Feds Quietly Reveal Chinese State-Backed Hacking Operation

Prosecutors in the United States this week quietly outed what appears to be a Chinese state-linked hacking ring, an escalation in Washington’s campaign to pressure China over its trade practices and efforts to steal intellectual property from U.S. firms.

In an indictment unsealed on Monday, federal prosecutors in Pittsburgh allege that a trio of Chinese nationals and their cybersecurity firm Boyusec hacked three companies — industrial giant Siemens, the economic analysis firm Moody’s, and the GPS navigation company Trimble — and made off with sensitive company documents.

The indictment names Wu Yingzhuo, Dong Hao, and Xia Lei. The first two are co-founders of Boyusec, while Xia was an employee. With prosecutors scrutinizing the firm, the Wall Street Journal reported Wednesday that Boyusec disbanded earlier this month.

Prosecutors made no mention in court documents of any links between Boyusec and the Chinese state, a departure from a high-profile case in 2014 from the same office that publicly linked alleged hackers to Chinese government ministries. Then, the local FBI office drew up wanted posters of the Chinese army hackers and published photographs of the accused in their army uniforms.

But a trove of public evidence and research by private security firms strongly suggests that Boyusec is an affiliate of China’s powerful Ministry of State Security and appears to operate as a cover for cyber-espionage.

“There has been a lot of accumulated evidence that these guys are tied to the state,” said John Hultquist, the director of analysis for the computer security firm FireEye.

Despite the seemingly clear links between Boyusec and the Ministry of State Security, American officials have described the case as a routine criminal prosecution rather than one that implicates a Chinese intelligence agency.

“The indictment makes no allegations regarding state sponsorship,” said Justice Department spokesman Wyn Hornbuckle, who added that prosecutors only “included the allegations that we are prepared to prove in court with admissible evidence.”

There could be several reasons for a cautious approach from the department. The evidence linking Boyusec to the Chinese government could be weak, or too sensitive to reveal in open court. At the same time, Washington and Beijing are trying to work together to rein in North Korea’s increasingly brazen weapons program, which could counsel a more cautious approach to naming and shaming. (U.S. and Chinese defense officials met Wednesday.)

Though fairly obscure, Boyusec was known to U.S. officials. In November 2016, a Defense Department intelligence assessment reportedly concluded that Boyusec was close to the Ministry of State Security and that it was working with the tech giant Huawei to “produce security products that will be loaded into Chinese-manufactured computer and telephone equipment,” according to the Washington Free Beacon.

“The doctored products will allow Chinese intelligence to capture data and control computer and telecommunications equipment,” the paper reported, citing anonymous officials. Pentagon officials did not respond to questions this week about the report.

In May, an anonymous blogger under the moniker “intrusiontruth” publicly named Wu and Dong and described Boyusec as a contractor for Chinese intelligence. In a series of blog posts, the anonymous author used a series of domain name registrations to identify Boyusec’s founders and to tie them to a hacking outfit known as APT3.

The security firm Recorded Future quickly chimed in with research of its own and backed the anonymous blogger’s conclusions. The firm concluded that Boyusec is a part of APT3 (for “advanced persistent threat”) and has worked as a contractor for China’s Ministry of State Security.

Security researchers use the term “APT3” as a moniker for a set of techniques, computer code, and hacking activity tied to a Chinese actor. It remains unclear whether Boyusec and its founders make up the entirety of the hacking operation known as APT3 or whether the firm is merely one component of APT3.

APT3 has been active since at least 2010, using valuable hacking exploits known as “zero days” to penetrate corporate targets and even the computers of Chinese dissidents.

“Many targeted organizations in the commercial sector were consistent with the stated research and development goals of the Chinese state,” Hultquist said. The group’s targets include defense firms and companies with advanced commercial technologies that could serve Beijing’s economic and military modernization agendas.

Going after political dissidents offers additional indications of state involvement, Hultquist said. “When you target dissidents you get a good idea of who you’re dealing with,” he said.

Chinese officials denied this week that they knowingly allowed APT3 and Boyusec to operate from the country’s shores. “China firmly opposes and cracks down hard on all forms of cyberattacks in accordance with the law,” Foreign Ministry spokesman Geng Shuang told reporters.

Still, U.S. reticence to call out Chinese state responsibility for the hacks represents something of a departure from the approach begun in that 2014 case, which was seen as a shot across the bow of Chinese state-sponsored hackers and a watershed moment for U.S. law enforcement. In 2015, Presidents Barack Obama and Xi Jinping reached a landmark agreement in which they pledged not to carry out economic espionage for commercial gain, though Beijing seems not to be fully honoring the pact.

Hornbuckle, the Justice Department spokesman, said U.S. officials sought Beijing’s assistance but “received no meaningful response” and decided to go public with the indictment.

David Hickton, the former U.S. attorney in Pittsburgh who oversaw the 2014 investigation, said Monday’s indictment represents the “continuation of the campaign we started” to “apply law to the digital space.”

“In a global economy, we have to protect innovation and research and development,” said Hickton, who now directs the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security. “We can’t let it be taken by cyber means.”