SEP 13 2017
US DISTRICT COURT

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF

UNDER SEAL

UNITED STATES OF AMERICA

v.

WU YINGZHUO, a/k/a a/k/a "Christ Wu," a/k/a "wyz";
DONG HAO, a/k/a "Bu Yi," a/k/a "Dong Shi Ye," a/k/a "Tianyu";
XIA LEI, a/k/a "Sui Feng Yan Mie"

Criminal No. 7 7

18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(A), 1030(b)
18 U.S.C. §§ 1832(a)(1), 1832(a)(2), 1832(a)(5)
18 U.S.C. § 1343
18 U.S.C. § 1028A

INDICTMENT

The grand jury charges:

1. At all times relevant to the indictment:

BOYUSEC

a. The defendants were owners, employees, and associates of the Guangzhou Bo Yu Information Technology Company Limited (hereinafter "Boyusec").

b. Boyusec purported to be a Chinese cybersecurity firm located at 1103 West Tower, Huapu Plaza, Number 9 Huaming Road, Pearl River New City, Tianhe District, Guangzhou, Guangdong Province, China.

c. According to its website, Boyusec provided cybersecurity services for Chinese companies, including Information Security and Testing, Software Development and Testing, and Data Analysis, in partnership with a large Chinese telecommunications company and another cybersecurity center in Guangdong Province.

d. In or around November 2013, Boyusec was registered as a limited liability company with the Tianhe Branch of the Guangzhou Administration for Industry and Commerce.

THE DEFENDANTS

e. Defendant WU YINGZHUO was a resident of Guangzhou and used the aliases "Christ Wu" and "wyz." WU was a founding member and equity shareholder of Boyusec.

f. Defendant DONG HAO was a resident of Guangzhou and used the aliases "Bu Yi," "Dong Shi Ye," and "Tianyu." DONG was a founding member, equity shareholder of Boyusec, and held the title of Executive Director and Manager of Boyusec.

g. Defendant XIA LEI was a resident of Guangzhou and used the alias "Sui Feng Yan Mie." XIA was an employee of Boyusec.

THE US VICTIMS

h. Moody's Analytics was an economic analysis firm which provided financial and economic services. Moody's Analytics employs economists, modelers, and statisticians, and primarily serves asset managers, banks, corporations, and
insurers. Specifically, Moody's Analytics provided tools and information for measuring and managing risk through its expertise in credit analysis, economic research, and financial risk management. Moody's Analytics is headquartered in New York, New York.

i. Siemens AG ("Siemens") is a multinational manufacturing and electronics conglomerate specializing in financial services, building technologies, mobility operations, healthcare, transportation, digitalization, power generation, power systems, and energy management. Siemens employs over 375,000 employees located in over 200 countries. Siemens is headquartered in Germany and had offices located in the Western District of

j. Trimble, Inc., formerly known as Trimble Navigation Limited ("Trimble"), is a manufacturer, developer, and provider of geospatial positioning technology, including Global Positioning System ("GPS") and Global Navigation Satellite Systems ("GNSS") technology and related software and services, which are used in a variety of commercial industries, including the construction, land survey, and agricultural sectors. Trimble's products are sold and used in over 150 countries around the world. Trimble's innovations in positioning technology have resulted in over 1,200 patents. Trimble is headquartered in Sunnyvale, California.

COUNT ONE
Conspiracy to Commit Computer Fraud and Abuse

2. Beginning no later than 2011, and continuing until at least May 2017, in the Western District of and elsewhere, the defendants, WU YINGZHUO, a/k/a a/k/a "Christ Wu," a/k/a "wyz"; DONG HAO, a/k/a "Bu Yi," a/k/a "Dong Shi Ye," a/k/a "Tianyu"; and XIA LEI, a/k/a "Sui Feng Yan Mie," did knowingly and willfully conspire and agree together with each other, and with others known and unknown to the grand jury, to commit computer fraud and abuse, namely:

a. to access computers without authorization and exceed authorized access to computers, and to obtain thereby information from protected computers, for the purpose of commercial advantage and private financial gain, in furtherance of a criminal and tortious act in
violation of the laws of the Commonwealth of namely, the common law tort of Invasion of Privacy, and where the value of the information did, and would if completed, exceed $5,000, in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and ; and

b. to cause the transmission of programs, codes, and commands, and as a result of such conduct, to cause damage without authorization to protected computers, and where the offense did cause, and would if completed have caused, loss aggregating $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, and damage affecting at least 10 protected computers during a one-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and 103

MANNER AND MEANS OF THE CONSPIRACY

3. It was part of the conspiracy that defendants WU, DONG, XIA, and others known and unknown to the grand jury (collectively, the "co-conspirators") agreed to participate in coordinated and unauthorized targeted cyber-intrusions against businesses and entities operating in the United States and elsewhere, in order to steal confidential business information and intentionally cause damage to those victims' computer systems.

4. The co-conspirators exploited vulnerabilities in computer systems, or used malware or malicious code, to obtain and maintain unauthorized access into computers in order to steal hundreds of gigabytes of data, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords.

5. The co-conspirators attempted to hide their true identities and location by using aliases and intermediary computer servers known as "hop points." The co-conspirators compromised the hop points, which were private computer networks owned by third parties, and used these networks without authorization. By using the hop points, the co-conspirators misrepresented their true Internet Protocol addresses, location, and identities to the victims
and used the hop points for the purpose of identifying, collecting, packaging, and stealing data from the victims. In order to thwart identification, the co-conspirators also used aliases when registering for online communications services.

SPEARPHISHING EMAILS

6. The co-conspirators used spearphishing campaigns to gain unauthorized access to the computer networks of US and foreign businesses. The conspirators sent, and caused to be sent, spearphishing emails to computers located in the Western District of and around the world.

7. The spearphishing emails misrepresented the identity of the sender, the subject matter of the email, and nature of any links or files contained within or attached to the email. In fact, many of the emails contained fraudulent links to either computer files that contained malware that provided unauthorized access to the recipient's computer (known as a "backdoor"), thereby allowing the co-conspirators to bypass normal authentication procedures on the recipient's computer, or servers software designed to scan for vulnerabilities on the computers that connect to them.

MALWARE

8. The co-conspirators used different types of customized malware to gain and maintain unauthorized access into the computer networks. In order to initially access the victims' networks, the co-conspirators typically used a backdoor designed to bypass the victims' security systems and firewalls. The co-conspirators also commonly used malware referred to as "ups" and "exeproxy" (collectively, the "UPS Backdoor Malware") to remotely access and control infected computers within the victims' networks. Specifically, the co-conspirators used multiple versions of UPS Backdoor Malware to misrepresent their status as authorized users of the victims' computers in order to issue commands to search, identify, copy, package, and steal data stored on such computers.

CONCEALMENT

9. Beginning no later than 2013, and during their employment at Boyusec, defendants WU, DONG, XIA, and others known and unknown to the grand jury worked together to conduct
targeted cyberattacks against US and foreign businesses, which had never retained Boyusec for any services or otherwise authorized access into their computer networks.

10. Defendants WU, DONG, and XIA shared access to common hop points in order to conceal their identities, location, and affiliation with Boyusec during the course of their cyberattacks.

11. Defendants WU and DONG used stolen network credentials to conceal their unauthorized access to victim computer networks from the victims' security measures.

TARGETED ATTACKS OF US BUSINESSES

Moody's Analytics

12. In 2005, Moody's Analytics purchased an economic analytics company that employed an influential economist who had expertise in macroeconomics and the housing finance sector ("Employee A"). Employee A became a public figure in the industry and was viewed by Moody's Analytics as a branding asset. Employee A commonly appeared on national TV and in newspapers with large circulations.

13. Beginning no later than 2011, the co-conspirators placed a forwarding rule on a Moody's Analytics email server, directing all of Employee A's incoming emails to forward to co-conspirator-controlled web-based email accounts (the "Fraudulent Email Accounts").

14. Between June 21, 2013 and January 31, 2014, defendant XIA accessed a Fraudulent Email Account and its contents. These emails contained, among other things, Employee A's communications, which contained proprietary and confidential economic analyses, findings, and opinions.

Siemens

15. In 2014, Siemens was an international conglomerate servicing multiple industry sectors, including financial services, building technologies, mobility operations, healthcare, transportation, digitalization, power generation, power systems, and energy management.

16. In May and June 2014, the co-conspirators used hop points to target and gain unauthorized access to Siemens' computer networks for the purpose of obtaining and using Siemens employees' usernames and passwords and to steal proprietary commercial data.

17. In June 2014, defendant DONG accessed the
Siemens computer network in the Western District of and elsewhere using UPS Backdoor Malware and exfiltrated computer password information, known as "hashes."

18. From approximately June 2015 to August 2015, the conspirators removed approximately 407GB of data from Siemens's network. The data included files and data created by Siemens' energy, technology, and transportation businesses.

Trimble

19. In 2015 and 2016, Trimble was engaged in the development of a new GNSS product that combined software with a relatively low cost antenna to significantly improve the positioning accuracy of mobile devices, including tablets and mobile telephones (the "Commercial GNSS Project"). The Commercial GNSS Project allowed Trimble customers to receive and process GNSS satellite signals and data from Trimble's subscription corrections services. Using the data received from the GNSS satellites and Trimble's proprietary corrections services, users could obtain high precision position accuracy, up to a few centimeters, in a cost effective manner. Trimble's targeted customer markets for the Commercial GNSS Project were, among others, the construction, land survey, and agricultural sectors. The Commercial GNSS Project had no military applications.

20. This Commercial GNSS Project had been in development for approximately three years and had represented an investment of millions of dollars by Trimble. As such, Trimble's computer networks contained documents and other data pertaining to both the Commercial GNSS Project's technical development and the business and marketing strategy. Access to certain documents and data were restricted by Trimble based on a need to know. In addition, Trimble required that its employees and contractors sign Non-Disclosure Agreements to protect the development of the Commercial GNSS Project.

21. Beginning no later than December 2015 and continuing through March 2016, the co-conspirators targeted the servers within Trimble's network, including those that hosted documents and data relating to the
Commercial GNSS Project.

22. Beginning no later than January 11, 2016, defendant WU accessed Trimble's network and copied, packaged, and stole computer files containing commercial business documents and data relating to the Commercial GNSS Project. Specifically, on January 11, 2016, WU prepared a zip archive file containing approximately 252 megabytes of compressed data from Trimble's network and removed the file from the network. This zip file contained hundreds of files of Trimble's technical, design, and business marketing documents pertaining to the Commercial GNSS Project.

23. The stolen zip file contained files marked "confidential" or "proprietary" and contained market research and strategy for the Commercial GNSS Project, which were a trade secret and commercial in nature ("Trade Secret 1" and "Trade Secret 2"). Trade Secret 1 and Trade Secret 2 contained confidential information regarding Trimble's market share, costs of production, and a timetable for the release and marketing of the Commercial GNSS Project.

24. The stolen zip file also contained a confidential and proprietary schematic design for the hardware receiver equipment component of the Commercial GNSS Project ("Trade Secret ").

25. On or about January 12, 2016, a co-conspirator accessed Trimble's network and stole an additional 23 megabytes of data, including testing data for Trimble's proprietary subscription services.

26. This stolen data included confidential testing data of Trimble technology ("Trade Secret ").

27. On or about January 22, 2016, the co-conspirators accessed Trimble's network and executed commands to steal two directory lists. One of these directory lists included listed files containing the name of a Trimble engineer and related to the Commercial GNSS Project.

28. In total, conspirators stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing, and marketing similar software and subscription services without incurring millions of dollars in research and
development costs.

OVERT ACTS

29. In furtherance of the conspiracy and to effect the objects of the conspiracy, the defendants and others, both known and unknown to the grand jury, committed the following overt acts:

a. On or about August 26, 2011, a co-conspirator created a Fraudulent Email Account in the name of Employee A of Moody's Analytics.

b. On or about August 26, 2011, the exact date being unknown, a co-conspirator accessed the mail server within the Moody's Analytics computer network and placed a forwarding rule on the server, directing all emails sent to Employee A to be forwarded to the Fraudulent Email Account.

c. On or about June 21, 2013, defendant XIA accessed emails which had been forwarded to Employee A's fraudulent account.

d. On or about January 21, 2014, defendant XIA accessed a hop point and logged into a Fraudulent Email Account and accessed emails which had been forwarded from Employee A's email account.

e. On or about June 6, 2014, defendant DONG accessed a Siemens computer with hostname without authorization.

f. On or about June 6, 2014, defendant DONG transferred a file containing Siemens password hashes among computers within the Siemens network and attempted to some of those hashes.

g. On or about June 6, 2014, defendant DONG connected to host a Siemens network computer located in the Western District of and attempted to log in as a network administrator using stolen credentials.

h. On or about June 7, 2014, defendant DONG attempted to log on to Siemens host computer using stolen credentials belonging to Siemens employee

i. On or about June 7, 2014, defendant DONG attempted to log on to Siemens host computer using stolen credentials belonging to Siemens employee

j. On or about December 18, 2015, defendant WU accessed a hop point and then further accessed a Trimble computer with hostname

k. On or about December 26, 2015, a co-conspirator accessed a hop point and accessed Internet web pages of Trimble.

l. On or about January 9, 2016, defendant WU possessed and used the stolen credentials
of Trimble employee in order to connect to a Trimble computer at IP address

m. On or about January 11, 2016, defendant WU entered a series of commands resulting in the theft of approximately 773 files containing trade secrets and other proprietary information from Trimble's computer network.

n. On or about January 11, 2016, defendant WU entered a command to delete a log file named Lo g zip from a computer within the Trimble network.

o. On or about January 12, 2016, a co-conspirator stole approximately four files containing proprietary information from the computer network of Trimble.

p. On or about January 14, 2016, defendant WU attempted to log into a Trimble computer using stolen credentials belonging to Trimble employee

q. On or about January 22, 2016, defendant WU used stolen credentials belonging to Trimble employee to gain unauthorized access to Trimble's computers.

In violation of Title 18, United States Code, Section 1030(b).

COUNT TWO
Conspiracy to Commit Trade Secret Theft

The grand jury further charges:

30. Paragraphs 1-29 of this indictment are incorporated herein as if set forth in full.

31. Beginning at least in or about 2011, and continuing until at least May 2017, in the Western District of and elsewhere, the defendants, WU YINGZHUO, a/k/a a/k/a "Christ Wu," a/k/a ; DONG HAO, a/k/a "Bu Yi," a/k/a "Dong Shi Ye," a/k/a "Tianyu"; and XIA LEI, a/k/a "Sui Feng Yan Mie," did knowingly conspire and agree together and with each other, and with other persons both known and unknown to the grand jury, to copy, duplicate, download, upload, replicate, transmit, deliver, send, mail, communicate, and convey trade secrets without authorization that were related to products or services used in or intended for use in interstate and foreign commerce, with the intent to convert the trade secrets to the economic benefit of someone other than the owner of the trade secrets, and with the intent and knowledge that the offense would injure the owner of the trade secrets, in violation of Title 18, United States Code, Section 1832(a)(1) and (2).

OVERT ACTS

32. In furtherance of the conspiracy and to effect the objects of the conspiracy, the defendants and their co-conspirators committed the overt acts alleged in paragraph 29.

In violation of Title 18, United States Code, Section 1832(a)(5).

COUNT THREE
Wire Fraud

The grand jury further charges:

33. Paragraphs 1-29 of this indictment are incorporated herein as if set forth in full.

34. Beginning no later than 2011, and continuing until at least May 2017, in the Western District of and elsewhere, the defendants, WU YINGZHUO, a/k/a a/k/a "Christ Wu," a/k/a "wyz"; DONG HAO, a/k/a "Bu Yi," a/k/a "Dong Shi Ye," a/k/a "Tianyu"; and XIA LEI, a/k/a "Sui Feng Yan Mie," did devise, intend to devise, and participate in a scheme with others known and unknown to the grand jury to defraud and to obtain money and property by means of materially false and fraudulent pretenses and representations, and by concealment of material facts.

35. It was part of the scheme that defendants used hop points to misrepresent their true IP address, location, and identities.

36. It was further part of the scheme that the defendants used the Fraudulent Email Accounts in order to misrepresent to the Moody's Analytics network that Employee A's emails were being forwarded to Employee A's personal email account, when in fact the emails were forwarded to the Fraudulent Email Accounts.

37. It was further part of the scheme that the defendants used stolen credentials to gain access to parts of the victims' networks.

38. It is further part of the scheme that the defendants sought and stole internal and proprietary information belonging to commercial entities.

39. On or about June 6, 2014, in the Western District of and elsewhere, the defendants, for the purpose of executing the scheme to defraud, knowingly caused to be transmitted by means of wire communication in interstate commerce certain writings, signs, and signals, namely an electronic signal containing credentials to a Siemens network computer.

In violation of Title 18, United States Code, Section
1343.

COUNTS FOUR THROUGH EIGHT
Aggravated Identity Theft

The grand jury further charges:

40. Paragraphs 1-29 are incorporated herein as if set forth in full.

41. Beginning at least on or about June 6, 2014, and continuing until at least January 22, 2016, in the Western District of and elsewhere, the defendants, WU YINGZHUO, a/k/a a/k/a "Christ Wu," a/k/a ; DONG HAO, a/k/a "Bu Yi," a/k/a "Dong Shi Ye," a/k/a "Tianyu"; and XIA LEI, a/k/a "Sui Feng Yan Mie," aided and abetted by others known and unknown to the grand jury, during and in relation to the crime of conspiracy to commit computer fraud and abuse, in violation of Title 18, United States Code, Section 1030(b), and wire fraud, in violation of Title 18, United States Code, Section 1343, as more fully set forth in Counts One and Three above, did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person.

42. On or about the dates identified in Column B of the chart set forth below, each date constituting a separate count as set forth in Column A, defendants did knowingly transfer, possess, and use, without lawful authority, a means of identification of another person, listed by initials in Column C, who was associated with a victim listed in Column D.

A        B                     C                                      D
Count    Date (On or About)    Means of Identification Belonging to   Victim
4        June 6, 2014          RP                                     Siemens
5        June 7, 2014          BR                                     Siemens
6        January 9, 2016       KB                                     Trimble
7        January 14, 2016      RM                                     Trimble
8        January 22, 2016      BM                                     Trimble

In violation of Title 18, United States Code, Sections 1028A(a)(1), 1028A(b), 1028(c)(4), and 2.

A true bill,

SONG
Acting United States Attorney
DC ID No. 457268

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994‐7000, Fax: 202/994‐7005, nsarchiv@gwu.edu