Chinese hackers counted on no one clicking ‘update’ in decade-long spree

Uh, maybe stop asking your computer to remind you tomorrow. 

The Department of Justice unsealed an indictment Tuesday alleging two hackers worked in collaboration with the Chinese Ministry of State Security to steal everything from video game source code to weapons designs from hundreds of companies around the globe. And, if the indictment is to be believed, the hackers were able to do much of this by exploiting people’s natural laziness about updating their software. 

Notably, the indictment claims, the two hackers — Li Xiaoyu, 34, and Dong Jiazhi, 33 — had a decade-long spree that succeeded, in large part, because people and companies often don’t immediately download and install software patches as soon as they become available. 

“[To] gain initial access to victim networks, the defendants primarily exploited publicly known software vulnerabilities in popular web server software, web application development suites, and software collaboration programs,” reads a . “In some cases, those vulnerabilities were newly announced, meaning that many users would not have installed patches to correct the  vulnerability.”

The two stand accused of mixing profit-driven exploits in with more traditional state-sponsored hacks. In addition to supposedly attempting to extort at least one company for around $15,000 worth of cryptocurrency, they allegedly stole personally identifiable information (PII) from educational companies as well as info on military communications systems and counter-chemical weapons technology. They also, the indictment alleges, helped the Ministry of State Security break into email accounts belonging to peaceful dissidents, human rights groups, religious figures, and a former Tiananmen Square protester. 

Oh yeah, and the press release notes the two also “probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments.”

SEE ALSO: Why you should absolutely worry about the anti-privacy EARN IT Act

The trade secrets supposedly stolen by Xiaoyu and Jiazhi, former college classmates, are said to be worth hundreds of millions of dollars. The two are charged with conspiracy to commit computer fraud, conspiracy to commit theft of trade secrets, conspiracy to commit wire fraud, unauthorized access of a computer, and seven counts of aggravated identity theft. 

While it’s unlikely the two will ever face jail time in the U.S., maybe now you’ll actually update your software the next time your computer prompts you.