U.S. attorney in Pittsburgh says Chinese hackers attacked U.S. companies |

U.S. attorney in Pittsburgh says Chinese hackers attacked U.S. companies

Aaron Aupperlee
Andrew Russell | Tribune-Review
Acting U.S. Attorney for Western Pennsylvania Soo C. Song announces the indictment of several Chinese hackers at the U.S. District Courthouse in Downtown Pittsburgh on Monday, Nov. 27, 2017. (Trib photo)

A trio of Chinese hackers used phishing scams and malware to attack Moody’s Analytics, Siemens AG and GPS manufacturer Trimble Inc., according to a federal indictment filed in Pittsburgh and unsealed Monday.

Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.

The most serious charge, wire fraud, carries a sentence of up 20 years in federal prison. Each conspiracy charge has a possible sentence of up to 10 years and the identity theft carries a sentence of up to two years.

“Any company should be able to succeed based upon its ability to innovate and to compete without being sabotaged by cyber hacking,” Song said Monday.

.lemonwhale-embed-container { position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden; max-width:100%; }.lemonwhale-embed-container iframe { position: absolute; top: 0; left:0; width: 100%; height: 100%; }

The network of a Siemens office in Plum was allegedly breached in the attacks, giving Song’s office jurisdiction to take the case.

Song took over the top federal prosecutor job in Pittsburgh a year ago when David Hickton, appointed by President Barack Obama, stepped down. He now heads the University of Pittsburgh’s Institute for Cyber Law, Policy and Security.

President Donald Trump has nominated Scott W. Brady to take over the office. The U.S. Senate Judiciary Committee approved Brady’s nomination Nov. 16. Brady’s nomination awaits a vote by the full Senate.

Song was Hickton’s second-in-command in an office that distinguished itself nationally and internationally with aggressive investigations into cyber crimes. The office in 2014 brought charges against five members of China’s military for stealing trade secrets and other confidential information from Alcoa, Allegheny Technologies Inc., Westinghouse Electric Co., U.S. Steel Corp., the United Steelworkers union and a German-owned solar manufacturer in Oregon.

“Prosecutions and indictments are powerful tools in our arsenal to stop conduct,” Song said. “Whether a defendant is in China, Russia, Nigeria, we follow the evidence. We identify the actor behind the computer screen, and we bring the criminal charge.”

Song said there does not appear to be a link between the cyber attacks alleged in the most recent indictment and the Chinese government or military.

Song dismissed criticism that indictments such as the ones against Wu, Dong, Xia and the Chinese military members would never result in the accused standing trial in the federal courthouse in Downtown Pittsburgh. Investigators maintain hope that the accused will be arrested and brought to Pittsburgh.

The defendants could be arrested while traveling, Song said.

Between September, when the indictment was filed, and Monday, federal prosecutors informed the Chinese government of the indictment and sought its cooperation, Song said.

“That process is ongoing at higher levels within the Executive (Branch) and the Justice Department,” Song said.

What prosecutors allege

The indictment alleges that Wu, Dong and Xia worked with Guangzhou Bo Yu Information Technology Co. Ltd., a Chinese cybersecurity firm in Guangzhou, but used their skills to launch attacks on corporations in the U.S.

Between 2011 and May 2017, the trio stole files containing documents and data pertaining to a new technology under development by Trimble, along with employee usernames and passwords and 407 gigabytes of proprietary data concerning Siemens’ energy, technology and transportation efforts, according to the indictment.

The trio gained access to the internal email server at Moody’s Analytics and forwarded all emails sent to an “influential economist” working for the firm, the indictment stated. Those emails contained proprietary and confidential economic analyses, findings and opinions. The economist was not named in the indictment.

A Siemens spokesperson said that the company “rigorously” monitors and protects its infrastructure and continually detects and hunts for breaches. The company did not comment on the alleged breach by the Chinese hackers and declined to comment on internal security measures.

Michael Adler, a spokesman for Moody’s Analytics, said that to the company’s knowledge no confidential consumer data or other personal employee information was exposed in the alleged hack.

“We take information security very seriously and continuously review and enhance our cybersecurity defenses to safeguard the integrity of our data and systems,” Adler wrote in an email to the Tribune-Review.

Trimble, in a statement sent to the Trib, wrote that no client data was breached. The company concluded that the attack had no meaningful impact on its business.

Feds claim losses to companies ‘considerable’

Song, however, said the loss to the companies targeted was considerable.

“The fruit of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies,” Song said.

Wu, Dong and Xia used “spearphish” emails to gain access to computers, spread malware to infect networks and covered their tracks by exploiting other computers known as “hop points.”

Hop points allow users to hide their identities and locations by routing themselves through third-party computer networks.

“But there were missteps that led our investigators right to them,” said FBI Special Agent in Charge Bob Johnson, of the Pittsburgh office.

Johnson would not elaborate on the missteps, claiming doing so could jeopardize future investigations.

The U.S. Attorney’s Office led the investigation and was assisted by the FBI’s Pittsburgh Division, the Navy Criminal Investigative Service Cyber Operations Field Office and the Air Force Office of Special Investigations.

Aaron Aupperlee is a Tribune-Review staff writer. Reach him at [email protected], 412-336-8448 or via Twitter @tinynotebook.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.