Cyber Incident Victim: Hanford Site
Date: Mar 2015
Location: United States of America
Summary
Two Chinese nationals linked to China's Ministry of State Security conducted cyber intrusions targeting U.S. entities, including a Department of Energy nuclear waste facility, exploiting software vulnerabilities to deploy malware, steal credentials, and exfiltrate sensitive data. Their activities involved compromising defense contractors to obtain military satellite and communications information, pharmaceutical firms developing COVID-19 vaccines and treatments, and educational software companies, resulting in the theft of trade secrets, intellectual property, drug testing results, and personal student data. The hackers employed techniques such as disguising stolen files within archive formats and hiding malware in system recycle bins to evade detection, with some breaches enabling follow-on access years after initial compromise. The operation was uncovered after a private security firm detected their intrusion at the nuclear facility, prompting FBI investigation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
The Hanford Site breach occurred in March 2015 when Chinese nationals Li Xiaoyu and Dong Jiazhi infiltrated networks at the Department of Energy's nuclear waste complex in Benton County, Washington. This intrusion formed part of a broader cyberespionage campaign dating back to September 2009, during which the hackers targeted hundreds of entities across multiple sectors and nations. A private security firm monitoring Hanford's systems detected the unauthorized access and alerted the FBI, marking the first known instance where authorities identified the hackers' activities. Investigators subsequently uncovered that Li and Dong had compromised defense contractors, pharmaceutical manufacturers, educational software companies, and medical equipment producers across the United States, Australia, Germany, Japan, and South Korea. The attackers exploited publicly disclosed vulnerabilities in web servers and software collaboration programs, frequently leveraging newly announced security flaws before patches could be applied. After initial network access, they deployed malware enabling remote command execution, installed password-stealing tools to expand lateral movement, and concealed exfiltrated data by compressing files into archives with altered extensions. Stolen materials included military satellite program details, drug testing results, proprietary software code, and students' personal information, with prosecutors estimating the theft involved "hundreds of millions of dollars" in trade secrets and intellectual property.
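The description above notes that exfiltrated data was concealed by compressing it into archives whose extensions were altered. A defender's counter to that is a file-type check that trusts the leading bytes rather than the name. The following is an added example written for this page, not code from the incident record or from any of the organizations named; the format signatures are the standard published magic bytes for ZIP, RAR, 7z, gzip, JPEG and PNG, and the sample files (a ZIP renamed `q3_report.jpg`, a RAR header renamed `cache.dat`, a genuine JPEG header, a PPTX) are constructed here for illustration.

```python
"""Flag files whose extension disagrees with the container format their leading
bytes reveal (e.g. a ZIP archive stored as 'photo.jpg'). Constructed example."""
import io
import zipfile
from typing import Optional

# Leading-byte signatures of common archive containers and of the image
# formats an archive is typically disguised as.
SIGNATURES = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "gzip": (b"\x1f\x8b",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Extensions that legitimately carry each format. Office Open XML documents
# are ZIP containers, so .docx/.xlsx/.pptx are accepted to avoid false positives.
ALLOWED_EXTENSIONS = {
    "zip": {"zip", "jar", "docx", "xlsx", "pptx", "apk"},
    "rar": {"rar"},
    "7z": {"7z"},
    "gzip": {"gz", "tgz"},
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
}

# Only these formats indicate staged-for-exfiltration data when mislabelled.
ARCHIVE_FORMATS = {"zip", "rar", "7z", "gzip"}


def detect_format(data: bytes) -> Optional[str]:
    """Return the format name whose signature matches the leading bytes, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def extension_of(name: str) -> str:
    """Lower-case extension without the dot; empty string if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_file(name: str, data: bytes) -> dict:
    """Compare the declared extension with the detected format.

    'mismatch' is any disagreement; 'suspicious' is a mismatch where the real
    content is an archive, which is the pattern described in the incident text.
    """
    fmt = detect_format(data)
    ext = extension_of(name)
    mismatch = fmt is not None and ext not in ALLOWED_EXTENSIONS[fmt]
    return {
        "name": name,
        "declared_ext": ext,
        "detected": fmt,
        "mismatch": mismatch,
        "suspicious": mismatch and fmt in ARCHIVE_FORMATS,
    }


def make_zip(payload: bytes) -> bytes:
    """Build a real in-memory ZIP so the sample has a genuine local-file header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", payload)
    return buf.getvalue()


# Constructed samples: (file name as it appears on disk, first bytes of content).
SAMPLES = [
    ("q3_report.jpg", make_zip(b"quarterly figures")),        # ZIP disguised as image
    ("cache.dat", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),    # RAR v5 header renamed
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),        # genuine JPEG header
    ("deck.pptx", make_zip(b"slides")),                        # legitimate ZIP container
    ("readme.txt", b"plain text, no signature"),              # unknown format, ignored
]


def suspicious_names(samples=SAMPLES) -> list:
    """Names of files whose extension hides an archive container."""
    return [r["name"] for r in (check_file(n, d) for n, d in samples) if r["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(check_file(name, data))
    print("suspicious:", suspicious_names())
```

In practice the same check runs over files written to staging directories, user profile folders and the recycle bin, and over outbound transfer logs where a file name is recorded; the point is that the detection keys on content, so renaming alone does not defeat it.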

The Hanford intrusion proved pivotal in exposing the hackers' decade-long operation, leading to a July 2020 indictment from the Eastern District of Washington. FBI and DOJ investigations revealed the hackers maintained persistent access to victim networks, sometimes returning years after initial breaches to steal additional data. Their activities escalated in early 2020 when they targeted three U.S. biotech firms in Maryland, Massachusetts, and California conducting COVID-19 vaccine research, along with a California-based coronavirus testing kit manufacturer. Prosecutors documented collaboration between the hackers and an officer from China's Ministry of State Security, noting instances where stolen data aligned with Chinese government interests, including military communications systems and credentials of Hong Kong human rights activists. The DOJ characterized the campaign as state-sponsored economic espionage designed to undermine U.S. technological advantages. Impacts included research delays at compromised organizations, as scientists paused work to assess potential data manipulation and strengthen network defenses. U.S. Attorney William Hyslop and FBI Deputy Director David Bowdich publicly attributed the attacks to China during a press conference, while the DHS Cybersecurity and Infrastructure Security Agency issued alerts about ongoing threats to COVID-19 research infrastructure. The case became part of broader U.S. government accusations regarding China's alleged theft of American intellectual property.
