U.S. Charges 5 Chinese with Hacking

DoJ: Attacks Resulted in Plants Shuttered, Jobs Lost
U.S. Charges 5 Chinese with Hacking
U.S. Attorney General Eric Holder

Five Chinese military officers have been indicted for hacking U.S. companies - incidents that had major consequences, including the shuttering of three American steel plants, U.S. Justice Department officials say.

See Also: Core Elements of Modern Workforce Identity Security

A federal grand jury in Pittsburgh on May 19 handed up 31 indictments against officers of Unit 61398, the Shanghai Chinese People's Liberation Army unit identified in a February 2013 Mandiant report that detailed breaches of business and government computer systems in the U.S. and other nations (see 6 Types of Data Chinese Hackers Pilfer).

The government identified the victims of the hacks, which allegedly occurred between 2006 and 2014, as aluminum manufacturer Alcoa, specialty metals producer Allegheny Technologies, the U.S. subsidiaries of Germany's solar-power-products maker SolarWorld, steelmaker United States Steel, trade union United Steelworkers and nuclear plant builder Westinghouse Electric.

Attorney General Eric Holder, speaking at a press conference, says this case isn't about one nation spying on another nation. "All nations are engaged in intelligence gathering," Holder says. "What I think distinguishes this case is that we have a state-sponsored entity, state-sponsored individuals using intelligence tools to gain commercial advantage."

The indictment won bipartisan backing in Congress. The chairman and ranking Democrat on the House Intelligence Committee issued a statement saying Beijing must be held accountable for manipulating the free market through cyber-economic espionage. "While every nation collects information to protect itself, it is unacceptable for any nation to steal intellectual property simply to get rich at other nations' expense," says the statement from Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md.

The Impact

David Hickton, U.S. Attorney for the Western District of Pennsylvania, directly ties the closing of three U.S. Steel fabrication plants to the cyber-attacks. "When these intrusions hit, the market was flooded with below-cost pipe from the Chinese, these plants were padlocked and people lost their jobs," Hickton said. "It has a real, negative impact."

The Justice Department identified the defendants as Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zheny and Gu Chunhui, all officers in Unit 61398. The indictment alleges that Wang, Sun and Wen, along with others, hacked or attempted to hack into U.S. entities between 2006 and 2014 while Huang and Gu supported their conspiracy by, among other things, managing infrastructure such as domain accounts used for hacking.

John Carlin, assistant attorney general for national security, alleges the Chinese stole cost, pricing and strategy information from SolarWorld computers about the time the solar products manufacturer was losing market share to Chinese competitors who priced their export products below cost.

Carlin says the hackers also stole trade secret designs for components of nuclear power plants from Westinghouse as the U.S. company was negotiating with a Chinese state-owned enterprise over the construction of nuclear power plants.

"To be clear, this conduct is criminal," Carlin says. "And it is not conduct that most responsible nations within the global economic community would tolerate."

Holder says the alleged hacking appears to have been conducted for no reason other than to gain an advantage for state-owned companies and other interests in China at the expense of businesses in the United States. "When a foreign nation uses military or intelligence resources and tools against an American executive or corporation to obtain trade secrets or sensitive business information for the benefit of its state-owned companies, we must say, enough is enough," Holder says. "... This case should serve as a wake-up call to the seriousness of the ongoing cyberthreat. These criminal charges represent a groundbreaking step forward in addressing that threat."

The Allegations

The indictment alleges:

  • While Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese state enterprise, including technology transfers, defendant Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports and pipe routing within the AP1000 plant buildings. Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with the state-sponsored enterprise, Sun stole sensitive, non-public and deliberative e-mails belonging to senior executives responsible for Westinghouse's business relationship with the Chinese enterprise.
  • In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had dumped products into U.S. markets at prices below fair market value, defendant Wen and at least one other unidentified co-conspirator stole thousands of files, including information about SolarWorld's cash flow, manufacturing metrics, production line information, cost, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld's business operations aggressively from a variety of angles.
  • U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise, in 2010. Shortly before the scheduled release of a preliminary determination in one such litigation, defendant Sun sent spear phishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers, including those that controlled physical access to company facilities and mobile device access to company networks. Afterward, Wang took steps to identify and exploit vulnerable servers on that list.
  • Allegheny Technology in 2012 was engaged in a joint venture with a Chinese state enterprise, competed with that enterprise and was involved in a trade dispute with the enterprise. In April of that year, Wen gained access to Allegheny Technology's network and stole network credentials for virtually every employee.
  • The United Steelworkers Union in 2012 was involved in public disputes over Chinese trade practices in at least two industries in 2012. At or about the time the union issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior union employees containing sensitive, non-public and deliberative information about the labor group's strategies, including strategies related to pending trade disputes. The union's computers continued to send data to the conspiracy's infrastructure until at least early 2013.
  • About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise in February 2008, Sun sent a spear phishing e-mail to Alcoa. Around 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa's computers, including internal discussions concerning that transaction.
  • Defendant Huang facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into American entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for a state-sponsored enterprise, including the creation of a secret database designed to hold corporate intelligence about the iron and steel industries, including information about American companies.
  • Defendant Gu managed domain accounts used to facilitate hacking activities against American entities and also tested spear phishing e-mails in furtherance of the conspiracy.

Chinese Issue Denial

A Chinese Foreign Ministry spokesman denied the accusations, saying China steadfastly upholds cybersecurity. "The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber-theft of trade secrets," spokesperson Qin Gang says in a statement. "The U.S. accusation against Chinese personnel is purely ungrounded and absurd."

Making reference to the leaks about National Security Agency spying based on the revelations of Edward Snowden, the spokesperson accuses the United States with "large-scale and organized cyber-theft. ... China is a victim of severe U.S. cyber-theft, wiretapping and surveillance activities."

China also suspended cooperation on cybersecurity with the United States. "Given the lack of sincerity on the part of the U.S. to solve issues related to cybersecurity through dialogue and cooperation, China has decided to suspend activities of the China-U.S. Cyber Working Group," the spokesperson says. "China will react further to the U.S. indictment as the situation evolves."

Adam Segal, senior fellow for China studies at the Council of Foreign Affairs, says it's not uncommon for China to suspend such talks; China suspended negotiations with the U.S. over American arm sales to Taiwan. "They needed some way to react," he says.


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.