Federal prosecutors unsealed an indictment against three Chinese nationals this week in a US District Court, accusing them of hacking into at least three multinational corporations over the past seven years.
The eight-count indictment accuses Wu Yingzhuo, Dong Hao, and Xia Lei of conspiracy to commit computer fraud and abuse, trade secret theft, wire fraud and aggravated identity theft against Siemens AG, Moody’s Analytics, and Trimble, a geospatial technology firm. Siemens is a major contractor for US critical infrastructure.
The indictment doesn’t mention the Chinese government directly, but it does mention the UPS Backdoor malware the defendants allegedly used, which has been linked to the government.
The three worked for what is nominally an internet security firm called Guangzhou Bo Yu Information Technology (Boyusec). Wu and Dong are founding members and equity shareholders of the company, while Xia is an employee.
The indictment alleges that in 2014 the hackers broke into the network of Siemens and stole employee user names and passwords and 407 GB of data relating to the company’s energy, technology, and transportation businesses – all of which fall under the “critical infrastructure” heading.
In the case of Moody’s, the hackers placed a rule on an email server that caused all messages sent to a prominent company economist to be forwarded to a dummy account created by the attackers.
While the indictment only described the economist as “Employee A,” the Wall Street Journal reported that most of the rumors point to Mark Zandi, “chief economist” at the firm, who “has frequently been cited by congressional Democrats and Obama administration officials.”
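The Moody’s intrusion described above relied on a server-side mail rule that quietly forwarded one employee’s inbound mail to an attacker-controlled account. The following script is an added example, not part of the original article or the indictment: it audits a set of mailbox rules and flags any enabled rule that forwards or redirects mail to an address outside the organisation’s own domains, rating rules that also delete the original message as higher severity because they hide the forwarding from the mailbox owner. The organisation domain, the rule records and the addresses are all constructed for illustration.

```python
"""Audit mailbox rules for silent forwarding to external addresses.

Added example (not from the article). The rule records below are constructed
to mimic what an admin would export from a mail server's per-mailbox rules.
"""
from dataclasses import dataclass, field

# Assumed set of domains the organisation owns; anything else is "external".
ORG_DOMAINS = {"example-corp.test"}


@dataclass
class InboxRule:
    """One server-side mailbox rule (simplified, constructed schema)."""
    mailbox: str                       # owner of the mailbox
    name: str                          # rule name as shown to the user
    forward_to: list = field(default_factory=list)   # copies sent here
    redirect_to: list = field(default_factory=list)  # originals sent here
    delete_message: bool = False       # remove the message from the inbox
    enabled: bool = True


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.strip().rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    """True when the address does not belong to one of ORG_DOMAINS."""
    return domain_of(address) not in ORG_DOMAINS


def audit_rules(rules):
    """Return a finding for every enabled rule that sends mail outside the org.

    Severity is 'high' when the rule also deletes the original message
    (the owner never sees the forwarded mail), otherwise 'medium'.
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # a disabled rule moves no mail; still worth a look, but not here
        targets = list(rule.forward_to) + list(rule.redirect_to)
        external = sorted({t.strip().lower() for t in targets if is_external(t)})
        if not external:
            continue
        findings.append({
            "mailbox": rule.mailbox,
            "rule": rule.name,
            "external_targets": external,
            "severity": "high" if rule.delete_message else "medium",
        })
    return findings


# Constructed sample rules: one benign, two suspicious, one disabled.
SAMPLE_RULES = [
    InboxRule("economist@example-corp.test", "Copy to assistant",
              forward_to=["assistant@example-corp.test"]),
    InboxRule("economist@example-corp.test", "Archive",
              forward_to=["archive-2017@mail-dummy.test"], delete_message=True),
    InboxRule("analyst@example-corp.test", "Redirect research",
              redirect_to=["Research.Desk@mail-dummy.test"]),
    InboxRule("analyst@example-corp.test", "Old rule",
              forward_to=["me@mail-dummy.test"], enabled=False),
]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['mailbox']} rule "
              f"'{finding['rule']}' -> {', '.join(finding['external_targets'])}")
```

Running it over the constructed rules reports the “Archive” rule as high severity and the “Redirect research” rule as medium; the internal copy and the disabled rule produce no finding. In practice the same check would be fed from the mail server’s rule export and run on a schedule, with any newly created external forwarding rule treated as an alert rather than a report line.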
Against Trimble, the hackers allegedly stole data on a Global Navigation Satellite Systems (GNSS) product that the company had spent three years and millions of dollars developing.
While the technology apparently has no military application, Reuters reported that an anonymous US official said the Chinese government could have been interested in using it to track dissidents, Chinese citizens who are overseas and foreign spies.
Ars Technica notes that an anonymous group called Intrusion Truth published a report in May claiming that Boyusec was a front for APT3 – one of the hacking units of the People’s Liberation Army. Also, a few days later, security firm Recorded Future reported that APT3 – which is also known as Gothic Panda, Buckeye, UPS Team, and TG-0110 – worked directly for China’s Ministry of State Security.
That is significant, given that, according to the indictment, the hacking began no later than 2011 and continued until at least May 2017 – nearly two years after President Obama and Chinese President Xi Jinping announced, with considerable fanfare, an agreement aimed at curbing economic espionage.
According to the White House press release, dated 25 September 2015:
Neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
Of course, that carefully worded language contained holes – major holes. It refers only to the governments of both countries – not their private sectors. And saying the government will not “knowingly support” something is obviously not a promise that it will take steps to stop it.
Besides a flurry of news stories about the indictment, what does this all mean?
Almost certainly very little. The defendants are out of the reach of US law enforcement. President Trump is trying to get Xi to assist in putting pressure on North Korea, and is very unlikely to want to jeopardize that by making an issue out of IP theft.
Indeed, if history is any guide, all this is likely to do is generate a few denials and veiled threats from China’s leaders.
Back in 2014, US prosecutors indicted five military officers from the notorious People’s Liberation Army (PLA) hacking unit 61398.
China warned it would retaliate if the US pressed the issue. And that was pretty much that.
Which is the way Kevin Murray, director at Murray Associates, a counter espionage consultancy, sees this case playing out. Does the indictment mean anything significant will happen? “No,” he said, offering a brief history lesson.
Go back 1,000 years, remembering that the Chinese invented things like silk, gunpowder, paper. All this intellectual property was stolen from them. At that time, the law in China was that if you engaged in it, that was your life. But it still got stolen. So now they’re getting back at us. And we’re trying to replicate what they did by punishing the criminal. Is it going to help? No.
Murray said if those responsible for protecting IP faced charges, “then you’d see some changes.”
But whoever gets prosecuted, things are unlikely to change. A report earlier this year by Cybereason, on compliance with the US/China agreement, noted that monitoring it is increasingly difficult due to a trend toward nation states “outsourcing” cyberespionage to private firms.
According to the report:
The use of what are called “cutouts and sympathetic agents to collect information on their behalf” makes attribution of the attackers more difficult and also gives the governments “plausible deniability.”