor. The Defendants also stole email account contents of obvious interest to the PRC Government, such as emails between that same dissident and the office of the Dalai Lama; emails belonging to a Chinese Christian "house" (not PRC Government-approved) pastor in Chengdu, who was later arrested by the PRC government; and emails from a U.S. professor and organizer, and two Canadian residents, who advocated for freedom and democracy in Hong Kong. In some instances the Defendants reacted quickly to the PRC government's perceived desires, targeting the above-mentioned Chengdu house pastor just days after the provincial government banned his church, and conducting reconnaissance on a webmail service and a messaging app when those were used by Hong Kong citizens protesting the PRC government's recent steps to curtail freedoms there.

7. MSS Officer 1 assisted LI and other hackers. For example, when LI encountered difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with malware (a computer program designed to compromise a victim computer system) to exploit a popular internet browser. As LI had requested, MSS Officer 1 provided him "0day" malware, i.e. malware unknown to the software vendor and to security researchers.

8. MSS Officer 1 and other MSS officers known to the Grand Jury purported to be researchers at the "Guangdong Province International Affairs Research Center."
In fact, they were intelligence officers working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, in Guangzhou, at the facility depicted in these images:

[Images of the facility not reproduced.]

9. The Defendants continued for years to target victims in the United States, Asia, Europe, and elsewhere from their PRC Government-provided safe-haven in China, for the benefit of the MSS and for their own personal gain.

COUNT ONE
Conspiracy to Access Without Authorization and Damage Computers, and to Threaten to Impair Confidentiality of Information

10. From at least in or about September 1, 2009, and continuing through on or about July 7, 2020, in the Eastern District of Washington and elsewhere, the Defendants did knowingly conspire and agree with each other, and with others known and unknown to the Grand Jury including officers of the MSS and MSS Officer 1, to commit offenses against the United States, namely:

OBJECTS OF THE CONSPIRACY

11. It was an object of the conspiracy for Defendants LI and DONG, to access computers without authorization, in the Eastern District of Washington and elsewhere, and thereby to obtain information from computers of departments and agencies of the United States and protected computers, for the purpose of commercial advantage and private financial gain, and in furtherance of criminal and tortious acts in violation of the law of the United States, including 18 U.S.C. 641 theft of government property, and 18 U.S.C. and (5), theft of trade secrets, and where the value of the information did, and would if completed, exceed $5,000, in violation of 18 U.S.C.
1030(a)(2)(B).

12. It was a further object of the conspiracy for Defendants LI and DONG, to knowingly cause the transmission of programs, information, codes, and commands, in the Eastern District of Washington and elsewhere, and as a result of such conduct, to cause damage without authorization to computers of departments and agencies of the United States and protected computers, and where the offense did cause and would, if completed, have caused loss aggregating $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, and damage affecting at least 10 protected computers during a one-year period, and, did and would have affected a computer used by or for an entity of the United States Government in furtherance of the administration of national defense and national security, in violation of 18 U.S.C. 1030(a)(5)(A) and 1030(c)(4)(B).

THE DEFENDANTS

13. Defendant LI XIAOYU was a citizen of and resident of China. LI studied Computer Application Technologies at the University of Electronic Science and Technology in Chengdu, China. In the conspiracy, LI primarily compromised victim networks and stole information.

14. Defendant DONG JIAZHI was a citizen of and resident of China. DONG studied Computer Application Technologies at the same time as LI at UEST. DONG primarily researched victims and potential means of exploiting them.

MANNER AND MEANS OF THE CONSPIRACY
TOOLS AND TECHNIQUES OF THE DEFENDANTS

15. The manner and means by which Defendants LI and DONG sought to accomplish the conspiracy included, among other things, the following:

a.
Defendants researched and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.

Defendants then gained unauthorized access to victims possessing the information sought by the conspiracy.

Defendants typically stole the kinds of information with which their victims were most closely associated. That is, they stole source code from software companies; information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors. In some instances the Defendants targeted companies that possessed information belonging to other, partner companies. For example, the Defendants targeted a scientific research and testing company and, from it, stole information belonging to a range of that company's clients, including Victims 10 and 11.

The Defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products. Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. The Defendants exploited vulnerabilities in commonly used web server software, web application development suites, and software collaboration programs. They also targeted insecure default configurations in common applications.

The Defendants used their initial access to place malicious programs known as "web shells" on victim networks without authorization. Web shells are programs that allow the remote execution of commands on a computer.
The Defendants frequently employed variants of the China Chopper web shell. China Chopper is publicly available and commonly employed by hackers working in China. It provides an easy-to-use interface through which the user can control web shells installed on multiple victim computers, as shown in this publicly-available sample image:

[Sample image of the China Chopper interface not reproduced.]

g. Defendants frequently disguised web shells they placed on victim networks by giving the associated files innocuous names. For example, they placed a China Chopper web shell employed against one victim under the name "p.jsp" and hid it at URL "http://[redacted].com/builds/fragments/p.jsp." That, combined with the large number of China Chopper variants available, made the web shells difficult for victims to discover. Defendants also sometimes secured access to their web shells with passwords.

In addition to web shells, Defendants frequently uploaded credential-stealing software programs to victim computer networks and then used and attempted to use the resulting stolen passwords, including passwords belonging to real, authorized network users, to gain further access to victim network.
Once Defendants gained access to and surveilled victim networks, they typically packaged victim data in compressed, Roshal Archive Compressed files.

The Defendants changed file names and extensions on documents and files they stole from victims' computers, to make it more difficult for victims and law enforcement to identify the theft. For example, the Defendants frequently changed file names associated with the RAR files they created to extensions such as ".jpg" to make those files appear to be images.

The Defendants frequently operated within the "recycle bin" on victim networks. The folder where recycle bin files are stored is hidden by default in the Windows operating system, and system administrators can thus be less likely to discover files saved there. Defendants often loaded malicious programs into folders they created within the recycle bin, saved RAR files they created there, and stole such files, and the data contained therein, from victim computers' recycle bins.

After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit or provided it to the MSS, including MSS Officer 1.

The Defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data. In some cases the Defendants returned years after a successful data theft.

INTRUSIONS

16. During the approximate time periods identified, and from the victims whose identities are known to the Grand Jury, the defendants stole the approximate quantity and type of data as described in the table below:

U.S. VICTIMS

| Victim | Approx. Time Frame of Activity | Approx. Quantity of Data Stolen | Nature of Data Stolen (Not Inclusive) |
|---|---|---|---|
| Victim 1: California technology and defense firm | Dec. 2014 | 200 GB | Radio, laser, and antennae technology; circuit board and related algorithms; [illegible] advanced antennae, testing mechanisms and results. |
| Victim 2: Maryland technology and manufacturing firm | Jan. 2015-Apr. 2015 | 64 GB | Testing mechanisms and results, product composition, and manufacturing processes related to high-tech materials and composites, which would reveal to competitors what products the Victim was working on and allow competitors to save on research and development costs. Information related to supply chains for raw materials, such as a global shortage of a key component. |
| Victim 3: Hanford Site, Department of Energy in the Eastern District of Washington ("Hanford") | Mar. 2015 | <1 GB | Reconnaissance information about Hanford's network and its personnel, such as lists of authorized user and administrator accounts. |
| Victim 4: Texas engineering and technology firm | Apr. 2015-June 201[illegible] | 27 GB | Business proposals and other documents concerning space and satellite applications. |
| Victim 5: Virginia federal and defense contractor | Sept. 2015-Feb. 2016 | 140 GB | Presentations, project files, drawings, and other documents relating to projects for the U.S. Air Force and Federal Bureau of Investigation; PII belonging to more than 300 Victim 5 employees and contractors. |
| Victim 6: Massachusetts software firm | Mar. 2017 | 76 GB | Proprietary and sensitive data including software source code. |
| Victim 7: California software gaming company and subsidiary of a Japanese company | Mar. 2018 | 22 GB | Source code for two Victim 7's games, one of which had not yet been released to the public. |
| Victim 8: Mechanical engineering company operating in the U.S. and Japan | Apr. 2018-May 2018; Mar. 2020 | 1.2 TB | Proprietary and sensitive data held in the U.S. and Japan, including component engineering drawings and specifications for high-efficiency gas turbines. |
| Victim 9: U.S. educational software company | Nov. 2018-Feb. 2019 | 10 GB | Proprietary and sensitive data, including, among other things, millions of students and teachers' PII. |
| Victim 10: Massachusetts pharmaceutical company | Feb. 2019-Mar. 2019 | 2 GB | Chemical structure of anti-infective agents, the chemical engineering processes needed to create those agents, and test results from Victim 10's research, all of which would enable a competitor to focus research on areas of higher potential investment return without making the same research and development expenditures as the victim. |
| Victim 11: California pharmaceutical company | Feb. 2019-Mar. 2019 | 105 GB | Chemical structure and design of a treatment for a common chronic disease, and testing, toxicity, and dosing research related to that treatment, all of which would allow a competitor to leverage the victim's research and development expenditures. |
| Victim 12: Massachusetts medical device engineering company | Feb. 2019-Mar. 2019; Jan. 2020 | 83 GB | Source code for Victim 12's medical devices, and algorithms essential to the operation of those devices. At or about this time, the Victim had partnered with a Chinese firm to produce various components for similar devices, taking care not to permit access to the victim's source code or algorithms. |
| Victim 13: U.S. subsidiary of a Japanese medical device and supplies company | Mar. 2019-Apr. 2019 | 128 GB | Proprietary and sensitive data including designs, testing data, and manufacturing plans for internal medical devices, as well as designs for machinery needed to fabricate those devices. |

17. The Defendants targeted victims around the world. They tended to target companies in countries with successful technology industries. As when targeting U.S. victims, the Defendants stole data associated with the knowledge areas for which those overseas victims were best known. The Defendants' overseas victims included, among others:

OVERSEAS VICTIMS

| Victim | Approx. Time Frame of Activity | Defendant Conduct |
|---|---|---|
| Victim 14: Large electronics firm in the Netherlands | Feb. 2016 | Compromised Victim 14's computer network. |
| Victim 15: Swedish online gaming company | Mar. 2017 | Stole approximately 169 gigabytes of data concerning, among other things, development build code for Victim 15's products; developer keys and certificates; usernames and passwords; and code associated with in-game upgrades. |
| Victim 16: Lithuanian gaming company | Apr. 2017 | Stole approximately 38 gigabytes of data concerning, among other things, programming data, Java files, and encoding files. |
| Victim 17: German construction software company | May 2017 | Stole approximately 1 GB of, among other things, source code for Victim 17's products. |
| Victim 18: German software engineering firm | Apr. 2017 | Stole approximately 2 gigabytes of data from company that creates products designed to manage, among other things, wireless networks and Internet of Things platforms. |
| Victim 19: Belgian engineering software company | Mar. 2018-Apr. 2018 | Stole approximately 142 gigabytes of documents including, among other things, source code for Victim 19's products, imaging tools, and algorithms, associated with computational fluid dynamics. |
| Victim 20: Civil and transportation engineering firm in the Netherlands | Feb. 2019-July 2019 | Compromised Victim 20's computer network. |
| Victim 21: Australian defense contractor | Apr. 2019-June 2019 | Stole approximately 320 gigabytes of documents including, among other things, source code for Victim 21's products; engineering schematics; and technical manuals. |
| Victim 22: South Korean shipbuilding and engineering firm | June 2019-July 2019 | Stole approximately 842 megabytes of documents concerning, among other things, software and smart factory development. |
| Victim 23: Australian solar energy engineering concern | Jan. 2020 | Compromised Victim 23's network and conducted additional network reconnaissance. |
| Victim 24: Spanish electronics and defense firm | Mar. 2020 | Stole approximately 900 GB of documents from a company that engineers technology solutions in civilian and defense sectors. |
| Victim 25: U.K. artificial intelligence and cancer research firm | Apr. 2020 | Compromised the network of Victim 25. |

18. These numbered victims represent only a small percentage of the Defendants' offense conduct. The Defendants and their co-conspirators compromised hundreds of victims.

OVERT ACTS

19. In furtherance of the conspiracy, and to affect its unlawful objects, LI and DONG committed and caused to be committed the following overt acts, among others, in the Eastern District of Washington and elsewhere.

20. On or about December 3, 2014, LI conducted reconnaissance on a U.S. Navy contracting portal containing information about companies including Victim 5.

21. On or about December 26 and 30, 2014, DONG conducted reconnaissance on Victim 5 by a variety of means, including viewing data about the company that was available on the website of a consulting firm.

22. On or about December 4, 2015 LI accessed a China Chopper web shell program on Victim 5's network at

23. On or about December 4, 2015, LI used a Victim 5's employee's credentials without authorization and obtained information that the employee was authorized to access.

24. On or about August 10, 2019, LI attempted but failed to again access Victim 5's network, using the usernames and passwords of three company personnel.

25. In or about December 2014, LI compressed Victim 1's files into RAR files, divided those RAR files into smaller sub-files, and then removed the RAR files.

26. On or about December 29, 2014, DONG accessed Victim 1's stolen RAR files.

27.
On or about January 16, 2015, LI conducted reconnaissance on Victim 2's network, including scanning IP addresses associated with the network, attempting to access network administrator tools, and browsing subdomains.

28. During the Victim 2 intrusion, LI saved a Javascript, password-protected web shell to Victim 2's network under filename chengshu_jsp.java.

29. On or about April 25, 2015, LI transferred files stolen from Victim 2's network to China.

30. On or about August 5, 2019, LI attempted unsuccessfully to regain unauthorized access to Victim 2's network.

31. In or around March 2015, LI accessed a web shell program named "lm.aspx" on the Hanford computer network.

32. LI also hid another web shell from Hanford's network defenders, naming the other and password protecting it.

Case 4:20-cr-06019-SM- ECF No. 1 filed 07/07/20 PageID.18 Page 18 of 27

33. On or about March 16, 2015, LI used a web shell to execute command "whoami" (to list the username of the account that he was using to run commands) on Hanford's network.

34. That same day, LI used a web shell to execute command "net localgroup administrators" on Hanford's network, to print the list of user accounts possessing administrator-level privileges.

35. On or about November 15, 2018, LI attempted to exploit an Adobe ColdFusion vulnerability that had been publicly identified and patched in September 2018 (CVE-2018-15961) by navigating to the file manager on Hanford's network associated with text editing program CKEditor, at

36. The Defendants failed to access this CKEditor file manager. But Hanford was not the only entity Defendants sought to exploit using CVE-2018-15961.

a. On or about October 20, 2018, LI navigated to the network of another victim, a U.S. government biomedical research agency in Maryland.

b. There, too, LI navigated to the file manager at [redacted]ckeditor/. LI successfully accessed the file manager.

c.
Then, he used that access to upload a ColdFusion web shell program named "cfm backdoor by ufo" to the ckeditor file manager.

d. One minute later, he used that ColdFusion web shell to upload another, China Chopper web shell to the victim's network.

37. In or around April 2015, DONG conducted reconnaissance on U.S. engineering and technology companies, including Victim 4.

38. In the course of that reconnaissance, DONG employed a third-party network research tool to analyze Victim 4's computer network.

39. On or about June 15 and 16, 2016, LI compressed and Victim 4's documents into RAR files falsely labeled with ".jpg" file extensions to mimic image files.

40. On or about February 29, 2016, LI accessed a web shell on Victim 14's network at scripts/error.cfm.

41. On or about March 16, 2017, LI used a China Chopper web shell to change the last-modified time of Victim 15's files (a technique known as "timestomping").

42. On or about April 21, 2017, LI compromised Victim 18's network by exploiting a vulnerability in web application development software running on Victim 18's server.

43. On or about April 29, 2017, LI compressed a Victim 16's network directory into a "tarball," a compressed file format in the Linux operating system.

44. On or about May 22, 2017, LI downloaded a RAR file from Victim 17's network, and transferred it to China.

45. LI emailed several Victim 6's personnel on or about December 6, 2017, with the subject line "Source Code To Be Leaked!"

a. LI emailed them using a compromised mail server and an email account hosted on the network of another company.

b. In his email, LI demanded Victim 6 pay $15,000 in

c. In that same email, LI threatened to "publish all [Victim 6's] source code" to the internet unless he was paid.

d. LI also attached a file containing a folder named "demo pro source code" to his email, containing source code stolen from Victim 6 in or around March 2017.
46. On or about March 8, 2018, LI downloaded three RAR files with ".jpg" file extensions from Victim 7's network.

47. On or about March 21, 2018, LI accessed a China Chopper web shell he had placed on the network of Victim 19, at

48. On or about April 30, 2018, LI used stolen, valid credentials to access Victim 8's mail server in Tokyo, Japan.

49. On or about March 10, 2020, LI used stolen, valid system account credentials to access Victim 8's webmail server.

50. On or about December 1, 2018, LI transferred 649 megabytes of data stolen from Victim 9 to China.

51. On or about December 2, 2018, LI transferred 9.5 gigabytes of data stolen from Victim 9 to China.

52. On or about February 27, 2019, LI accessed Victim 12's network via a China Chopper web shell at URL

53. On or about the same day, LI accessed Victim 12's web server using stolen, valid credentials.

54. On or about May 11, 2020, LI navigated to the same URL at which he had placed the web shell on Victim 12's network, but the web shell was no longer present.

55. On or about March 17, 2019, LI logged in to a Chinese, invitation-only criminal hacking forum.

56. On or about February 7, 2019, LI accessed a China Chopper web shell he had placed on the network of Victim 20, at /i.jsp.

57. On or about March 21, 2019, LI used the valid credentials of a Victim 13 network user to create a subfolder within Victim 13's network recycle bin, and then created RAR files containing Victim 13's data in the recycle bin.

58. On or about April 18, 2019, LI accessed a China Chopper web shell on Victim 21's network at i.jsp.

59. On or about June 26, 2019, LI timestomped Victim 22's files to disguise his actions on Victim 22's network.

60. On or about January 25 and 27, 2020, LI searched for vulnerabilities at a Maryland biotech firm.
That firm had announced less than a week earlier that it was researching a potential vaccine.

61. On or about January 27, 2020, LI conducted reconnaissance on the computer network of a Massachusetts biotech firm publicly known to be researching a potential vaccine.

62. On or about January 28, 2020, LI accessed Victim 23's network via a China Chopper web shell.

63. LI then executed commands on Victim 23's network that enabled him to view reconnaissance information such as directory contents and user privileges.

64. On or about February 1, 2020, LI searched for vulnerabilities in the network of a California biotech firm that had announced one day earlier that it was researching antiviral drugs to treat COVID-19.

65. On or about March 17, 2020, LI accessed Victim 24's network and browsed 40 RAR files, named with ".jpg" image-file extensions, in folder

66. On or about April 1, 2020, LI accessed a China Chopper web shell on Victim 25's network at

67. On or about May 12, 2020, LI searched for vulnerabilities in the network of a California diagnostics company that is publicly known to be involved in the development of testing kits.

68. On or about June 13, 2020, LI conducted reconnaissance on the network of a Virginia defense and cybersecurity contractor.

69. On or about June 13, 2020, LI conducted reconnaissance on Hong Kong protestor communication methods.

70. On or about June 13, 2020, LI conducted reconnaissance on the network of Hong Kong webmail provider Netvigator.

71. On or about June 13, 2020, LI conducted reconnaissance on a U.K. messaging application frequently used by Hong Kong protestors.

72. On or about June 13, 2020, LI conducted reconnaissance on the network of a Massachusetts biotech firm focused on cancer treatment.

73. On or about June 13, 2020, LI searched for vulnerabilities in the network of a California space flight and aerospace engineering firm.
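The file-handling conduct alleged in paragraphs 15, 39, 46, 57 and 65 (RAR archives renamed with ".jpg" extensions, and folders created inside the recycle bin) can be looked for on a file system by comparing a file's leading bytes with the extension it claims. The Python below is an added example, not part of the indictment or of any tool it names; the function names, the extension list and the sample tree are assumptions constructed for illustration, and the recycle-bin check assumes the Windows Vista-and-later layout in which deleted items are stored as $I and $R entries under a per-user SID folder.

```python
"""Flag archives disguised as images and unexpected folders in the recycle bin."""
import os
import tempfile

# Leading-byte signatures of common archive formats.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"\x1f\x8b": "gzip",            # e.g. a compressed tarball
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}  # assumed list


def sniff_archive(path):
    """Return the archive type named by the file's first bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None  # unreadable file: nothing to report from content
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def classify(rel_path, kind):
    """Return the reasons a file is suspicious (empty list if none)."""
    parts = rel_path.split("/")
    lowered = [p.lower() for p in parts]
    reasons = []
    ext = os.path.splitext(parts[-1])[1].lower()
    if kind and ext in IMAGE_EXTS:
        reasons.append("archive-as-image:" + kind)
    # $Recycle.Bin/<SID>/<entry>: Windows itself only creates $I*, $R*
    # and desktop.ini there, so any other entry was put there by hand.
    if "$recycle.bin" in lowered[:-1]:
        idx = lowered.index("$recycle.bin")
        if len(parts) > idx + 2:
            entry = parts[idx + 2]
            expected = (entry.upper().startswith(("$R", "$I"))
                        or entry.lower() == "desktop.ini")
            if not expected:
                reasons.append("unexpected-recycle-entry:" + entry)
    return reasons


def scan(root):
    """Walk root and return sorted (relative path, reasons) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = classify(rel, sniff_archive(full))
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample tree (not data from any real system)."""
    filler = b"\x00" * 32
    samples = {
        "web/images/logo.jpg": b"\xff\xd8\xff\xe0" + filler,   # real JPEG header
        "backup/site.rar": b"Rar!\x1a\x07\x00" + filler,       # honest extension
        "exports/photo.png": b"Rar!\x1a\x07\x01\x00" + filler,  # RAR5 as image
        "$Recycle.Bin/S-1-5-21-1000/$RABC123.txt": b"deleted note",
        "$Recycle.Bin/S-1-5-21-1000/cache/1.jpg": b"Rar!\x1a\x07\x00" + filler,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ", ".join(reasons))
```

A content signature survives renaming, which is why the check reads bytes rather than trusting names; it does not help against timestomping (paragraphs 41 and 59), which changes timestamps, not content.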
All in violation of Title 18, United States Code, Section 371.

COUNT TWO
Conspiracy to Commit Theft of Trade Secrets

74. The allegations contained in paragraphs 1 through 9 and 13 through 73 are realleged and incorporated as if set forth herein.

75. From at least on or about September 1, 2009, until on or about July 7, 2020, Defendants LI and DONG, intending to convert trade secrets to the economic benefit of someone other than their owners, and intending and knowing that the offense would injure such owners, conspired with each other and with others known and unknown to the Grand Jury to:

a. Knowingly and without authorization steal, appropriate, take, and by fraud, artifice, and deception obtain trade secrets that were related to a product or service used in and intended to be used in interstate and foreign commerce;

b. Knowingly and without authorization copy, duplicate, alter, replicate, transmit, deliver, send, communicate, and convey trade secrets that were related to a product or service used in and intended to be used in interstate and foreign commerce; and

c. Knowingly receive, buy, and possess trade secrets that were related to a product or service used in and intended to be used in interstate and foreign commerce, knowing the same to have been stolen, appropriated, obtained, and converted without authorization.

76. LI and DONG conspired to steal trade secret information from Victim 1, Victim 2, Victim 6, Victim 7, Victim 10, Victim 11, Victim 12, and Victim 13. Each of the victims took reasonable measures to keep this information secret, and such information derived independent economic value from not being generally known, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.

77.
In furtherance of the conspiracy, and to effect the purpose and objects thereof, Defendants LI and DONG, and others, committed various overt acts in the Eastern District of Washington and elsewhere, including, but not limited to, the overt acts identified in paragraphs 25 through 30, 45 through 46, 52 through 54, and 57, in violation of 18 U.S.C. all in violation of 18 U.S.C. 1832(a)(5).

COUNT THREE
Computer Fraud and Abuse: Unauthorized Access

78. The allegations contained in paragraphs 1 through 9 and 13 through 73 are realleged and incorporated as if set forth herein.

79. In or about November 2018, in the Eastern District of Washington and elsewhere, Defendants LI and DONG, aided and abetted by each other and others known and unknown to the Grand Jury, attempted to access and accessed computers of the United States, specifically the Department of Energy, and protected computers, in the Eastern District of Washington, without authorization to obtain information, in furtherance of violations of the United States, including, inter alia, 18 U.S.C. 641, all in violation of 18 U.S.C. 1030(a)(2)(B), and

COUNT FOUR
Conspiracy to Commit Wire Fraud

80. The allegations contained in paragraphs 1 through 9 and 13 through 73 are realleged and incorporated as if set forth herein.

81.
From at least on or about September 1, 2009, until on or about July 7, 2020, in the Eastern District of Washington and elsewhere, the Defendants, LI and DONG, did knowingly and intentionally conspire with each other and others known and unknown to the Grand Jury, including officers of the MSS including MSS Officer 1, to devise a scheme and artifice to defraud and to obtain property from the United States and others, by means of materially false and fraudulent pretenses, representations and promises -- including among others the presentation of false identification to gain unauthorized access to computers -- and did knowingly transmit and cause to be transmitted by means of wire communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds, namely malicious code, for the purpose of executing and attempting to execute such scheme and artifice, in violation of 18 U.S.C. 1343, all in violation of 18 U.S.C. 1349.

COUNTS FIVE through ELEVEN
Aggravated Identity Theft

82. The allegations contained in paragraphs 1 through 73 and 78 through 81 are realleged and incorporated as if set forth herein.

83. On or about the dates set forth below, in the Eastern District of Washington and elsewhere, the Defendants, LI and DONG, aided and abetted by each other and by others known and unknown to the Grand Jury, during and in relation to the crime of Unauthorized Access to Computers, in violation of 18 U.S.C. 1030(a)(2)(B), and the crime of Conspiracy to Commit Wire Fraud, in violation of 18 U.S.C. 1343 and 1349, did knowingly transfer, possess, and use, without lawful authority, the means of identification of another person:

COUNT | ON OR ABOUT | IDENTIFICATION OF ANOTHER PERSON
Five | December 4, 2015 | LI accessed the network of Victim 5 using username and that real user's password.
Six | March 16, 2017 | LI accessed the network of Victim 6 with username and that real user's password.
Seven | March 26, 2017 | LI accessed the network of Victim 6 with username and that real user's password.
Eight | February 26, 2019 | LI stole and possessed two usernames and associated passwords associated with real users from Victim 12.
Nine | March 21, 2019 | LI stole and possessed four usernames and associated passwords associated with real users from Victim 13.
Ten | March 21, 2019 | LI accessed the network of Victim 13 with username and that real user's password.
Eleven | August 10, 2019 | LI attempted to access the network of Victim 5 using three Victim 5 usernames and associated passwords all associated with real users.

All in violation of 18 U.S.C. 1028A and 2.

CRIMINAL FORFEITURE ALLEGATIONS

84. As a result of committing one or more of the offenses alleged in Counts One through Eleven of this Indictment, Defendants LI and DONG, shall forfeit to the United States, pursuant to 18 U.S.C. 982(a)(2)(B) and 103 the Defendants' interests in any personal property that was used or intended to be used to commit or facilitate the commission of such offenses, and any property constituting, or derived from, proceeds obtained directly or indirectly as a result of one or both of the said offenses, including but not limited to the sum of money representing the amount of proceeds obtained as a result of one or both of the said offenses.

85. If any one of the above-described forfeitable property, as a result of any act or omission of the Defendants:

a. cannot be located upon the exercise of due diligence;

b. has been transferred or sold to, or deposited with, a third person;

c. has been placed beyond the jurisdiction of the Court;

d. has been substantially diminished in value; or

e. has been commingled with other property which cannot be subdivided without difficulty;

it is the intent of the United States, pursuant to 18 U.S.C.
982(b)(1) and 21 U.S.C. 853(p), to seek forfeiture of any other property of said defendants up to the value of the above forfeitable property.

DATED this lday of July, 2020.

A TRUE BILL

William D. Hyslop
United States Attorney

James A. Goeke
Assistant United States Attorney

Scott K. McCulloch
Department of Justice Trial Attorney
National Security Division