U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S. based companies, including sensitive data from Siemens industrial groups and accessing a high-profile email account at Moody’s.
Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.
Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.
According to the FBI, the hackers work for Guangzhou Bo Yu Information Technology Company Limited, a firm that purports to be a China-based Internet security firm also known as “Boyusec.”
Tracked as APT3 by FireEye, and Gothic Panda by CrowdStrike, the group is also known as UPS Team, Buckeye and TG-0110, and has previously been linked to the Chinese Ministry of State Security (MSS).
“We’ve tracked their activity back to 2007 and they are one of the most technically advanced state-affiliated actors in China,” Adam Meyers, VP of Intelligence at CrowdStrike, told SecurityWeek. “Their previous targeting includes industries such as Aerospace, Defense, Energy, Technology, NGOs, etc., that are primarily aligned with China’s economic objectives.”
In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that Boyusec had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.
According to the indictment, the hackers:
• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.
• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.
• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.
“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”
Intrusiontruth previoysly conducted an analysis of APT3’s command and control (C&C) infrastructure, and analyzed domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.
Researchers noticed last year that the group had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”
CrowdStrike has seen an uptick in activity by the group since 2016, Meyers said.
In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents to support their espionage efforts.
“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information,” said Acting U.S. Attorney Song. “These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”