On Monday, the Department of Justice announced the indictment of Wu Yingzhuo, Dong Hao, and Xia Lei, all of whom are Chinese nationals who reside in China, for computer hacking, theft of trade secrets, conspiracy and identity theft directed at U.S. and foreign employees and computers of three corporate victims. The trio work for the Guangzhou Bo Yu Information Technology Co. (Boyusec) -- a purported Internet security firm that is based in China.
Among the companies the trio allegedly targeted are Siemens AG, Moody's Analytics, and Trimble. Siemens was the most affected: hackers stole 407 gigabytes of data from its energy, technology, and transportation businesses, according to the indictment. The three men hacked into Trimble in 2016 when it was in the process of designing more accurate satellite navigation tech. They allegedly stole more than 275 megabytes of data, including trade secrets related to sat-nav technology. Moody's was hacked in 2011, when the Chinese are believed to have hacked into company email to forward on a prominent employee's mail to their own accounts.
Speaking for DOJ, Acting U.S. Attorney Soo C. Song said, “Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States...in order to steal confidential business information.” Song added, “These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”
According to a DOJ statement, the indictment alleges that the accused hacked into businesses so as to maintain unauthorized access and steal sensitive information and communications. For one victim, information that the defendants targeted and stole between December 2015 and March 2016 contained trade secrets.
Defendants Wu, Dong, Xia, and other conspirators coordinated computer intrusions by spearphishing e-mails to employees of the targeted entities, which included malicious attachments or links to malware. According to the DOJ, when a recipient opened the attachment or clicked on the link, the hackers then obtained continuous access to the recipient’s computer. The conspirators would then install other tools on victims’ computers, including malware they called “ups” and “exeproxy.” In many instances, they concealed their activities, location, and Boyusec affiliation by using aliases, intermediary computer servers known as “hop points,” and valid credentials stolen from victim systems.
The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems. For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.
Boyusec has been linked to China’s intelligence agencies. It has also been linked to another hacker group known variously as APT3, Buckey, UPS Team, TG-0110, and Gothic Panda, which in turn have been connected with the Chinese Ministry of State Security (MSS). The first link came via a mysterious source, IntrusionTruth, which connected domain names registered by the APT3 group with Boyusec employees Wu Yingzhuo and Dong Hao. Cybersecurity company Recorded Future, which has various contracts with the U.S. government, later claimed to have corroborated those findings. The methods described in the indictment match those described in reports Symantec, FireEye, and other security firms have made on APT 3.
Victims of Boyusec intrusions included companies in the defense, telecommunications, transportation, and advanced technology sectors. Government networks in Hong Kong and the United States, as well as other countries, were also victims. Boyusec has also targeted democracy advocates in Hong Kong.
Spero News was the target of a Chinese hack in 2011, crippling the site for several days. The website had published several articles about human rights violations, including organ harvesting from live persons, in China.
The DOJ announcement die not link Boyusec or the defendants to China’s government. However, experts in the U.S. assert that Boyusec was contracted by the Chinese government so as to provide deniability. Boyusec once listed Huawei -- a China-based multinational that is the biggest manufacturer of cell phones in the world -- as a partner.
The indictment comes two years after Barack Obama reached an agreement with his Chinese counterpart Xi Jinping over state-sponsored espionage hacking that had targeted American intellectual property for years. China's compliance with the 2015 agreement have been uneven. For example, Chinese hackers have allegedly targeted U.S. defense contractors in pursuit of military technology.
The three indicted men reside in Guangzhou, China. Bringing them to justice in the U.S. would require them to appear in a U.S. court. However, China and the U.S. are not currently party to an extradition treaty.
Martin Barillas is a former US diplomat and the editor of Spero News.