US indicts five in China's secret 'Unit 61398' for cyber-spying on US firms

Monday's indictment is the first the US has filed against a 'state actor' for economic cyber-theft, says Attorney General Eric Holder, citing need for 'aggressive response.' No one is expecting a trial, though, so why do it?

Charles Dharapak/AP
Attorney General Eric Holder speaks at a news conference at the Justice Department in Washington, Monday, May 19, 2014. Holder announced that a US grand jury has charged five Chinese hackers with economic espionage and trade secret theft, the first-of-its-kind criminal charges against Chinese military officials in an international cyber-espionage case.

After years of complaining that China is engaged in stealing trade secrets from American companies, the United States on Monday for the first time filed cyber-espionage charges against individuals belonging to a unit of the Chinese military, accusing them of hacking trade secrets since 2006 from five domestic manufacturers and the steelworkers union.

The indictment, filed by the US Attorney's Office for the Western District of Pennsylvania, where several of the US companies are based, names five Chinese nationals who worked for China's People's Liberation Army (PLA) in Unit 61398, a cyber-intelligence-gathering section. It alleges that state-owned companies hired the unit to provide “information technology services” that included economic cyber-espionage.

The PLA workers named in the indictment are not in US custody, and probably never will be. By taking this legal action, the US is signaling to China that its tolerance of economic cyber-spying, which results in loss of American firms' competitive position on the world market, is at a breaking point.

“This is a very welcome toughening of our stance toward a wave of industrial espionage that has been going on for years,” says one former senior US intelligence official who asked not to be named so as to preserve political ties. “The question now is whether this case will lead to sanctions against Chinese companies or products that profited from the thefts. That would be a difficult gap to jump.”

The stolen trade secrets, the US indictment states, would in some cases give Chinese companies insights into US companies' pricing, manufacturing techniques, and negotiating positions. In other cases, the five conspirators stole sensitive e-mails and other documents that gave Chinese firms insider knowledge of strategy and vulnerabilities of those US companies, it adds. The US companies attacked are in the steel, solar, nuclear power, and specialty metals industries.

In announcing the unprecedented indictment, US Attorney General Eric Holder said the intent is to step up US efforts to bring to account perpetrators of state-sponsored economic hacking that undermines long-term US competitiveness.

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” US Attorney General Eric Holder told reporters. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.”

Mr. Holder also sought to make a distinction between the kind of government-sponsored cyber-espionage in which the US engages, for political and military intelligence, and other nations' cyber-spying for economic advantage. The US, he said, does not steal trade secrets. 

“Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets,” the attorney general said. “This administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

In response, Chinese officials announced suspension of a US-China diplomatic working group set up to discuss cyber problems between the two countries.

The Chinese Embassy in Washington cited the US for its own cyber-espionage activities. "It is a fact known to all that relevant US institutions have long been involved in large-scale and organized cyber theft as well as wiretapping and surveillance activities against foreign political leaders, companies and individuals," the government statement read, referring apparently to news reports about National Security Agency surveillance programs.

"China is a victim of severe U.S. cyber theft, wiretapping and surveillance activities," the statement continued. The indictment, it said, is based on "fabricated facts."

The indictment alleges that the five defendants – Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui – are officers of Unit 61398 of the Third Department of the PLA who hacked into the computer networks of five US companies and the United Steelworkers Union. Mr. Huang and Mr. Gu are also said to have managed the domain accounts used in the attacks.

Once inside, the PLA hackers set up back doors on the companies' networks so they could maintain their clandestine footholds even if discovered – all the while downloading gigabytes of proprietary data useful to state-owned Chinese companies that compete with the American companies, the indictment says.

The 31-count indictment includes conspiracy; accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain; transmitting a program, information, code, or command with the intent to cause damage to protected computers; aggravated identity theft; economic espionage; and trade secret theft. Penalties range from 5 to 15 years per count.

The alleged cyber-spying, said to have continued through last month, targeted some of America's top manufacturers: nuclear power plant maker Westinghouse Electric Co., the US-based subsidiary of SolarWorld AG, United States Steel Corp., and Allegheny Technologies. 

Many of the attacks involved “spear phishing,” in which fake e-mails sent in the names of senior company officials are directed at other workers, who then open attachments or click on links that deliver malicious software, according to the indictment. The software then “beacons” back to “hop points” – US-based computers under the attackers' control. Those computers in turn communicate with command-and-control computers in China – some of them “in the vicinity of 208 Datong Road” in Shanghai, the indictment states.
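The beaconing pattern described above is what a defender can actually look for: an implant phoning home to a hop point does so on a schedule, whereas a person browsing does not. The following is an added example, not code from the article, the indictment, or Mandiant; it runs a simple periodicity check over constructed proxy-log lines (timestamps, hosts, and the 10.x / RFC 5737 documentation addresses are all made up for illustration), flagging any source-destination pair whose connection intervals are nearly constant. The minimum event count and the coefficient-of-variation threshold are assumptions to tune against real traffic, and real implants add jitter to defeat exactly this check, which is why the threshold is not zero.

```python
"""Toy beaconing detector for the spear-phishing -> hop-point pattern.

Added example. The log lines below are constructed; addresses are from
RFC 5737 documentation ranges and private space, not real hop points.
Log format assumed here: "<ISO timestamp> <src> <dst> <bytes>" per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-proxy log. Host 10.1.1.20 beacons to 198.51.100.7
# roughly once a minute; 10.1.1.21 browses 203.0.113.50 at random times;
# 10.1.1.22 touches 203.0.113.9 too rarely to judge.
SAMPLE_LOG = """\
2014-04-01T09:00:00 10.1.1.20 198.51.100.7 512
2014-04-01T09:00:05 10.1.1.21 203.0.113.50 40210
2014-04-01T09:00:07 10.1.1.21 203.0.113.50 1833
2014-04-01T09:01:01 10.1.1.20 198.51.100.7 520
2014-04-01T09:02:00 10.1.1.20 198.51.100.7 512
2014-04-01T09:03:02 10.1.1.20 198.51.100.7 518
2014-04-01T09:03:40 10.1.1.21 203.0.113.50 9920
2014-04-01T09:04:00 10.1.1.20 198.51.100.7 512
2014-04-01T09:04:10 10.1.1.21 203.0.113.50 77001
2014-04-01T09:05:01 10.1.1.20 198.51.100.7 515
2014-04-01T09:06:00 10.1.1.20 198.51.100.7 512
2014-04-01T09:07:01 10.1.1.20 198.51.100.7 519
2014-04-01T09:10:00 10.1.1.22 203.0.113.9 300
2014-04-01T09:12:00 10.1.1.21 203.0.113.50 5012
2014-04-01T09:12:03 10.1.1.21 203.0.113.50 120
2014-04-01T09:20:00 10.1.1.22 203.0.113.9 300
2014-04-01T09:30:00 10.1.1.21 203.0.113.50 65000
2014-04-01T09:30:00 10.1.1.22 203.0.113.9 300
"""


def parse(log_text):
    """Yield (timestamp, src, dst, bytes) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(log_text, min_events=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    min_events: ignore pairs with too few connections to judge regularity.
    max_cv:     coefficient of variation (stdev / mean) of the gaps at or
                below which a pair is called a beacon. Both are assumptions.
    Returns {(src, dst): {"interval_s", "cv", "count"}} for flagged pairs.
    """
    events = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        events[(src, dst)].append(ts)

    flagged = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {
                "interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "count": len(times),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"possible beacon {src} -> {dst}: every ~{info['interval_s']}s "
              f"(cv={info['cv']}, n={info['count']})")
```

On the constructed log only the 10.1.1.20 -> 198.51.100.7 pair is flagged (eight connections about 60 seconds apart). Hop points are chosen precisely because a US destination looks unremarkable, so the useful signal is the timing and the destination's novelty for the organisation, not its geography; a production version would run this per day over proxy or NetFlow data and rank new destinations first.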

This is not the first time Chinese cyber-spies have been linked to the PLA, which occupies the white, 12-story office building at that address. In early 2013, Mandiant, a US cyber-security firm, identified attackers linked to the same PLA unit – and was lambasted by some experts for trying to pin cyber-attacks on specific individuals and units.

In fact, one attacker named in the Mandiant report went by the hacker alias “UglyGorilla.” The US indictment states that Wang Dong also went by the names “Jack Wang” and “UglyGorilla.”

To Richard Bejtlich, who oversaw the Mandiant study, Monday's indictment sounds very familiar.

“When we did it, we wanted to show these were real people – who had jobs, this is what they did for a living,” says Mr. Bejtlich, now chief security strategist for FireEye, which acquired Mandiant early this year. “No, I don’t think this indictment will ever lead to these guys being extradited to stand trial in the US. But it does serve the larger narrative that America does not like this activity – having US companies raided and their intellectual property stolen en masse.”

Indeed, the US appears to be sending multiple messages that it intends to take a harder line on hackers overall. In a separate case, US officials in New York on Monday announced the arrests of 97 people worldwide alleged to have used malware dubbed BlackShades to hack computers.

The five US companies said to be targets of Chinese cyber-spying represent a tiny fraction of all cyber-theft from American firms, notes Bejtlich. Mandiant reported observing a group – which it dubbed “APT1” and also identified as Unit 61398 – infiltrating and then stealing data from computer networks of at least 141 companies spanning 20 industries over nearly a decade. Of the targeted companies, 115 were in the US, seven were in Canada and Britain, and 17 of 19 others conducted their business in English.

Last year, the FBI reportedly notified at least 3,000 US companies that they had been cyber-attacked – and that most of the attacks appeared to come from China. Theft of intellectual property costs US firms about $300 billion a year – or about 2 percent of gross national product, according to a 2013 report by the Commission on the Theft of American Intellectual Property.

The Chinese defendants can't be tried in absentia, Bejtlich notes. But civil suits seeking to recover economic damages may be a possibility, now that the government has laid out its evidence. While much of that evidence may be classified, making civil cases more difficult to prove, there is some satisfaction in finally putting names and faces on attacks that have undermined the US economy, some officials say.

“This 21st century burglary has to stop,” David Hickton, US attorney for the Western District of Pennsylvania, said Monday in a statement. “This prosecution vindicates hard-working men and women in western Pennsylvania and around the world who play by the rules and deserve a fair shot and a level playing field.”
