Three Chinese citizens were indicted in U.S. federal court on Monday for attacking the computer systems of Siemens AG, Trimble Inc., and Moody’s Analytics in an effort to steal valuable corporate data.
According to the indictment unsealed in Pittsburgh on Monday, the defendants are Wu Yingzhuo, Dong Hao, and Xia Lei. Their alleged cyberattacks were carried out between 2011 and 2017, with the goal of stealing intellectual property, trade secrets, and the identities of targeted individuals to gain “commercial advantage.”
Their weapons of choice were the infamous “spear phishing” emails—messages disguised to look like legitimate communications from trusted sources, but actually carrying malicious payloads in attached documents, or tricking victims into clicking on hyperlinks that will infect their computers with malware.
The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems. Such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.
One of the cyberattacks attributed to the trio successfully penetrated the email server at Moody’s Analytics and stole the emails of an “influential economist.” Another scheme netted them 407 gigabytes of proprietary data from Siemens. Trimble was apparently targeted for its work on a new and improved global satellite navigation system.
According to the Justice Department, all three of the named defendants are believed to be in China, and therefore cannot be taken into custody. A number of unnamed accomplices may also have been involved in the alleged hacking activity.
One of the most interesting details of the case is that the three all worked for a cybersecurity company called Boyusec. Wu and Dong were company founders, while Xia was an employee.
“Two U.S. government officials told Reuters that Guangzhou Bo Yu, also known as Boyusec, is affiliated with China’s People’s Liberation Army Unit 61398, and that most if not all its hacking operations are state-sponsored and directed,” Reuters reports.
Five military officers from Unit 61398 were indicted in the U.S. on hacking charges in 2014. The unit, also known as “Gothic Panda” to security researchers, has “targeted aerospace and defense, chemical, energy, financial, healthcare, industrial and transportation firms in Britain, France, Hong Kong, the United States and other western nations,” according to researcher Adam Meyers of CrowdStrike.
Forbes notes that Gothic Panda is linked to the Chinese Ministry of State Security. Boyusec’s ties to the Gothic Panda operation have been verified by cybersecurity contractors working for the U.S. government.
“Boyusec is one of many private companies with close connections to Chinese intelligence services and which appear to be heavily involved in cyber-espionage,” John Hultquist of the FireEye security firm told Forbes. “The use of commercial third parties puts breathing room between the state and this dicey work.”
Nevertheless, prosecutors said the case against Wu, Dong, and Xia is not being treated as a case of state-sponsored hacking, even though Reuters explains how the Chinese government and military have a clear interest in the data that was stolen:
Trimble’s advances in geolocation and Siemens’ work in guidance and navigation are of interest to the Chinese for internal security and military purposes, as well as commercial ones, according to one of the officials, who declined to be named because some details of the case remain classified.
“Gleaning precise locations from mobile phones and other devices is valuable to the Ministry of State Security for monitoring dissidents as well as foreigners,” the official said. “Overseas, it can be valuable to keep track of where your own people are going, as well as keeping track of foreigners’ movements, whether they’re government or commercial.”
The official said that data collected by Moody’s could be used to help identify businesses and people that might be vulnerable to commercial or government exploitation, blackmail or bribery.
The Chinese government had no comment on the case as of Tuesday, beyond routine assurances that China hates hackers and wants data security for everyone in the world. Another noteworthy detail is that Boyusec seems to have disappeared. Reuters reported that its corporate website is down, and Chinese telecom giant Huawei is claiming to have no knowledge of the cybersecurity firm, even though Boyusec has long claimed Huawei as one of its business partners.
As for the companies targeted by the hacking attacks: Siemens said it does not comment on “internal security matters,” Moody’s said it does not believe any sensitive customer or employee data was compromised, and Trimble said there was “no meaningful impact on its business.”