US Charges Chinese Agents In Hacking Scheme, More Cases Expected (#GotBitcoin)
Prosecutors targeting hacking group previously linked to Beijing.
Federal prosecutors unsealed charges against 10 Chinese intelligence officers and other individuals Tuesday, accusing them of engaging in a persistent campaign to hack into U.S. aviation companies in Arizona, Massachusetts, Oregon and elsewhere.
Officials described the case as part of a push by the Trump administration to highlight what U.S. authorities say are China’s continuing efforts to steal information from American companies through cyberattacks and on-the-ground recruiting.
Prosecutors are also expected to announce charges in coming days against another set of hackers linked to the Chinese government. Those hackers have allegedly targeted information-technology service providers for the purposes of espionage and intellectual-property theft, according to people familiar with the matter.
Private-sector cybersecurity researchers have previously identified those attacks as the work of a hacking enterprise known as “APT 10” or “cloudhopper,” which they link to Beijing.
“This is just the beginning,” the head of the Justice Department’s national security division, John Demers, said in announcing Tuesday’s case. The defendants, who are not in U.S. custody and believed to be overseas, are accused of trying to steal information about how to build a certain type of aircraft engine that a Chinese state-owned company was also working to develop.
The case comes weeks after U.S. authorities won the rare extradition of a Chinese intelligence operative accused of a related scheme to obtain technical information from employees of GE Aviation and other American companies about aircraft-engine design and production. The officer in that case, Yanjun Xu, has pleaded not guilty.
U.S. prosecutors describe both Mr. Xu and the officers named in the new indictment as members of a regional unit of China’s Ministry of State Security, or MSS. The officers and people working for them who were charged in the indictment attempted to hack into companies that built parts for the turbofan engine from 2010 through at least May 2015, the indictment says.
A few months later, in September 2015, then-President Barack Obama and Chinese President Xi Jinping signed an accord pledging not to conduct cyber operations against one another for economic espionage. Cases in the coming months are expected to accuse Beijing of violating that accord, said people familiar with the cases.
Some private cybersecurity researchers believe China violated that pact since President Trump took office, as trade hostilities between the two countries have ratcheted up. Others question whether the Chinese activity ever truly declined.
“In our perspective, they are in full violation of the deal,” said Dmitri Alperovitch, co-founder of the U.S.-based cyber firm CrowdStrike. Mr. Alperovitch said that hackers were targeting “virtually every industry of interest to the Chinese,” including energy, defense, technology, transportation and hospitality.
The MSS hackers named in Tuesday’s indictment focused on an engine for commercial airliners that a French aerospace manufacturer was developing in conjunction with a U.S. company, prosecutors said.
The Chinese officers directed a Chinese national who worked at the French company to infect the company’s computers with malware, according to the indictment, telling him, “I’ll bring the horse to you tonight,” referring to Trojan horse malware.
When law enforcement notified the French company, which isn’t named in the indictment, another Chinese national working there deleted a domain name linked to the MSS group to minimize the agents’ exposure, prosecutors said.
The defendants, including the two employees, couldn’t immediately be located for comment.
The indictment, dated October 25, was unsealed Tuesday as a bipartisan group of eight senators sent a letter to Treasury Secretary Steven Mnuchin urging an executive order to impose sanctions on Beijing for its “ongoing cybertheft of the United States’ intellectual property and the impact this has had on the ability of American firms to compete internationally.”
Former U.S. officials said the Trump administration should respond forcefully if China is found to have violated the 2015 accord. Some faulted the White House for creating a more combative relationship with Beijing that may have provoked a surge in Chinese hacking activity.
“One of the reasons China agreed to this in the first place is that they were getting something out of it,” said Chris Painter, who ran the State Department’s cyber office in the Obama administration. “Now that things are more conflict-laden, they don’t have incentive to abide by the agreement.”
The White House and National Security Council didn’t immediately respond to requests for comment.
Tuesday’s indictment landed as the White House has sought to refocus the conversation on cybersecurity threats posed by China rather than Russia. Mr. Trump and Vice President Pence have said in recent weeks that China is attempting to interfere in U.S. elections, but intelligence officials said they have seen little evidence of such an operation.
Still, China remains a top adversary in the more traditional commercial cybersecurity, officials said.
In October, the Department of Homeland Security warned of an active hacking campaign targeting technology service-providers in various industries. The alert didn’t name China, but cybersecurity researchers have previously linked the group involved, APT 10, to Beijing.
That campaign is “a serious concern,” Rob Joyce, senior adviser for cybersecurity at the National Security Agency, said in an interview earlier this month. “It’s broad-based exploitation. If they get into a managed service provider, then they can go to any of the customers of those providers.” Managed service providers, such as IBM and Accenture, handle the technology needs of client companies, including data storage.
Mr. Joyce, who worked as the cybersecurity coordinator at the White House until earlier this year before returning to the NSA, said the Chinese attacks on technology service providers were particularly worrisome, because they provide services to—and potentially access to—hundreds or thousands of other companies.
Commerce Chief Raimondo’s Email Hacked In Breach Tied To China
* State Department, Agencies In Western Europe Also Affected
* Officials Say Breach Was Relatively Limited In Scope
Commerce Secretary Gina Raimondo was among the US officials whose emails were breached in a hack of government accounts that Microsoft Corp. has said originated from China, according to a person familiar with the matter.
Raimondo has been a prominent American figure implementing export curbs on advanced semiconductor technology to China, moves which Beijing has decried as undermining free trade and global supply chain stability. The person asked not to be identified discussing information that hasn’t been made public.
A Commerce Department spokesperson declined to comment or confirm the breach of Raimondo’s emails, which was reported earlier by the Washington Post. Microsoft also declined to comment late Wednesday night.
The Commerce and State Departments as well as agencies in Western Europe were also attacked, according to government officials and Microsoft.
Commerce took immediate action after being notified by Microsoft that the department had been breached, the spokesperson said earlier Wednesday.
When asked on Thursday about the claims that US officials were hacked, China’s Foreign Ministry said that “the US should account for its cyberattacks as soon as possible rather than spread false information and divert attention.”
Last month, the US State Department identified anomalous activity and alerted Microsoft to the attack, according to a spokesperson, who said the agency had no reason to doubt that the hackers, who breached Microsoft Outlook accounts, were based in China.
“A subsequent investigation by the company determined that the hackers accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” according to a statement from the US Cybersecurity and Infrastructure Security Agency, known as CISA.
It wasn’t known what other US agencies were affected, but a senior official said the number was in the single digits.
US officials described the attacks as targeted and focused on a small number of accounts at the agencies that were breached, as opposed to a hack seeking to steal large amounts of data. CISA and the FBI issued a joint advisory urging organizations to harden their Microsoft 365 cloud environments.
The hacking campaign got underway in the weeks before Secretary of State Antony Blinken arrived in Beijing to meet with top officials, including Chinese President Xi Jinping, according to the officials.
In a blog post published Tuesday night, Microsoft described the group behind the attack as China-based, calling it Storm-0558. The hackers were able to remain undetected for a month after gaining access to email data from around 25 organizations in mid-May.
“We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection,” Charlie Bell, an executive vice president at Microsoft, wrote in another post.
It also wasn’t clear which European governments were affected. Italian cybersecurity officials said they were in contact with Microsoft “in order to identify potential Italian subjects involved in the latest attacks.”
Asked about the findings, China’s Foreign Ministry spokesman Wang Wenbin, at a regular briefing on Wednesday, accused the US of being the world’s largest cyberattacker.
The hackers used “forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key,” Microsoft’s Bell said in his post. The hackers were then able to access Outlook email hosted on systems run and operated by Microsoft.
But how hackers obtained the signing key that gave them access to these emails remains unknown.
“The big question here really is where did they get the MSA-key to sign tokens,” said Sami Laiho, a computer security expert who specializes in Microsoft products. One possible explanation, Laiho said, is if Microsoft itself was breached.
Microsoft didn’t immediately respond to a request for comment about how hackers obtained the signing key.
The senior official used the news of the breach to highlight a source of tension between Microsoft and the US government: logging. Logs allow cybersecurity investigators to dig through digital clues left behind on their own systems to figure out if they’ve been hacked and who may be responsible.
More advanced logging can capture and record granular actions made by a user, like if a certain email was accessed. At issue is whether Microsoft should sell logging as a premium add-on for government customers or include it in its product for free.
A lack of logging complicated the investigation into the so-called SolarWinds attack, which was disclosed in 2020.
In that episode, Russian state-sponsored hackers installed a malicious update in software made by SolarWinds Corp., which installed a digital backdoor which they could then use to further infiltrate SolarWinds customers.
Ultimately, nine US agencies and about 100 companies were breached via the SolarWinds update and other methods.
Microsoft offered its premium logging feature for free for about a year in the wake of the SolarWinds hack. CISA and others have said that logs should be free, maintaining that they are crucial for detecting and investigating security incidents.
On Wednesday, the senior official said some of the affected US agencies paid for a premium logging feature and were able to detect the breach on their own. Microsoft, which retains the logs, was able to identify others who were hacked but do not pay for logging.
Requiring organizations to pay for better logging is a recipe for inadequate visibility into what has occurred in networks, the official said, adding that the issue requires urgent attention.
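As an added example (not from the article, the agencies involved, or Microsoft), this is the kind of check that granular mailbox-access logging makes possible and that is impossible without it: the records below are constructed, and the event shape, field names, application ids and network ranges are assumptions loosely modelled on Exchange Online "MailItemsAccessed" audit events rather than real tenant data.

```python
import ipaddress
from collections import defaultdict

# Constructed audit records, loosely modelled on Exchange Online
# "MailItemsAccessed" events. Field names and values are assumptions
# made for this example, not data from the incident described above.
SAMPLE_EVENTS = [
    {"CreationTime": "2023-06-15T14:02:11", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "analyst1@agency.example", "ClientIPAddress": "10.20.30.40",
     "AppId": "app-outlook-desktop", "MailAccessType": "Sync"},
    {"CreationTime": "2023-06-15T14:05:47", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "analyst1@agency.example", "ClientIPAddress": "198.51.100.7",
     "AppId": "app-unknown-client", "MailAccessType": "Bind"},
    {"CreationTime": "2023-06-15T14:06:02", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "director@agency.example", "ClientIPAddress": "198.51.100.7",
     "AppId": "app-unknown-client", "MailAccessType": "Bind"},
    {"CreationTime": "2023-06-15T14:06:30", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "counsel@agency.example", "ClientIPAddress": "198.51.100.7",
     "AppId": "app-unknown-client", "MailAccessType": "Bind"},
    {"CreationTime": "2023-06-15T15:10:00", "Operation": "MailItemsAccessed",
     "MailboxOwnerUPN": "director@agency.example", "ClientIPAddress": "10.20.30.41",
     "AppId": "app-outlook-desktop", "MailAccessType": "Sync"},
]

# Hypothetical tenant baseline: sanctioned client application ids and the
# organisation's own egress networks (both assumptions for this example).
APPROVED_APP_IDS = {"app-outlook-desktop", "app-outlook-web"}
CORPORATE_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
MAILBOX_FANOUT_THRESHOLD = 3  # one source reading this many mailboxes or more


def is_corporate_ip(addr):
    """True when the client address falls inside a known corporate range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETWORKS)


def analyse_mail_access(events):
    """Flag mailbox reads by unapproved apps, from external addresses, and
    single sources that fan out across several mailboxes (espionage pattern)."""
    findings = {"unapproved_app": [], "external_ip": [], "fanout": []}
    mailboxes_by_source = defaultdict(set)
    for ev in events:
        if ev.get("Operation") != "MailItemsAccessed":
            continue  # only the granular mailbox-read event carries this signal
        source = (ev["ClientIPAddress"], ev["AppId"])
        mailboxes_by_source[source].add(ev["MailboxOwnerUPN"])
        if ev["AppId"] not in APPROVED_APP_IDS:
            findings["unapproved_app"].append(
                (ev["CreationTime"], ev["MailboxOwnerUPN"], ev["AppId"]))
        if not is_corporate_ip(ev["ClientIPAddress"]):
            findings["external_ip"].append(
                (ev["CreationTime"], ev["MailboxOwnerUPN"], ev["ClientIPAddress"]))
    for source, boxes in mailboxes_by_source.items():
        if len(boxes) >= MAILBOX_FANOUT_THRESHOLD:
            findings["fanout"].append((source, sorted(boxes)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyse_mail_access(SAMPLE_EVENTS).items():
        print(kind, hits)
```

If the tenant only has sign-in logs and not per-item mailbox access events, none of these checks has input to run on, which is the visibility gap the official describes.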
Two U.S. Navy Servicemembers Arrested For Transmitting Military Information To The People’s Republic of China
In two separate cases in the Southern and Central Districts of California, two U.S. Navy servicemembers were arrested for transmitting sensitive military information to the People’s Republic of China (PRC).
“These individuals stand accused of violating the commitments they made to protect the United States and betraying the public trust, to the benefit of the PRC government,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
“The Department of Justice will continue to use every tool in our arsenal to counter threats from China and to deter those who aid them in breaking our laws and threatening our national security.”
“These arrests are a reminder of the relentless, aggressive efforts of the People’s Republic of China to undermine our democracy and threaten those who defend it,” said Assistant Director Suzanne Turner of the FBI’s Counterintelligence Division. “The PRC compromised enlisted personnel to secure sensitive military information that could seriously jeopardize U.S. national security. The FBI and our partners remain vigilant in our determination to combat espionage, and encourage past and present government officials to report any suspicious interactions with suspected foreign intelligence officers.”
United States v. Jinchao Wei, Southern District of California
A U.S. Navy sailor, Jinchao Wei, aka Patrick Wei, was arrested yesterday on espionage charges as he arrived for work at Naval Base San Diego, the homeport of the Pacific Fleet. He was indicted for conspiracy to send national defense information to an intelligence officer working for the People’s Republic of China.
The indictment, unsealed this morning, alleges that Wei was an active-duty sailor on the amphibious assault ship the U.S.S. Essex stationed at Naval Base San Diego. In his role as a machinist’s mate, Wei held a U.S. security clearance and had access to sensitive national defense information about the ship’s weapons, propulsion and desalination systems.
Amphibious assault ships like the Essex resemble small aircraft carriers and allow the U.S. military to project power and maintain presence by serving as the cornerstone of the U.S. Navy’s amphibious readiness and expeditionary strike capabilities.
According to the indictment, in February 2022, Wei began communicating with an intelligence officer from the PRC who requested that Wei provide information about the U.S.S. Essex and other Navy ships.
Specifically, the Chinese intelligence officer tasked Wei with passing him photos, videos and documents concerning U.S. Navy ships and their systems. The two agreed to hide their communications by deleting records of their conversations and using encrypted methods of communication.
At the request of the intelligence officer, between March 2022 and the present, Wei sent photographs and videos of the Essex, disclosed the locations of various Navy ships and described defensive weapons of the Essex. In exchange for this information, the intelligence officer paid Wei thousands of dollars over the course of the conspiracy.
The indictment further alleges that in June 2022, Wei sent the intelligence officer approximately 30 technical and mechanical manuals. These manuals contained export control warnings and detailed the operations of multiple systems aboard the Essex and similar ships, including power, steering, aircraft and deck elevators, as well as damage and casualty controls.
The intelligence officer confirmed with Wei that at least 10 of those manuals were useful to him. For passage of those materials, the indictment alleges that Wei was paid $5,000.
In June 2022, the intelligence officer requested that Wei provide information about the number and training of U.S. Marines during an upcoming international maritime warfare exercise. In response to this request, Wei sent multiple photographs of military equipment to the intelligence officer.
In August 2022, Wei sent an additional 26 technical and mechanical manuals related to the power structure and operation of the Essex and similar ships. The manuals contained warnings that this was technical data subject to export controls and that it was deemed “critical technology” by the U.S. Navy.
The indictment further alleges that in October 2022, Wei sent a technical manual to the intelligence officer describing the layout and location of certain departments, including berthing quarters and weapons systems. Specifically, Wei sent a weapons control systems manual for the Essex and similar ships.
This manual contained export-controlled data that could not be exported without a license from the U.S. government. The indictment alleges that Wei knowingly violated the International Traffic in Arms Regulations by transmitting this manual to the Chinese intelligence officer without obtaining a required license.
The intelligence officer continued to request information in 2023, including information about the overhaul and upgrades to the Essex. Specifically, he requested blueprints, especially those related to modifications to the flight deck. Wei provided information related to the repairs the Essex was undergoing, as well as other mechanical problems with similar vessels.
During the alleged conspiracy, the intelligence officer instructed Wei to gather U.S. military information that was not public and admonished him not to discuss their relationship and to destroy any evidence regarding the nature of their relationship and their activities.
“We have entrusted members of our military with tremendous responsibility and great faith,” said U.S. Attorney Randy Grossman for the Southern District of California. “Our nation’s safety and security are in their hands. When a soldier or sailor chooses cash over country, and hands over national defense information in an ultimate act of betrayal, the United States will aggressively investigate and prosecute.”
U.S. Attorney Grossman thanked the prosecution team and investigating agencies for their excellent work on this case.
The FBI and Naval Criminal Investigative Service (NCIS) investigated the case.
Assistant U.S. Attorneys John Parmley and Fred Sheppard for the Southern District of California and Trial Attorney Adam Barry of the National Security Division’s Counterintelligence and Export Control Section are prosecuting the case.
United States v. Wenheng Zhao, Central District of California
A U.S. Navy servicemember, Petty Officer Wenheng Zhao, aka Thomas Zhao, 26, of Monterey Park, California, was arrested following an indictment by a federal grand jury, charging him with receiving bribes in exchange for transmitting sensitive U.S. military information to an individual posing as a maritime economic researcher, but who was actually an intelligence officer from the PRC.
The indictment alleges that Zhao, who worked at Naval Base Ventura County in Port Hueneme and held a U.S. security clearance, received bribes from a Chinese intelligence officer in exchange for violating his official duties as a U.S. sailor by, among other actions, disclosing non-public sensitive U.S. military information.
Beginning in August 2021 and continuing through at least May 2023, at the Chinese intelligence officer’s direction, Zhao allegedly violated his official duties to protect sensitive military information by surreptitiously recording, and then transmitting to the intelligence officer, U.S. military information, photographs and videos.
According to the indictment, the Chinese intelligence officer told Zhao that the intelligence officer was a maritime economic researcher seeking the information for investment decisions.
In exchange for bribes, Zhao allegedly sent the Chinese military officer non-public and controlled operational plans for a large-scale U.S. military exercise in the Indo-Pacific Region, which detailed the specific location and timing of Naval force movements, amphibious landings, maritime operations and logistics support.
The indictment further alleges that in exchange for bribes, Zhao also photographed electrical diagrams and blueprints for a radar system stationed on a U.S. military base in Okinawa, Japan.
The intelligence officer allegedly directed Zhao to conceal their relationship and to destroy evidence of the unlawful and corrupt scheme.
In exchange for the sensitive information Zhao provided – information Zhao accessed as a result of his position within the U.S. Navy – the Chinese intelligence officer paid Zhao approximately $14,866, the indictment alleges.
“By sending this sensitive military information to an intelligence officer employed by a hostile foreign state, the defendant betrayed his sacred oath to protect our country and uphold the Constitution,” said U.S. Attorney Martin Estrada for the Central District of California.
“Unlike the vast majority of U.S. Navy personnel who serve the nation with honor, distinction and courage, Mr. Zhao chose to corruptly sell out his colleagues and his country.”
If convicted, Zhao faces a maximum penalty of 20 years in prison.
The FBI Los Angeles Field Office’s Counterintelligence and Cyber Division and NCIS investigated the case. IRS Criminal Investigation provided substantial assistance.
Assistant U.S. Attorneys Annamartine Salick, Sarah Gerdes, Christine Ro and Kathrynne Seiden of the Terrorism and Export Crimes Section for the Central District of California are prosecuting this case. Trial Attorney Adam Barry of the National Security Division’s Counterintelligence and Export Control Section is providing substantial assistance.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.