A criminal complaint just unsealed by the Department of Justice reveals a malicious insider’s ingenious data theft idea.

The DoJ’s complaint against New York-based engineer Xiaoqing Zheng accuses him of using steganography (a means of hiding a data file within another data file) to steal secrets from General Electric.

According to the DoJ, Zheng conspired with his business partner Zhaoxi Zhang from China to steal GE’s turbine technology secrets for delivery to the People’s Republic of China.

The indictment accuses Zheng, a former sealing technology engineer at the company, of stealing electronic files related to its gas and steam turbines.

Zheng had copied thousands of files to a USB key, and GE noticed. Investigators questioned him, and he said he’d deleted them. The company then banned the use of USB drives and locked down its computers’ USB ports.

Then, the complaint alleges, he got clever. On July 5, 2018, he used steganography to conceal data from 40 Excel and MATLAB files.

“Zheng placed the aforementioned electronic files into the binary code of an innocuous looking separate electronic file on the computer—a digital photograph of a sunset,” the complaint says. Then, he emailed the photo to his personal address.

He then transferred the files to Zhang in China, alleges the DoJ, and the pair used the secrets to further their business interests in two companies: Liaoning Tianyi Aviation Technology Co., Ltd and Nanjing Tianyi Avi Tech Co. Ltd.

According to the complaint, the Chinese government funded these companies, which also had research agreements with state-owned institutions to develop turbine technologies.

The DoJ charged Zheng on six counts of economic espionage, carrying a maximum 15-year sentence and a fine of up to $5m. Seven counts of trade secrets theft could get him up to 10 years in jail and up to $250,000 in fines. The final count—lying to the FBI—carries up to five years and a possible $250,000 penalty.

All of which goes to show how sneaky a malicious insider can be. GE caught Zheng because it monitored his computers, the complaint says. How many other companies will let insider threats like this slip through?
