Chinese IT security bods accused of siphoning US GPS, biz blueprints

Three Chinese nationals went on a six-year hacking spree against American targets, siphoning financial reports and tech blueprints, US prosecutors allege.

Wu Yingzhuo, Dong Hao and Xia Lei, all thought to be residing in the city of Guangzhou, China, stand accused of eight counts of conspiracy to commit computer fraud and conspiracy to commit trade secret theft, conspiracy and identity theft in an indictment before a district court in western Pennsylvania. The court paperwork, filed in September, was unsealed on Monday.

"Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information," said acting US Attorney Soo Song.

The indictment states that Wu and Dong set up a security consultancy known as the Guangzhou Bo Yu Information Technology Company, or Boyusec, and they employed Xia as a consultant. But behind their legitimate exterior, the US government claimed, the trio, and unnamed coconspirators, were running a sophisticated hacking ring.

From 2011, the trio sent out a series of highly targeted emails containing malware dubbed exeproxy, according to court documents. The software nasty, thought to exploit a zero-day flaw in Internet Explorer to infect Windows PCs, proved very successful: it opens a backdoor to the machine, encrypting its communications between itself and the command-and-control server used by miscreants to orchestrate it.

Bad mood

The gang is accused of compromising several corporate email accounts belonging to staff at the ratings and financial services agency Moody's. One victim was a high-profile member of the company, and the attackers managed to set up a redirect on his inbox so that they got copies of all messages, including financial analysis and buying recommendations, for at least three years.

Another target was the industrial conglomerate Siemens, and the phishing campaign netted at least two major staffers in the US in 2014. Using stolen login credentials Dong is accused of stealing 407GB of proprietary information from its energy, technology and transport departments.

The following year the trio is accused of accessing the servers of engineering firm Trimble, which is working on the GPS satellite network's hardware. The firm had spent millions and three years developing a new kind of antenna for commercial global positioning satellites, and it appears this technology was the target.

Last January, Wu got into the Trimble servers, it is claimed, and prepared a 252MB .zip archive containing trade secrets. The file contained 773 pages of technical specifications, business documents and design blueprints, as well as plans to bring the new hardware to market, we're told.

The firm suffered two more intrusions that month, with smaller amounts of data being stolen, including subscriber information, it is claimed. In all around 275MB of material was removed.

"The fruits of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies in terms of research, development, testing, trade secrets and the cost to remediate these cyber intrusions," said Soo Song.

Now prosecutors will have to wait. As we said, the trio of accused consultants are all thought to be living in China – good luck extraditing them. ®