US charges 3 Chinese with hacking, but stops short of blaming Beijing directly
By TIM JOHNSON | McClatchy Washington Bureau (Tribune News Service) | Published: November 27, 2017
WASHINGTON — A federal grand jury in Pittsburgh charged three Chinese nationals with hacking and theft of trade secrets Monday for allegedly stealing data from corporate networks in the United States, a move that may become an irritant in U.S.-China relations in other areas.
The three indicted individuals are employees of a cybersecurity firm in Guangzhou, a metropolis in southern China, and work closely with China’s Ministry of State Security.
The alleged hacking began in 2011 and continued until May of this year, according to the indictment. Three companies fell victim to the intrusions, including Moody’s Analytics, a major economic analysis firm. The others were Siemens AG, a German manufacturing and electronics conglomerate with U.S. operations, and Trimble Inc., a Sunnyvale, Calif., firm that provides specialized GPS technology, the document said.
The indictment shied from directly linking the Chinese government to the hacking, blaming only the private company, Guangzhou Bo Yu Information Technology Co.
But a researcher at a U.S. cyberthreat intelligence company, Recorded Future, said the Chinese company, called Boyusec for short, is a front operation for the Ministry of State Security and the indicted individuals are intelligence agents.
The Justice Department may want to avoid provoking China with a direct accusation, said Priscilla Moriuchi, director of strategic threat development for the Somerville, Mass., company and a veteran of the U.S. intelligence community.
“They are trying to not anger the Chinese and still be able to have it both ways in terms of holding some cyber actors responsible,” she said, while maintaining “our cooperative relationship with China on topics where we need them, like North Korea.”
Earlier in the decade, U.S.-China relations soured sharply over hacking allegations.
In 2014, another grand jury in Pittsburgh indicted five members of Unit 61398 of the People’s Liberation Army, a specialized military hacking squad based in Shanghai, and charged them with stealing secrets from Westinghouse Electric, U.S. Steel and other corporations.
The Chinese “were extremely angry” over the indictments of active duty military officers, Moriuchi said, and pulled out of a cybersecurity dialogue. After a year of tension over the issue, then President Barack Obama and Chinese leader Xi Jinping signed a cybersecurity accord in 2015 in which the two countries pledged to refrain from commercial hacking, but not electronic espionage.
The agreement has been credited with slowing down overt Chinese hacking of U.S. companies with the aim of stealing trade secrets. But praise has recently diminished.
“There is some concern in the U.S. government about possible backsliding,” said Adam Segal, a cybersecurity and China expert at the Council on Foreign Relations.
The indictment said the three Chinese nationals — Wu Yingzhuo, Dong Hao and Xia Lei — sought to steal commercial secrets and sensitive employee data by sending spearphishing emails to employees with malicious attachments or links to malware that facilitated access to the recipient’s computer. Then the hackers would install other tools on victims’ computers, sometimes using intermediary servers known as “hop points,” the indictment added.
There was no immediate reaction from the individuals charged or the company that employs them.
Justice Department officials indicated that the U.S. government would seek the arrest of the three Chinese nationals if they ever travel outside of China’s borders.
“The Justice Department is committed to pursuing the arrest and prosecution of these hackers, no matter how long it takes, and we have a long memory,” Acting Assistant Attorney General for National Security Dana J. Boente said in a statement.
A spotlight has fallen on private cybersecurity companies in various parts of the world that ostensibly work with state intelligence agencies. In September, the Department of Homeland Security ordered U.S. agencies to halt use of antivirus software from Moscow-based Kaspersky Lab, contending the company is linked to Russian intelligence. Foreign security experts sometimes make similar accusations against U.S. cybersecurity companies.
One threat firm, Cybereason, which is based in Boston, says Boyusec may fall in a “gray area” in which Chinese cyber companies collaborate with state intelligence agencies but also seek to profit from their own hacking activities.
“They are smaller in absolute numbers but I would say they are responsible for a disproportionate number of the headline-grabbing intrusions these days,” said Ross Rustici, senior director of intelligence services at Cybereason.
He said the hack of Moody’s may come under the category of attempting to profit from protected Wall Street information while the hack of Trimble could be to steal technology with military applications.
©2017 McClatchy Washington Bureau
Visit the McClatchy Washington Bureau at www.mcclatchydc.com
Distributed by Tribune Content Agency, LLC.