U.S. Indicts Three Chinese Hackers Linked to Security Firm

Boyusec hackers stole hundreds of gigabytes of energy and GPS technology

Men look at computers in an internet bar in Beijing / Getty Images
November 27, 2017

The Justice Department charged three Chinese hackers on Monday with conducting cyber attacks against U.S. and international financial and technology firms and stealing confidential business information.

The three hackers, Chinese nationals Wu Yingzhuo, Dong Hao, and Xia Lei, all worked for a Chinese cyber security firm called Boyusec that the Pentagon has linked to the Ministry of State Security, the civilian intelligence service.

The three men were charged with coordinated cyber attacks against computer networks at Moody's Analytics, Siemens AG, and Trimble Inc.

The companies are involved in economic analysis, manufacturing and electronics, and GPS technology, respectively.

The hackers "launched coordinated and targeted cyber intrusions against businesses operating in the United States… in order to steal confidential business information," said Soo C. Song, acting U.S. Attorney for the Western District of Pennsylvania.

"These conspirators masked their criminal conspiracy by exploiting unwitting computers, called 'hop points,' conducting 'spearphish' email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks," Song said in a statement.

Court papers in the case said the three were employees of Guangzhou Bo Yu Information Technology Co. Ltd, known as Boyusec, located in Guangzhou, Guangdong Province, China.

Boyusec's links to Chinese intelligence were disclosed by the Washington Free Beacon in November 2016.

The indictment is the latest indication that the 2015 "understanding" reached between Chinese President Xi Jinping and then-President Barack Obama not to engage in cyber economic espionage has been violated.

The most recent hacking took place between 2011 and May 2017 and involved the use of fraudulent emails and a malware called UPS Backdoor, the Justice Department said.

The hackers were charged with conspiracy to commit computer fraud and abuse, conspiracy to commit trade secrets theft, wire fraud, and aggravated identity theft.

Against Moody's, Xia hacked into the email of a Moody's specialist and placed a rule on his email that forwarded all messages to a separate email account. Xia then obtained proprietary and confidential economic analyses.
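The forwarding-rule technique described above is something a mail administrator can hunt for in mailbox audit logs. The following is an added example, not code from the article or the court filings: it scans constructed audit records (the field names are assumptions, not any vendor's exact schema) and flags any inbox rule or mailbox setting that forwards or redirects mail to a domain outside the organization.

```python
import json
from typing import Iterable

# Constructed sample audit events, loosely modelled on mailbox-rule audit
# records. Field names ("op", "user", "params") are assumptions for this example.
SAMPLE_EVENTS = [
    json.dumps({"op": "New-InboxRule", "user": "analyst@example.com",
                "params": {"Name": "sync", "ForwardTo": "backup@mail-example.net"}}),
    json.dumps({"op": "New-InboxRule", "user": "analyst@example.com",
                "params": {"Name": "triage", "MoveToFolder": "Reports"}}),
    json.dumps({"op": "Set-InboxRule", "user": "cfo@example.com",
                "params": {"Name": "archive", "RedirectTo": "cfo@example.com"}}),
    json.dumps({"op": "Set-Mailbox", "user": "eng@example.com",
                "params": {"ForwardingSmtpAddress": "smtp:eng.personal@mailbox-example.org",
                           "DeliverToMailboxAndForward": True}}),
]

# Parameters that cause a copy of mail to leave the mailbox.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, dropping an smtp: prefix."""
    addr = addr.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1]


def find_external_forwarding(lines: Iterable[str], internal_domains: set[str]) -> list[dict]:
    """Return one finding per audit event that forwards mail to a non-internal domain."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("op") not in RULE_OPS:
            continue
        targets = []
        for key in FORWARD_PARAMS:
            val = ev.get("params", {}).get(key)
            if not val:
                continue
            # A parameter may hold one address or a list of addresses.
            for target in (val if isinstance(val, list) else [val]):
                if _domain(target) not in internal_domains:
                    targets.append(target)
        if targets:
            findings.append({"user": ev["user"], "op": ev["op"], "targets": targets})
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_EVENTS, {"example.com"}):
        print(f)
```

Rules that forward within the organization's own domains (the "cfo" record above) are not reported, so the output is limited to the pattern described in the Moody's intrusion.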

Dong hacked into Siemens computers and stole usernames and passwords and planted malware that helped steal some 407 gigabytes of data on the company's energy technology and transportation businesses.

The Trimble hack involved Wu accessing the company's computers and stealing hundreds of gigabytes of data, including information on precision GPS software and an antenna that cost the company millions to develop.

The indictment, largely symbolic, is the second major case against Chinese hackers. The likelihood of prosecution is limited since the three are believed to be in China.

In May 2014, five Chinese military officers linked to a People's Liberation Army hacking unit were indicted for cyber attacks against U.S. companies and a labor union.

Those hackers, part of a Shanghai-based hacking group known as Unit 61398, are believed to be in China.

"Once again, the Justice Department and the FBI have demonstrated that hackers around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable," said Dana J. Boente, acting assistant attorney general for national security.

"The Justice Department is committed to pursuing the arrest and prosecution of these hackers, no matter how long it takes, and we have a long memory."

The Justice Department said in a statement the stolen data included information related to the housing, finance, energy, technology, transportation, construction, land survey, and agricultural sectors.

Wu used the cyber handles "mxmtmw," "Christ Wu," and "wyz." He lives in Guangzhou and was a founding member and equity shareholder of Boyusec.

Dong was known as "Bu Yi," "Dong Shi Ye," and "Tianyu" and also lives in Guangzhou and was a founding member and equity shareholder of Boyusec. He held the position of executive director and manager.

Xia, a Boyusec employee, also lives in Guangzhou.

The investigation of the cyber attacks was conducted by the FBI, Naval Criminal Investigative Service, and Air Force Office of Special Investigations.

James Lewis, a cyber security expert at the Center for Strategic and International Studies, said Chinese hacking may be on the upswing after the 2015 agreement in which both countries agreed not to use purely commercial espionage.

"One thing to watch is how the Chinese government reacts," Lewis said. "A low key reaction could mean these people were freelancing. Let’s see what Beijing says, if anything."

A Chinese Embassy spokesman did not return an email seeking comment on the indictment.

Pentagon intelligence officials disclosed last year that Boyusec was linked to the MSS and a global Chinese telecommunications company known as Huawei Technologies that U.S. officials say has ties to the Chinese military.

An internal report by the Pentagon's J-2 intelligence directorate identified Boyusec and Huawei as working together to produce security products used in Chinese-manufactured computer and telephone equipment that could allow Chinese intelligence to remotely steal data on the computers.
