Saturday, December 2, 2017

Indictments vs. 3 Chinese nationals spotlight criminal activities of Gothic Panda hackers



A TRIO of Chinese computer experts, believed to be part of a criminal group called Gothic Panda, allegedly used phishing scams and malware to attack 3 U.S.-based companies, according to a federal indictment filed in Pittsburgh and unsealed Monday (Nov. 27).
Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.

An indictment was unsealed Monday (Nov. 27) against the three alleged hackers, Chinese nationals and residents of China, who work for the purported China-based Internet security firm Guangzhou Bo Yu Information Technology Company Limited (a/k/a “Boyusec”).

“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information,” said Song during a press conference.


The targeted companies included Moody's Analytics, Siemens AG and Trimble Inc., a GPS manufacturer.

“These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”

Song said arrest warrants had been issued for the three men, but the case was not being prosecuted as state-sponsored hacking.


The hacking group described in the indictment has been active since 2007. The group, known to some cyber security experts as “Gothic Panda,” was active as recently as September, said one expert. It has targeted aerospace and defense, chemical, energy, financial, healthcare, industrial and transportation firms in Britain, France, Hong Kong, the United States and other western nations, he said.


Chinese foreign ministry spokesman Geng Shuang told a regular press briefing on Tuesday (Nov. 28) that he was unclear on the details of the case but added that China opposes hacking and wants to work with other countries to ensure global security.

“China firmly opposes and responds in accordance with the law to all forms of cyber attacks,” Geng said.

Siemens has 13 offices in Western Pennsylvania, including a facility in the Westmoreland Business & Research Park in Upper Burrell and Washington Township, an automated rail factory in Munhall and East Pittsburgh and health care offices in Green Tree and Pittsburgh. A computer network in at least one of those offices was breached in the attacks, according to the indictment, which was filed in September.

The trio worked at or with a Chinese cybersecurity firm in Guangzhou, China. They're accused of stealing emails, employee usernames and passwords, proprietary commercial data and important documents, according to the indictment.

Between June 2015 and August 2015, about 407 gigabytes of data were stolen from Siemens' network. The emails of an economist working for Moody's were hacked and forwarded to the three. About 275 megabytes of computer files were stolen from Trimble, many with confidential or proprietary information and trade secrets about a new project by the company.

According to court documents, the three suspects along with others known and unknown to the grand jury (collectively, “the co-conspirators”) coordinated computer intrusions against businesses and entities operating in the U.S. and elsewhere.


To accomplish their hacks, the co-conspirators would, for example, send spearphishing e-mails to employees of the targeted entities, which included malicious attachments or links to malware. If a recipient opened the attachment or clicked on the link, such action would facilitate unauthorized, persistent access to the recipient’s computer.

With such access, the co-conspirators would typically install other tools on victim computers, including malware the co-conspirators referred to as “ups” and “exeproxy.” In many instances, the co-conspirators sought to conceal their activities, location and Boyusec affiliation by using aliases in registering online accounts, intermediary computer servers known as “hop points” and valid credentials stolen from victim systems.

The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems.

For the three hacked businesses, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.

“In order to effectively address the cyber threat, a threat that respects no boundaries and continues to grow in both its scope and complexity, law enforcement must come together and transcend borders to target criminal actors no matter where they are in the world,” said the FBI's Special Agent in Charge Robert Johnson.
