APT3

US authorities have acted on one of the worst-kept secrets in cyber-security and have filed official charges against three Chinese hackers who are part of one of China's elite cyber-espionage units.

According to an indictment unsealed today by the Department of Justice (DOJ), officials have charged the three hackers with hacking three companies (Moody's Analytics, Siemens, and Trimble) between 2011 and May 2017.

More precisely, the DOJ charged Wu Yingzhuo with hacking Trimble, Dong Hao with hacking Siemens, and Xia Lei with hacking Moody's Analytics.

The three suspects work for cyber-security firm Boyusec

The three suspects work for Chinese cyber-security firm "Guangzhou Bo Yu Information Technology Company Limited," also known under its short name of Boyusec. Both Wu and Dong are founding members and shareholders, while Xia is just an employee.

Several reports published in May 2017 fingered Boyusec as notorious cyber-espionage unit APT3, one of the Chinese government's most proficient hacking units.

APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010 and has been tied to the theft of intellectual property from private businesses, but also to cyber-espionage with substantial political implications. Past reports [1, 2, 3, 4] have tied the group to hacks all over the world, but most often in Hong Kong and the US.

Boyusec identified as APT3 six months ago

Blog posts published by Intrusion Truth [1, 2, 3, 4] linked Wu and Dong to domain names used in the server infrastructure from where many APT3 attacks originated.

Another report claimed Boyusec was a government contractor that reported to the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), which is a local branch of the China Information Technology Evaluation Center (CNITSEC), an organization run by the Chinese Ministry of State Security (MSS).

APT3 background

Hacks took place between 2011 and 2017

Despite APT3's past political espionage history, the DOJ charges focus on the theft of intellectual property. Below is a summary of all accusations.

Defendant: Wu
Victim: Trimble
Criminal conduct: In 2015 and 2016, Trimble was developing a Global Navigation Satellite Systems technology designed to improve the accuracy of location data on mobile devices. In January 2016, while this project was in development, Wu accessed Trimble's network and stole files containing commercial business documents and data pertaining to the technology, including Trimble trade secrets. In total, between December 2015 and March 2016, Wu and the other co-conspirators stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

Defendant: Dong
Victim: Siemens
Criminal conduct: In 2014, Dong accessed Siemens's computer networks for the purpose of obtaining and using employees' usernames and passwords in order to access Siemens's network. In 2015, the co-conspirators stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens's energy, technology and transportation businesses.

Defendant: Xia
Victim: Moody's Analytics
Criminal conduct: In or around 2011, the co-conspirators accessed the internal email server of Moody's Analytics and placed a forwarding rule in the email account of a prominent employee. The rule directed all emails to and from the employee's account to be forwarded to web-based email accounts controlled by the conspirators. In 2013 and 2014, defendant Xia regularly accessed those web-based email accounts to access the employee's stolen emails, which contained proprietary and confidential economic analyses, findings and opinions.
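The Moody's Analytics count describes a long-lived exfiltration channel that needed no malware: a single mailbox rule forwarding every message to an external web-mail account. A defender's countermeasure is to audit forwarding rules for exactly that pattern. The script below is an added example, not part of the article or the indictment; the rule records, the field names, the organisation's domain and the web-mail domain list are all constructed for the example and do not follow any particular mail server's export format.

```python
"""Audit mailbox forwarding rules for the silent-exfiltration pattern:
every message forwarded to an external (often consumer web-mail) address.

Added example. Field names and sample data are constructed assumptions,
not any real mail server's rule format.
"""
from dataclasses import dataclass, field

# Domains the organisation controls (assumption for this example).
INTERNAL_DOMAINS = {"example-corp.test"}

# Consumer web-mail domains often used as drop boxes. These values are
# constructed for the example; a real deployment maintains its own list.
WEBMAIL_DOMAINS = {"webmail.example", "freemail.example"}


@dataclass
class ForwardRule:
    mailbox: str                  # owner of the rule
    name: str                     # rule name as shown to the user
    forward_to: list              # destination addresses
    conditions: dict = field(default_factory=dict)  # empty == applies to all mail
    keep_copy: bool = True        # False: the owner never sees the message


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule):
    """Return the reasons a rule looks suspicious; an empty list means benign.

    Only rules that leave the organisation are examined further; the more
    reasons accumulate, the closer the rule is to the indictment's pattern.
    """
    reasons = []
    external = [a for a in rule.forward_to
                if domain_of(a) not in INTERNAL_DOMAINS]
    if not external:
        return reasons
    reasons.append("forwards to external address(es): " + ", ".join(external))
    if any(domain_of(a) in WEBMAIL_DOMAINS for a in external):
        reasons.append("destination is a consumer web-mail domain")
    if not rule.conditions:
        reasons.append("no conditions: every message is forwarded")
    if not rule.keep_copy:
        reasons.append("original is not kept in the mailbox")
    return reasons


def audit(rules):
    """Map 'mailbox/rule name' to its reasons for every suspicious rule."""
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings[f"{rule.mailbox}/{rule.name}"] = reasons
    return findings


# Constructed sample export: one benign rule, one external partner rule
# that deserves a look, and one rule matching the exfiltration pattern.
SAMPLE_RULES = [
    ForwardRule("analyst@example-corp.test", "Vendor tickets",
                ["helpdesk@example-corp.test"],
                {"from": "tickets@vendor.test"}),
    ForwardRule("pm@example-corp.test", "Project X cc",
                ["partner@partner.test"],
                {"subject_contains": "Project X"}),
    ForwardRule("analyst@example-corp.test", "Sync",
                ["a.n.other@webmail.example"], {}, keep_copy=False),
]

if __name__ == "__main__":
    for key, reasons in sorted(audit(SAMPLE_RULES).items(),
                               key=lambda kv: -len(kv[1])):
        print(f"{key}: {len(reasons)} indicator(s)")
        for reason in reasons:
            print("  -", reason)
```

Running the audit on a scheduled export catches rules that were planted long ago, which is the case the indictment describes (a rule placed in 2011 and still read in 2014); pairing it with an alert on rule-creation events closes the window for new ones.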

All three indicted suspects are still at large and residing in China.

The US has charged Chinese state hackers before

This is not the first time that the US has charged individuals who were part of Chinese cyber-espionage operations. The US charged five Chinese military officers in 2014 with hacking US companies such as Westinghouse, SolarWorld, Allegheny Technologies Inc. (ATI), USW, US Steel, and Alcoa.

The DOJ claimed the hackers stole intellectual property and trade secrets and then passed the data to Chinese state-owned enterprises (SOEs).

Following the hacks, US Steel tried to get the US government to ban the sale of cheap Chinese-made steel on the US market, although the company dropped the request earlier this year.

These high-profile hacks led to the US and China signing a mutual pact where neither government would "conduct or knowingly support cyber-enabled theft of intellectual property."

New reports suggest that China has skirted this pact by moving hacking operations from specialized military units to third-party contractors, while also taking more care to avoid detection.