China’s Clock-Punching Hackers Show Spying as Routine Job
Five Chinese men indicted for stealing thousands of e-mails and documents from U.S. companies had classic hacker nicknames. Yet one thing made them different: their clock-punching day jobs.
Known by handles including UglyGorilla, WinXYHappy and KandyGoo, they worked from 8 a.m. to 6 p.m. with scheduled two-hour lunch breaks, according to a report by online security company FireEye Inc. (FEYE) Rarely working on weekends, the Shanghai-based team acted more like public servants than the stereotype of basement-dwelling loners working around the clock.
For about eight years, the group hacked into U.S. companies including Alcoa Inc. (AA), United States Steel Corp. (X) and Westinghouse Electric Co. to steal “sensitive, internal communications,” the Department of Justice alleges. The hackers, all officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army, logged standard Chinese hours, rarely did overtime and almost never worked past midnight, according to FireEye research.
“They do treat it like a business, it’s not something that they treat like a hobby,” Bryce Boland, chief technology officer for Asia-Pacific at FireEye, said by phone. “They’re doing what they think of to be their job.”
The Justice Department charged Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui with economic espionage linked to computer hacking of American nuclear power, metals and solar companies.
The indictment, which was unsealed May 19, represents the first charges against a state actor for that type of hacking, U.S. Attorney General Eric Holder said in a statement.
The Chinese government rejected the charges as “absurd.”
Mandiant, a cybersecurity provider bought by FireEye in January, tracked connections made by members of Unit 61398 to the remote servers they used to hack into target networks.
The research showed a spike in logins at 8 a.m. and again at 2 p.m., when Chinese workers finish their lunch break. About 75 percent of connections took place between 8 a.m. and midday or from 2 p.m. to 6 p.m., FireEye said in a blog post.
About 98 percent of logins took place on weekdays and 1.2 percent occurred in the period between midnight and 7 a.m. China time, FireEye said.
Mandiant first identified a Chinese hacking group it called APT1 in February last year, saying it attacked at least 141 companies globally since 2006. The company’s data matches that of the Justice Department.
“These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are,” FireEye said.
The military hacking team, which probably numbers in the hundreds, also appears to be very structured in terms of job skills and functions, Boland said.
Some members write code, creating the tools for hacking into remote networks, while others identify targets and information that is being sought, he said. Another group may be responsible for taking a more strategic role in directing proceedings, according to Boland.
At the front line are operators, the foot soldiers who use the tools and targets given to them to break into networks and collect data.
The five men identified by the U.S., with photographs, are unlikely to be the most-senior members of China’s hacking army, but instead are operators, logging on in the morning and heading home at night. The fact that the U.S. named them may be no accident.
“They are probably just cogs in a much bigger, broader program, and this is probably the first shot across the bow by the U.S.,” Boland said.
Wang Dong, also known as UglyGorilla, gained unauthorized access to at least one U.S. Steel computer in February 2010 and from there stole a virtual map -- host names and descriptions -- of more than 1,700 of the company’s computers, U.S. prosecutors allege.
In another case, the Justice Department said Sun Kailiang, who also has the moniker Jack Sun, stole proprietary technical and design specifications for piping from Westinghouse, the nuclear reactor arm of Tokyo-based Toshiba Corp. (6502)
The Chinese government denied engaging in economic espionage and warned that the charges would harm relations with the U.S. The five men couldn’t be contacted for comment, and Chinese Defense Ministry officials haven’t responded to questions faxed on May 23.
China is pushing domestic banks to remove high-end servers made by International Business Machines Corp. and replace them with a local brand, according to people familiar with the matter.
Government agencies, including the People’s Bank of China and the Ministry of Finance, are reviewing whether Chinese commercial banks’ reliance on IBM servers compromises the country’s financial security, said the four people, who asked not to be identified because the review hasn’t been made public.
To contact the reporter on this story: Tim Culpan in Taipei at firstname.lastname@example.org
To contact the editors responsible for this story: Michael Tighe at email@example.com Robert Fenner