US indicts Chinese hackers belonging to APT3 for espionage on Siemens and Moody’s

Pierluigi Paganini November 28, 2017

US authorities have filed official charges against three Chinese hackers who are part of the elite cyber-espionage unit APT3.

US authorities charged three China-based hackers with stealing sensitive information from US-based companies, including Siemens AG, and with accessing a high-profile email account at Moody’s.

The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”

While Wu and Dong are founding members and shareholders of the China-based company, Xia is just an employee.

Do you remember the Boyusec name?

Several reports published in May 2017 linked the Boyusec firm to the infamous APT3 group, a cyber-espionage group under the control of the Chinese Government.

APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010.


On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blog posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and the network equipment manufacturer Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors, which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing,” continues the analysis. “According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence ‘to capture data and control computer and telecommunications equipment.’ The article quotes government officials and analysts stating that Boyusec and the MSS are ‘closely connected,’ and that Boyusec appears to be a cover company for the MSS.”

The Chinese men have been charged in Pittsburgh with using malware to steal data from the international corporations, including Siemens AG, which has Pittsburgh offices.

The federal indictment, filed in September, was unsealed Monday. The men were charged by a grand jury with cyber-attacks against three corporations in the financial, engineering and technology industries between 2011 and May 2017. The victims are Moody’s Analytics, Siemens, and the GPS technology firm Trimble.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.
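The Moody’s intrusion above hinged on a mailbox forwarding rule that silently copied a prominent employee’s mail to attacker-controlled web-mail accounts. The following is an added example, not code from the article or from any vendor, of the audit a defender would run over an export of inbox rules: it flags enabled rules that forward to domains outside the organisation and rates a rule with no conditions (so it forwards every message it sees) as the most severe. The JSON shape, the field names and the sample rules are constructed for this illustration.

```python
import json
from dataclasses import dataclass

# Constructed sample export of mailbox rules; the field names are an
# assumption for this example, not any real product's schema.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "analyst@corp.example", "name": "Archive newsletters",
   "conditions": {"from_contains": "newsletter"}, "forward_to": [], "enabled": true},
  {"mailbox": "exec@corp.example", "name": "sync",
   "conditions": {}, "forward_to": ["backup.mail.2017@webmail.example.net"], "enabled": true},
  {"mailbox": "hr@corp.example", "name": "to assistant",
   "conditions": {"subject_contains": "travel"}, "forward_to": ["assistant@corp.example"], "enabled": true}
]
"""

INTERNAL_DOMAINS = {"corp.example"}  # constructed; use your own mail domains

@dataclass
class Finding:
    mailbox: str
    rule: str
    targets: list
    forwards_everything: bool

def external_targets(addresses, internal_domains):
    """Return the forwarding targets whose domain is not one of ours."""
    out = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            out.append(addr)
    return out

def audit_forwarding_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Flag enabled rules that forward mail outside the organisation.
    A rule with an empty condition set matches every message, which is the
    'forward all emails' pattern described in the indictment."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", True):
            continue  # disabled rules cannot exfiltrate anything
        ext = external_targets(rule.get("forward_to", []), internal_domains)
        if ext:
            findings.append(Finding(rule["mailbox"], rule["name"], ext,
                                    forwards_everything=not rule.get("conditions")))
    return findings

if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES_JSON):
        sev = "HIGH" if f.forwards_everything else "MEDIUM"
        print(f"[{sev}] {f.mailbox}: rule '{f.rule}' forwards to {', '.join(f.targets)}")
```

Internal forwarding (the HR rule) is deliberately not flagged, so the output stays small enough to review by hand on a real tenant; add the internal case back if your policy forbids any forwarding at all.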

All three indicted suspects are still at large and currently residing in China.


Pierluigi Paganini

(Security Affairs – APT3, cyber espionage)
