US charges 3 Chinese security firm hackers with corporate cyber espionage

The Department of Justice charged three Chinese nationals working for an internet security firm in China with hacking three companies and stealing hundreds of gigabytes of data and trade secrets from Siemens AG, Moody’s Analytics and GPS maker Trimble between early 2011 and May 2017. Both the malware and the organization to which defendants Wu Yingzhuo, Dong Hao and Xia Lei belonged have previously been linked to the Chinese government.

Soo C. Song, acting U.S. Attorney for Western Pennsylvania, charged the Chinese men with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud, and aggravated identity theft. Yingzhuo, Hao and Lei, according to the Justice Department, worked to steal “hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

The indictment, filed in September, was unsealed on Monday. The federal charges indicate that the trio used spearphishing emails to gain access to the companies’ computers, used malware to infect the networks, and used third-party networks as “hop points” to hide their tracks.

“These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks,” Song said.

FBI Special Agent in Charge Bob Johnson said investigators relied on “missteps” to identify the hackers, but he would not elaborate on those mistakes because it potentially “could jeopardize future investigations.”

While the Justice Department maintains that the Chinese trio worked for the Chinese internet security firm Guangzhou Bo Yu Information Technology Company, according to TribLIVE, Song said, “There does not appear to be a link between the cyber attacks alleged in the most recent indictment and the Chinese government or military.”

It’s interesting that Song claimed there didn’t appear to be a link between the Chinese government or military and the cyber attacks alleged in the indictment — especially since the Justice Department’s press release claims, “The three Chinese hackers work for the purported China-based Internet security firm Guangzhou Bo Yu Information Technology Company Limited (a/k/a ‘Boyusec’).”

Links to Chinese government-sponsored APT3

Boyusec, according to the anonymous group Intrusion Truth, was a front for APT3, aka Gothic Panda, Buckeye, UPS Team and TG-0110. The group traced domain name registration data from APT3 tools and domains to Wu Yingzhuo.

In May 2017, the security firm Recorded Future agreed that Boyusec is a Chinese government contractor linked to the APT3 group. The company attributed “APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence.”

Although the Justice Department doesn’t come right out and say the hackers were working for the Chinese government-sponsored APT3, the press release did state, “In many instances, the co-conspirators sought to conceal their activities, location and Boyusec affiliation by using aliases in registering online accounts, intermediary computer servers known as ‘hop points’ and valid credentials stolen from victim systems.”

The Chinese internet security firm Boyusec was disbanded this month, according to the Wall Street Journal.

Hacking allegations

The hackers allegedly used spearphishing campaigns, exploited vulnerabilities or used malware to obtain and maintain unauthorized access. The DOJ said they used “hop points” to misrepresent their IP addresses and locations while “identifying, collecting, packaging and stealing data from the victims.”

The indictment also claims the defendants used UPS Backdoor Malware “to remotely access and control infected computers within the victims’ networks.” The defendants “used multiple versions of the UPS Backdoor Malware to misrepresent their status as authorized users of the victims’ computers in order to issue commands to search, identify, copy, package and steal data stored on such computers.”

The DOJ claims Hao hacked Siemens’ network and obtained usernames and passwords of employees in 2014. In 2015, the hackers managed to steal “407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.” Siemens refused to comment upon internal security measures, only telling the Trib that it “’rigorously’ monitors and protects its infrastructure.”

By 2011, the defendants allegedly gained access to Moody’s Analytics email server in order to forward all emails sent to the employee used as the company’s “branding asset.” Lei is accused to accessing the emails, which contained “proprietary and confidential economic analyses, findings and opinions.” A spokesperson for Moody’s told the Trib that the company does not believe any “confidential consumer data or other personal employee information was exposed in the alleged hack.”

In 2015 and 2016, the hackers allegedly accessed Trimble’s network and stole at least 275 MB of data, including hundreds of zipped files and trade secrets. A Trimble spokesperson told the Trib that “no client data was breached” and “the attack had no meaningful impact on its business.”

Despite Trimble’s quotes, attorney Song called the losses to the targeted companies targeted “considerable,” adding, “The fruit of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies.”

How will the U.S. actually get its hands on the accused? Song suggested the defendants “could be arrested while traveling.”