UglyGorilla Hacker Left Tracks, U.S. Cyber-Hunters Say

Prosecutors building a case against Wang Dong, one of five Chinese military hackers indicted this week for economic espionage, were helped by Wang’s apparent willingness to break a cardinal rule of spying: Leave no tracks.

Known as UglyGorilla, Wang is a pun-making hacker who left a string of clues dating back years, according to several security professionals who have pursued him. He became famous in counterintelligence circles as China’s most flamboyant hacker, as he seeded malicious code with his handle and left the initials “UG” in the logs of thousands of compromised computers.

This week, the U.S. Justice Department unveiled the indictment of the People’s Liberation Army officers it says broke into computers at five U.S. companies, including Westinghouse Electric Co. and United States Steel Corp., to steal trade secrets and other information.

Among those indicted was a hacker the prosecutors identified as Wang, also known as UglyGorilla -- the first time the government had linked the two names. The indictment offered little other information on Wang. Yet to cybersecurity experts, the indictment merely cast a public spotlight on a hacker who for years had left a trail that was obvious to those more accustomed to scrutinizing wisps of digital information for clues.

Nuclear Hack

“When the indictment came out, my wife asked me if I knew this UglyGorilla guy,” said Adam Meyers, who first encountered China’s cyber spies as a security specialist at the U.S. State Department. “I told her, ‘I’ve known him longer than I’ve known you,’” said Meyers, who celebrates his three-year wedding anniversary next week.

The U.S. indictment focuses on a narrow set of cases, including the theft of plans for a next-generation nuclear power plant from Westinghouse. Wang gained unauthorized access to at least one U.S. Steel computer in February 2010, and from there stole a virtual map -- host names and descriptions -- of more than 1,700 of the company’s computers, prosecutors allege.

Courtney Boone, a spokeswoman for Pittsburgh-based U.S. Steel, referred questions to the Justice Department. Westinghouse declined to comment.

UglyGorilla’s activities are likely much broader, according to cybersecurity experts, who link him to hundreds of intrusions. Those include missions to steal technical details of valuable American technology, obtain data on deals U.S. companies were doing with Chinese counterparts, and, in 2011, wage a campaign to breach the security of U.S. nuclear power plants, according to commercial forensics reports and investigators who examined those attacks.

“Fabricated Facts”

China’s foreign ministry said the May 19 indictment was based on “intentionally fabricated facts,” and publicly summoned U.S. Ambassador Max Baucus to the ministry that day for a scolding.

The indictment contains what appear to be the first photographs of the five People’s Liberation Army hackers published in the U.S. The images include a shot of an unsmiling Wang wearing rimless glasses that could be an ID photo or cropped from an official group portrait.

Based on posts from Chinese online bulletin boards and social-media accounts, Wang is 37 years old and may have attended Shanghai’s elite Jiaotong University, which has a strong computer-science department, investigators said in interviews.

Chinese Defense Ministry officials, when contacted today, asked that a request for comment be submitted by fax. They didn’t immediately respond.

Jack Wang

Several cybersecurity experts say their knowledge of UglyGorilla goes back at least a decade. While hackers routinely change online personas in an effort to obscure their identity, Wang’s has been remarkably consistent, they said.

In 2004, a user under the name of Jack Wang, with an e-mail address of, posted a question about digital warfare on a forum hosted by China Military Online.

That same e-mail account was used over and over, including to register websites used in attacks on hundreds of U.S. entities, the security experts said.

U.S. investigators say Wang may have taken the typical hacker penchant for showing off to an extreme.

“You can leave little pieces of yourself in your work,” Meyers said. “It’s one of the perks of the job.”

In 2006, UglyGorilla created an account on a Chinese developer site as Wang Dong -- his real name, the U.S. would say eight years later -- according to a report by Mandiant Corp., a data-security division of FireEye Inc. The report, published last year, also linked Wang and the gorilla handle to the PLA.

“Too Easy”

“We were baffled. Why is he putting his name in everything? It was like he was making it too easy,” said Kevin Albano, an intelligence analyst for Mandiant. “Maybe it’s just ego, but he also did seem to be proud of what he was doing.”

He also appeared to feel safe, said Jaime Blasco, a malware researcher and director of AlienVault Labs. UglyGorilla and the rest of a crew of Chinese hackers that cybersecurity researchers call the Comment group -- known for their trademark of infiltrating computers using hidden code on Web pages known as comments -- appeared to feel protected from any consequences of hacking overseas companies, he said.

“They didn’t care about being caught,” Blasco said. “They are in China.”

Hijacked Servers

In many of the breaches described in the private forensic reports, the PLA hackers would relay commands and send stolen data through U.S.-based servers that they hijacked or rented. Wang registered some of those servers under the domain name, a pun combining adjectives that describe a gorilla, according to Mandiant and other security companies. Subdomains often included the initials UG.

He also included the initials in commands to victims’ computers, security experts said, like a calling card that forensic investigators would discover later.

“We found his name all over the place in dealing with intrusions over the last few years,” Blasco said. “You can link this guy to hundreds of attacks.”

One of the domains,, was involved in an attack on Telvent Canada Ltd., a maker of industrial control systems to monitor oil and gas pipelines and electrical grids, according to security blogger Brian Krebs. Krebs posted what he said was an alert letter Telvent sent to customers in September 2012 online, in which Telvent flagged the hugesoft site.

Coke Files

Malware that helped China break into the computers of Coca-Cola Co. in 2009 was programmed to communicate with the website The PLA hackers broke into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group, according to an internal company document detailing the intrusion.

The Huiyuan deal, which was blocked by Chinese regulators over concerns about competition, would have been the largest foreign takeover of a Chinese company at the time. It’s unknown if the stolen information contributed to China’s decision.

Coca-Cola spokesman Kent Landers said the company wouldn’t discuss internal “security matters” when Bloomberg News reported the breach by PLA hackers in 2012.

Car Talk

Wang may also have been involved in an intrusion at a California nuclear plant operated by Pacific Gas & Electric in 2011, according to an internal report on the intrusion viewed by Bloomberg News. The report said that the computer of one of the plant’s managers had been hacked by UglyGorilla’s unit, and also linked UglyGorilla to a broader effort to steal secrets from the American nuclear energy sector. The company declined to comment at the time.

As Wang’s notoriety grew, at least within the community of U.S. counterintelligence officials and data security experts, investigators sought to fill in more pieces of the puzzle.

They found a 2004 post on a popular Chinese auto forum in which someone identifying himself as UglyGorilla was seeking advice on buying a car for his wife to use.

Wang may have been a legend, but he also had everyday problems, Albano said.

“Underneath it all, he’s serving his military, doing his time -- just a regular guy,” he said.

Before it's here, it's on the Bloomberg Terminal.