A federal grand jury in Pennsylvania indicted five Chinese military officers for economic espionage and trade secret theft this morning.  According to the indictment, the five officers engaged in an elaborate conspiracy to hack into the computer networks of five U.S.-based companies, as well as a labor organization, to steal trade secrets and proprietary information that would be useful to Chinese competitors and state-owned enterprises.

This is the first-ever indictment against a state actor involving this type of cyber espionage. U.S. Attorney General Eric Holder remarked:

“This is a case alleging economic espionage by members of the Chinese military and represents the first-ever charges against a state actor for this type of hacking. The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

The indictment included 31 counts, charging the five officers with computer fraud and abuse; aggravated identity theft; economic espionage; and trade secret theft.  The alleged criminal conduct occurred from 2006-2014 and targeted Westinghouse Electric Co.; U.S. subsidiaries of SolarWorld AG (SolarWorld); U.S. Steel Corp.; Allegheny Technologies, Inc. (ATI); Alcoa, Inc.; and the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW).

A DOJ press release provides the following summary of the alleged criminal conduct:

  • In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, an officer stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings. Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, the officer stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1.
  • In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.
  • In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, an officer sent spear phishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, he stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). He thereafter took steps to identify and exploit vulnerable servers on that list.
  • In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee.
  • In 2012, the USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, an officer stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.
  • About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, an officer sent a spear phishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction.
  • An officer facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 of the Chinese Army assigned him to perform programming work for SOE-2, including the creation of a “secret” database designed to hold corporate “intelligence” about the iron and steel industries, including information about American companies.
  • An officer managed domain accounts used to facilitate hacking activities against American entities and also tested spear phishing e-mails in furtherance of the conspiracy.

We anticipate numerous developments will stem from this indictment. As the New York Times reported, the move marked “a rare instance of the United States charging foreign government employees with economic espionage” and “increased the tensions between American and Chinese officials who have accused each other in public and in private of using military assets to initiate hacks and cyber attacks.”  Stay tuned, as we’ll continue to report on any significant developments.