5 min read

US accuses China of spying on companies, names PLA officers they believe are responsible


May 20, 2014

Promo Protect all your devices, without slowing them down.
Free 30-day trial
US accuses China of spying on companies, names PLA officers they believe are responsible

The United States has today aggressively named five Chinese military officers that it says hacked into American firms in an eight-year hacking campaign, with the intention of stealing commercially sensitive secrets.

The officers, who America claims are all officers in Unit 61398 of the Third Department of the PLA (Chinese People’s Liberation Army) have been indicted on 31 criminal counts, including conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The same PLA Unit was previously blamed for a high-profile hacking attack against the New York Times

Each of the five were said by US Attorney General Eric Holder to have provided individual expertise in attacks against the computer networks of six American firms, while those companies were involved in business with, or pursuing legal action against, state-owned organisations in China.

According to a Department of Justice press statement, the hacking took place between 2006 and 2014.

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company`s ability to innovate and compete, not on a sponsor government`s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

What is more, the United States is not shying away from naming the companies which it believes the Beijing-backed hackers targeted:

  • Westinghouse Electric Co. (Westinghouse)
  • U.S. subsidiaries of SolarWorld AG (SolarWorld)
  • United States Steel Corp. (U.S. Steel)
  • Allegheny Technologies Inc. (ATI)
  • the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW)
  • Alcoa Inc.

Who hacked what?

Here is a summary of what the United States alleges happened in the case of each corporate victim:

In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun Kailiang stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.

Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun Kailiang stole sensitive, non-public, and deliberative emails belonging to senior decision-makers responsible for Westinghouse`s business relationship with SOE-1.

In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen Xinyu and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld`s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld`s business operations aggressively from a variety of angles.

US Steel
In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun Kailiang sent spearphishing emails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these emails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang Dong stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang Dong thereafter took steps to identify and exploit vulnerable servers on that list.

In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen Xinyu gained access to ATI`s network and stole network credentials for virtually every ATI employee.

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen Xinyu stole emails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW`s computers continued to beacon to the conspiracy`s infrastructure until at least early 2013.

About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun Kailiang sent a spearphishing email to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of email messages and attachments from Alcoa`s computers, including internal discussions concerning that transaction.

Supporting activities
Huang Zhenyu facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for SOE-2, including the creation of a “secret” database designed to hold corporate “intelligence” about the iron and steel industries, including information about American companies.

Gu Chunhui managed domain accounts used to facilitate hacking activities against American entities and also tested spearphishing emails in furtherance of the conspiracy.

China’s response

Predictably enough, the Chinese say they are less than impressed by the United States’ announcement naming alleged cybercriminals in the ranks of the People’s Liberation Army.

The BBC quotes a Chinese spokesman as saying that the allegations were “made up” and would damage relations between the two countries.

“China is a staunch defender of network security, and the Chinese government, military and associated personnel have never engaged in online theft of trade secrets,” said Qin Gang.

“They’re all at it”

Let’s face facts.

America has been feeling the heat in the last year as more and more embarrassing revelations have been made of NSA-sponsored surveillance on the companies and citizens of foreign countries (and even friendly foreign leaders), so it must be eager to put the boot on the other foot for once.

I don’t know whether these particular Chinese gentlemen are responsible for hacking attacks against US companies or not, but I do believe that it is very likely that most developed countries have put resources into spying and infiltrating the networks of organisations and governments around the world – for political, economic and military advantage.

In short, if it wasn’t these gentlemen – chances are that someone else in China is being paid to do something very similar.

And not just China. The same will be true of the Americans, the British, the French, the Germans, the list surely goes on and on…

We’ve well and truly entered a new era of cybercime, backed by governments and intelligence agencies. The reality is that we all have to protect our networks, because we might be either the next target or the weak link in the chain that allows the hackers to reach their intended goal.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like