Before an abundance of encrypted messaging apps, “trash” email folders were often used to communicate without leaving a trace.
The tactic, common among al-Qaeda terrorists – and teenagers – involved setting up an email account which two people could access, and write and read deleted messages. The technique caused the downfall of former CIA director General Petraeus, who resigned after he was caught by the FBI talking to his lover through draft emails.
The tactic resurfaced this week when the US government said it had caught two Chinese hackers pillaging the recycling bins of employees at “hundreds” of companies, stealing trade and business secrets worth “hundreds of millions” during a ten-year spree.
The humble icon, which we largely ignore on computer desktops, was used both to hide malicious software that could steal computer files, and to hoover up anything that was deleted. The folder where recycle bin files are stored is hidden by default on Windows machines, “and system administrators can thus be less likely to discover files saved there,” Washington claimed.
The Department of Justice claimed that the hackers were focused on stealing intellectual property for profit when they began their spree back in September 2009.
Cyber attacks allegedly carried out by the pair were carefully carried out to try to hide any chance of their entry into computer networks being detected.
It’s claimed that as well as hiding files inside recycle bins, they also renamed stolen files to make it look as if they were actually just a series of innocent image files being transferred outside of computer networks.
In reality, these were confidential files which could be of great value to the Chinese military.
What we know about the alleged hackers
Li Xiaoyu and Dong Jiazhi were friends who met during their computer science course in Chengdu, China.
Their alleged spoils ranged from radio and antennae technology from a California based technology and defence company, to information on supply chains from a manufacturing firm which revealed a global shortage of a key component.
Satellite business proposals, military workers’ personal information and the source code for two games, one of which is yet to be released, from a California game-maker and subsidiary of a Japanese company were also allegedly stolen. The hackers attempted to extort one of their victims by threatening to leak the stolen material online, according to the indictment.
More recently, the suspects are accused of infiltrating pharmaceutical and biotech companies, grabbing years of research and development which would allow a rival under different laws to produce a treatment without any of the initial costs.
Somewhere along the line, it’s believed they became entangled in the Chinese military, handing over email accounts and passwords belonging to a community organiser in Hong Kong, the pastor of a Christian church and a dissident and former Tiananmen Square protestor. Emails from a US professor and organiser, and two Canadian residents, who advocated for freedom and democracy in Hong Kong, were also stolen, according to the indictment.
The attacks weren’t limited to the US, either. The indictment, revealed by the US government on Tuesday, shows that the hackers also broke into computer networks of businesses in the UK, Australia, Germany and Japan, among other countries.
Chester Wisniewski, principal research scientist at Sophos, said the coordinated campaign “reads like a state sponsored attack textbook”, and that “pillaging people’s trash cans and hiding things there is both an evasion and an obfuscation tactic”.
What is unusual, however, is that the suspects appear to be freelance hackers who apparently received numerous state requests, “and probably cannot say no,” Wisniewski says. This blurs the lines of what is a civilian and what is military with regard to the criminal status, and the diplomatic row that will ensue following the charges.
It is unclear why the Department of Justice waited until the pair allegedly started spying on Covid-19 research to blow the cover of the investigation, but it comes just days after Foreign Minister Dominic Raab revealed that vaccine researchers on British soil had been the target of Russian hackers. The British Government has not confirmed if any vaccine data was stolen.
The news will be a wake-up call to employees working remotely and those working within IT departments at companies working with confidential material. The hackers depended on corporations failing to update their software, the US said.
The suspects’ ability to get into the corporate network, and access recycling bins, relied heavily on known software glitches in common corporate software and they would act quickly on vulnerabilities that had just been announced before companies had time to patch their systems.
But sometimes the hackers hit roadblocks, such as when they found they were unable to break into the emails of a Burmese human rights group. They turned to their Government handlers inside China’s Ministry of State Security for help and were given a valuable piece of malware which even advanced security systems couldn’t guard against.
The indictment shows the full range of tools used by the hackers, including the use of services which can scan a target computer system to search for any weak points with outdated software that could be used as an entry point into the organisation.
Experts say the uncovering of the hacking campaign underscores the need for businesses and organisations to make sure their systems are kept up to date.
“Patching now has never been more important,” says Jake Moore, a cyber security specialist at ESET. “Persistent threats are becoming more advanced on a daily basis, and businesses and government agencies are struggling to keep them at bay to a greater extent than we have ever seen before.”
Hackers have recently found it easier than ever to sneak into supposedly secure computer networks because of the rise in the number of people working from home during the pandemic.
This has allowed them to blend in with unusual traffic on networks, and has let them take advantage of flaws in virtual private network software used by employees to log in from home.
Cyber espionage is widely accepted as fair game among cyber security experts, with the understanding that the UK and US gives as much as it gets.
But this apparent surge in activity where individuals – and states – are exploiting the coronavirus pandemic and targeting researchers working tirelessly to help, may spark retaliation.