Indictment of China Military Hackers Reveals New Details of Cyber Attack Methods

Prosecution of five PLA cyber warriors unlikely

Wang Dong, Sun Kailiang, Gu Chunhui / May 1 indictment
May 21, 2014

The Obama administration’s indictment of five Chinese military hackers for cyber attacks against U.S. companies and a labor union has revealed new details of China’s large-scale cyber warfare and cyber espionage operations.

The federal grand jury indictment filed May 1 named five People’s Liberation Army (PLA) operatives linked to a secretive, Shanghai-based group called Unit 61398, which is Beijing’s key cyber warfare and cyber spying unit. The unit was first disclosed publicly last year.

However, the legal action is largely symbolic because the likelihood of prosecuting the five PLA hackers—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—is slim.

The hackers are part of the PLA’s General Staff Third Department, the electronic intelligence agency known as 3PLA, and its Unit 61398.

The 56-page indictment states that they combined malware with spear-phishing emails, messages disguised as routine correspondence from colleagues or business contacts, to trick targeted employees with access to corporate secrets into opening a malicious attachment or link that gave the hackers a foothold inside company networks.

The hackers then methodically stole key commercial secrets, such as technical design details for Westinghouse nuclear reactor sales and solar panel technology. Internal communications containing valuable economic data were also stolen and provided by the PLA to Chinese state-run competitors.
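The initial intrusion the indictment describes, a spear-phishing message that looks like routine correspondence and carries a malicious attachment or link, leaves a handful of header and attachment tells that a mail gateway or a SOC analyst can check for. The following is an added example written for this article, not code from the indictment, the FBI or any of the companies named; the protected domain example-steel.com, the file names and the two sample messages are constructed for illustration.

```python
"""Header and attachment triage for spear-phishing e-mail of the kind the
indictment describes.  Stand-alone illustration: the protected domain, the
risky-extension list and both sample messages are constructed, not real data."""
import email
import re
from email.utils import parseaddr

# Assumed domain of the targeted organisation (hypothetical).
INTERNAL_DOMAINS = {"example-steel.com"}
# Attachment types that can execute code or carry macros.
RISKY_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm", ".zip", ".rar")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. Look-alike sender domain: within two edits of a protected domain, but not equal to it.
    for prot in INTERNAL_DOMAINS:
        if domain and domain != prot and edit_distance(domain, prot) <= 2:
            findings.append(f"look-alike sender domain {domain!r} (resembles {prot!r})")

    # 2. Display name shows an internal address while the real sender is external.
    if domain not in INTERNAL_DOMAINS and any("@" + p in name.lower() for p in INTERNAL_DOMAINS):
        findings.append(f"display name {name!r} spoofs an internal address; real sender {addr!r}")

    # 3. Replies are routed somewhere other than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply!r} differs from From {addr!r}")

    # 4. Executable or macro-enabled attachments, or a doubled extension such as report.pdf.exe.
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXTS):
            findings.append(f"risky attachment {fn!r}")
        elif re.search(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]+$", fn):
            findings.append(f"double extension on attachment {fn!r}")
    return findings


# Constructed sample: look-alike domain (digit 1 for letter l), spoofed display
# name, foreign Reply-To and a macro-enabled Word attachment.
PHISH = """\
From: "jdoe@example-steel.com" <jane.doe@examp1e-steel.com>
Reply-To: recruiting@mailbox-example.net
To: engineer@example-steel.com
Subject: Updated reactor vessel drawings
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached drawings before Friday's call.
--XYZ
Content-Type: application/octet-stream; name="drawings.docm"
Content-Disposition: attachment; filename="drawings.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--XYZ--
"""

# Constructed sample: ordinary internal mail with no attachment.
BENIGN = """\
From: Jane Doe <jane.doe@example-steel.com>
To: engineer@example-steel.com
Subject: Friday call

See you at 10.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(sample))
```

On the constructed phish the function reports four findings (look-alike domain, spoofed display name, divergent Reply-To, macro-enabled attachment) and none on the benign message. The checks are deliberately cheap header and name heuristics; they are a first filter, not a substitute for detonating attachments or following links in a sandbox.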

The activities began around 2006 and continued at least through April 2014. The companies hit by the cyber attacks include Westinghouse Electric Co., SolarWorld AG, United States Steel Corp., Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial, and Service Workers International Union, and Alcoa. All are located in Pennsylvania. The indictment was issued May 1 in the U.S. District Court for the Western District of Pennsylvania.

"The FBI deliberately provided remarkable details about the secret techniques and goals of the clandestine cyber attacks in Pittsburgh," said Michael Pillsbury, a former Pentagon policymaker and specialist on the Chinese military.

"This will scare the PLA hackers, at least for a few months, while they try to find out how they were detected."

However, it is unlikely the FBI’s methods used in the five PLA hackers’ case will be useful in the future because the hackers can mask future activities by using different names and more stealthy cyber penetration methods, Pillsbury said.

"Much stronger medicine will be needed next time," said Pillsbury, a senior fellow at the Hudson Institute. "Beijing reacted in a few hours, much too quickly and angrily, without any time for an investigation in good faith, which gives some observers the impression the allegations may be true."

Attorney General Eric Holder said Monday that what he termed "the alleged hacking" "appears to have been conducted for no other reason than to advantage state-owned companies and other interests in China at the expense of businesses here in the United States."

"This case should serve as a wake-up call to the seriousness of the ongoing cyber threat," Holder added.

John Carlin, head of the Justice Department National Security Division, linked the indictment to the Chinese government’s failure to curb cyber economic espionage.

"In the past, when we brought concerns such as these to Chinese government officials, they responded by publicly challenging us to provide hard evidence of their hacking that could stand up in court," Carlin said, adding: "Well, today we are."

The legal action highlights the administration’s announced policy of using passive, non-military means to counter and deter widespread Chinese cyber attacks.

The administration has been under pressure for years from American companies victimized by Chinese hacking—ranging from Google to Lockheed Martin—to take more aggressive action against Chinese military cyber attacks.

Former National Security Agency Director Gen. Keith Alexander has said that theft of American corporate secrets in recent years resulted in the largest loss of valuable economic and other data in history. Losses have been estimated to be worth tens to hundreds of billions of dollars in lost information to competitors such as China.

Obama administration security officials said President Obama rejected proposals from the U.S. intelligence community to conduct aggressive counter attacks against the Chinese three years ago.

The tougher measures included counter-cyber attacks against Chinese military units and economic sanctions. The measures were rejected over fears of upsetting relations with China.

The options were based on large-scale theft of U.S. secrets and proprietary economic information that boosted China's industry and its military, allowing China in many cases to "leapfrog" technological hurdles and compete more favorably against the United States.

The measures rejected by Obama in 2011 also called for taking legal action of the kind announced Monday.

The White House, through its cyber security coordinator Michael Daniel, last year defended the inaction against the Chinese because of what he said was difficulty of identifying the specific cyber attackers.

The May indictment reveals that the National Security Agency, which is the lead spy agency for cyberspace, identified the five men and catalogued their spying activities. Photographs of the PLA hackers were included in the indictment, including one wearing a PLA uniform.

Sun Kailiang

The five men, whose ranks were not specified, also worked as technology consultants to Chinese state-run industries who received the stolen U.S. trade secrets, including the State Nuclear Power Technology Corp., which was the recipient of stolen data on Westinghouse’s AP1000 reactor. Westinghouse had concluded a deal with State Nuclear Power in May 2013.

The private security firm Mandiant, in a dramatic report published last year, first revealed the activities of one of the hackers, Wang Dong, who is also known as "UglyGorilla" in both the report and the indictment.

Wang was identified in 2004 after he put a question to a Chinese military cyber warfare official in an online forum.

Using the nickname "Greenfield," Wang had asked if China had "cyber troops" like the United States.

Wang Dong

"Like all users of the China Military Online (chinamil) forums, ‘Greenfield’ was required to sign up with an email address and specify a small bit of information about himself," the Mandiant report said. "Thankfully, the Internet’s tendency to immortalize data preserved the profile details for us."

Another indicted hacker, Gu Chunhui, was mentioned in Scott Henderson's book "The Dark Visitor," which linked Gu to a government-linked Chinese hacker group called the Red Hacker Alliance. Gu had been known for cracking software since the late 1990s.

The indictment set off a fierce reaction from China’s government, which denounced the indictment as "irresponsible" and called for the indictment to be withdrawn. China also suspended talks with the United States on cyber security, a forum U.S. officials said has failed to resolve U.S. concerns about cyber attacks in several meetings.

Gu Chunhui

John Tkacik, a former State Department official and specialist on China, said the indictment reveals the significant damage caused to the companies by the Chinese.

"Westinghouse had millions of pages of engineering data purloined that will save Westinghouse's Chinese competitors millions if not billions in [research and development] costs, and thereby deny Westinghouse business in China, and possibly elsewhere in the world as foreign clients opt to purchase Chinese nuclear plants rather than Westinghouse ones," Tkacik said.

The damage to SolarWorld is described less specifically. The company has made clear that Chinese competitors stole proprietary data, including material related to its trade litigation against those competitors.

"In fact, SolarWorld found that Chinese competitors were undercutting its prices in China and using SolarWorld data to bid against it in the U.S. market," Tkacik said. "Chinese companies read SolarWorld's emails, learned what their bids were, and undercut them—with the help of massive subsidies from the Chinese government."

Chinese cyber espionage also allowed Beijing to know how much "financial or market shock" SolarWorld could take before collapsing, a strategy China used against American Superconductor in 2011 and 2012.

Alcoa, another company victimized by the Chinese military hackers, did not disclose the damage it suffered. But the indictment reveals that Alcoa's Chinese partner in the Rio Tinto purchase used Alcoa's internal data to make money.

"What wasn't said is that China calibrates its aluminum production and pricing to drive foreign aluminum smelters to close capacity in the U.S. because Chinese production floods international markets—and once the U.S. capacity is shut-down, China can jack international prices up again," Tkacik said.

Rick Fisher, a China military expert, said he believes the administration indicted low-level Chinese military operators to try to limit Chinese retaliation to the same level of actors on the U.S. side.

"Courtesy of [former NSA contractor] Edward Snowden, the Chinese likely have enough ‘footnotes’ to land charges on numerous officers in the NSA and elsewhere," Fisher said. "What if China chooses to indict the team that listened in on German Chancellor Merkel's cell phone calls or who led broad monitoring in Brazil? They will be inviting these countries to also chase the Americans."

Fisher said he is concerned that the administration launched the legal action without enlisting support from allies who also have been victims of large-scale Chinese cyber attacks.

"Most NATO members have been savaged by Chinese cyberspies," Fisher said. "There should be a long list of Chinese that the U.S. side has observed at work against European economic and government targets."

Tkacik said it is likely that China’s military hacker units are not limited to enriching the state, and probably are utilized by individual Chinese Communist Party members, many of whom have grown wealthy under reform communism.

"The extent of the cybercrimes documented in the indictment illuminate the likelihood that China Inc. uses cyber-penetrations to enrich both the state and individual Chinese Communist Party members with privileged financial and commodities market information to the tune of trillions, not billions, of dollars," he said.

"In 2014, China has unprecedented influence in global financial and commodities markets, and engages in front-running those markets on a galactic scale," he said. "If Chinese steel and aluminum companies have this kind of access to foreign data networks, there can be no doubt that they use it to reap extra billions in profits off of global commodities markets with insider information."
