UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA

v.

ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and
ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp,"

Defendants.

SEALED INDICTMENT
18 Cr. ___

COUNT ONE
(Conspiracy to Commit Computer Intrusions)

The Grand Jury charges:

OVERVIEW

1. At all times relevant to this Indictment, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, both of whom were nationals of the People's Republic of China ("China"), were members of a hacking group operating in China known within the cyber security community as Advanced Persistent Threat 10 (the "Group")[1], or alternatively as "Red Apollo," "Stone Panda," "MenuPass," and [illegible].

    [1] "APT" is a designation given in the cyber security community to an individual or group that uses sophisticated techniques to exploit vulnerabilities in victim computer systems, and employs an external command and control system to target a specific entity or range of entities and maintain a persistent presence on its targets.

2. From at least in or about 2006 up to and including in or about 2018, members of the Group, including ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, conducted extensive campaigns of global intrusions into computer systems. The defendants worked for Huaying Haitai Science and Technology Development Company ("Huaying Haitai") in Tianjin, China, and acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau.

3. While the Group employed similar hacking tools and techniques over the course of its campaigns, the Group's hacking operations evolved over time, demonstrating advances in overcoming network defenses, victim selection, and tradecraft. Moreover, the Group utilized some of the same online facilities to initiate, facilitate, and execute its
network campaigns during the conspiracy, thereby reflecting the Group's continuous and unrelenting effort, from in or about 2006 up to and including in or about 2018, to steal technologies and other information of value to the conspiracy. For example, as detailed herein, the Group was engaged in at least two computer intrusion campaigns during the relevant time period, both aiming to steal, among other data, intellectual property and confidential business or technological information:

a. First, beginning in or about 2006, members of the Group, including ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of commercial and defense technology companies and U.S. Government agencies in order to steal information and data concerning a number of technologies (the "Technology Theft Campaign"). Specifically, the Group obtained unauthorized access to the computers of more than 45 such entities based in at least 12 states, including Arizona, California, Connecticut, Florida, Maryland, New York, Ohio, Texas, Utah, Virginia, and Wisconsin. Through the Technology Theft Campaign, the Group stole hundreds of gigabytes of sensitive data and targeted the computers of victim companies involved in a diverse array of commercial activity, industries, and technologies, including aviation, space and satellite technology, manufacturing technology, pharmaceutical technology, oil and gas exploration and production technology, communications technology, computer processor technology, and maritime technology.

b. Second, beginning at least in or about 2014, members of the Group, including ZHU and ZHANG, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of managed service providers ("MSPs") for businesses and governments around the world (the "MSP Theft Campaign"). MSPs are companies that remotely manage their clients'
information technology infrastructure, including by providing computer servers, storage, networking, consulting, and information technology support. The Group targeted MSPs in order to leverage the MSPs' networks to gain unauthorized access to the computers and computer networks of the MSPs' clients and steal, among other data, intellectual property and confidential business data on a global scale. For example, through the MSP Theft Campaign, the Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients located in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States. Those compromised clients included companies that were involved in a diverse array of commercial activity, industries, and technologies, including banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.

c. In addition, the Group compromised more than 40 computers in order to steal confidential data from those systems belonging to the United States Department of the Navy (the "Navy"), including the personally identifiable information of more than 100,000 Navy personnel.

MEANS AND METHODS OF THE CONSPIRACY

The Technology Theft Campaign

4. Members of the Group, including ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, engaged in the following stages of activity to orchestrate and manage the computer intrusions committed during the Technology Theft Campaign, which are generally summarized below:

a. First, members of the Group used a technique known as "spear phishing" to introduce malicious software ("malware") onto targeted computers. Members of the conspiracy sent customized emails to intended targets
with attached documents and files that would surreptitiously install malware if opened. In order to trick the recipients of the spear phishing emails into opening the attachments that installed the malware, the emails purported to be sent from legitimate email addresses, when in fact the emails were sent by members of the conspiracy. In addition, the content of the email messages and the filenames of the attachments appeared to be legitimate and to contain information of interest to the recipients. For example, one spear phishing email purported to originate from an email address associated with a victim company ("Victim-1") involved in communications technology, when it actually originated from a different account, which was unaffiliated with Victim-1 and was logged in from a computer assigned an Internet protocol ("IP") address[2] located in Tianjin, China, under the control of the Group. That email, which was sent to employees of another victim company ("Victim-2") involved in helicopter manufacturing, had the subject line "Antenna problems," carried a malicious Microsoft Word attachment named "12-204 Side Load Testing.doc," and stated the following: "Please see the attached the files." When the attachment named "12-204 Side Load Testing.doc" was opened, malware was installed on the computer of Victim-2. By using these spear phishing methods, the conspirators intended to and did cause the recipients of the emails to open the attachments without arousing suspicion as to the source of the email or its attachments.

b. Second, once a recipient of a spear phishing email opened the attachment to the email, the attachment installed malware on the victim's computer. The malware typically included customized variants of a remote access Trojan, including one known as "Poison Ivy," and keystroke loggers, which are programs that surreptitiously recorded

    [2] Each electronic device or computer resource connected to the Internet must be assigned a unique IP address so that communications from or directed to that electronic device are
routed properly.

computer keystrokes to steal usernames and passwords as the user of the victim systems typed them. The malware was programmed to automatically communicate with domains that were assigned IP addresses of computers under the control of members of the Group, allowing them to maintain visibility and persistent remote access to the compromised computers over the Internet. In particular, the Group used dynamic Domain Name System ("DNS") service providers to host their malicious domains, including a provider located in the Southern District of New York, which allowed the Group to route the pre-programmed malicious domains in their malware to different IP addresses of computers under their control. This mode of operation enabled the Group to frequently and rapidly change the IP addresses associated with their malicious domains without having to adjust the malware or domains already on a victim's computers, providing the Group with operational flexibility and persistence, as well as helping them avoid detection by bypassing network security filters that might block identified malicious IP addresses.

c. Third, after the malware was successfully installed, the Group downloaded additional malware and tools to compromised computer systems in order to further compromise the victim's computers.

d. Fourth, after the Group had gained unauthorized access to a victim's computers and identified data of interest on those computers, the Group collected the relevant files and other information from the compromised computers and exfiltrated the stolen files and information, in archives, to computers under their control.

5. Over the course of the Technology Theft Campaign, the defendants and their coconspirators successfully obtained unauthorized access to at least approximately 90 computers belonging to, among others, commercial and defense technology companies and U.S. Government agencies located in at least 12 states, and stole hundreds of gigabytes of sensitive data and information from their computer
systems, including from at least the following victims:

a. seven companies involved in aviation, space, and/or satellite technology;
b. three companies involved in communications technology;
c. three companies involved in manufacturing advanced electronic systems and/or laboratory analytical instruments;
d. a company involved in maritime technology;
e. a company involved in oil and gas drilling, production, and processing;
f. the National Aeronautics and Space Administration ("NASA") Goddard Space Center; and
g. the NASA Jet Propulsion Laboratory.

6. In addition to the above victims, the defendants and their coconspirators successfully obtained unauthorized access to computers belonging to at least 25 other technology-related companies involved in, among other things, industrial factory automation, radar technology, oil exploration, information technology services, pharmaceutical manufacturing, and computer processor technology, as well as the U.S. Department of Energy's Lawrence Berkeley National Laboratory.

The MSP Theft Campaign

7. In order to conduct the MSP Theft Campaign, members of the Group, including ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, generally engaged in the same stages of activity involved in the Technology Theft Campaign as set forth above in paragraph 4. In addition, the Group engaged in the following conduct related to the MSP Theft Campaign:

a. After the Group had gained unauthorized access into the computers of an MSP, the Group installed multiple different customized variants of malware, commonly known as "PlugX," "RedLeaves," and "QuasarRAT," on MSP computers located around the world. The malware was installed using malicious files that masqueraded as legitimate files used by a victim computer's operating system, in order to mask the Group's actions as legitimate and thereby avoid antivirus detection. Such malware enabled members of the Group to monitor victims' computers remotely and steal user
credentials using various credential theft tools. The malware was also pre-programmed to automatically communicate with domains hosted by DNS service providers that were assigned IP addresses of computers under the control of the Group. In total, the Group registered approximately 1,300 unique malicious domains in connection with the MSP Theft Campaign, some of which were registered using accounts opened as early as in or about 2010.

b. Once the Group had stolen administrative credentials from computers of an MSP, it used those stolen credentials to initiate Remote Desktop Protocol ("RDP") connections to other systems within an MSP's and its clients' networks. This mode of operation enabled the Group to move laterally through the interconnected networks of an MSP and its clients and to compromise an MSP's and its clients' computers on which no malware had been previously installed.

c. Finally, after data of interest was identified on a compromised computer and packaged for exfiltration using archives, the Group often used stolen credentials to move the data of an MSP client to one or more other compromised computers of the MSP or of its other clients' networks before the final exfiltration of the data to IP addresses under the control of the Group. The Group usually deleted the stolen files from the compromised computers, thereby seeking to avoid detection and to prevent identification of the specific files that were stolen.

8. Throughout the conspiracy period, after the U.S. Government or certain private sector firms issued various public reports identifying Group malware or domains as malicious, the Group modified or abandoned such hacking infrastructure. For example, in or about February 2007, during the Technology Theft Campaign, InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation, issued a public report identifying the malicious domains used by the Group. Shortly after the InfraGard report's release, the
Group stopped using the malicious domains identified in the report. Similarly, in or about April 2017, during the MSP Theft Campaign, a private cyber security firm issued a public report identifying the malicious domains used by the Group. Shortly after the report was issued, the Group began using new variants of malware and new domains to commit intrusions, which would be less likely to be detected by victim companies and antivirus software.

9. Over the course of the MSP Theft Campaign, members of the Group, including ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, successfully obtained unauthorized access to computers providing services to or belonging to victim companies located in at least 12 countries, including from at least the following victims:

a. a global financial institution;
b. three telecommunications and/or consumer electronics companies;
c. three companies involved in commercial or industrial manufacturing;
d. two consulting companies;
e. a healthcare company;
f. a biotechnology company;
g. a mining company;
h. an automotive supplier company; and
i. a drilling company.

10. Finally, the Group also compromised more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.

The Defendants' Participation in the Hacking Campaigns

11. At all times relevant to this Indictment, the Group was a hacking group operating in Tianjin, China, among other places in China. The members of the Group worked in an office environment and typically engaged in hacking operations during working hours in China.

12. ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," the defendant, a penetration tester who worked for Huaying Haitai, registered malicious domains and hacking infrastructure used in connection with the Group's intrusion campaigns and
engaged in hacking operations on behalf of the Group. ZHU was also involved in the recruitment of other individuals to the Group.

13. ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendant, who worked for Huaying Haitai, registered malicious domains and hacking infrastructure used in connection with the Group's intrusion campaigns. ZHANG also developed and tested malware used in connection with the Group's intrusion campaigns.

STATUTORY ALLEGATIONS

14. From at least in or about 2006 up to and including in or about 2018, in the Southern District of New York and elsewhere, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, who will first be brought to the Southern District of New York, and others known and unknown, willfully and knowingly combined, conspired, confederated, and agreed together and with each other to commit computer intrusion offenses in violation of Title 18, United States Code, Sections 1030(a)(2)(C), 1030(a)(4), 1030(c)(3)(A), 1030(a)(5)(A), [illegible](VI), and [illegible].

15. It was a part and an object of the conspiracy that ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, and others known and unknown, would and did intentionally access computers without authorization and exceed authorized access, and thereby would and did obtain information from protected computers, and the value of the information obtained would and did exceed $5,000, in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and [illegible].

16. It was further a part and an object of the conspiracy that ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, and others known and unknown, knowingly and with the intent to defraud, would and did access protected computers without authorization and exceed authorized access, and by means of such conduct further the intended fraud
and obtain anything of value, in violation of Title 18, United States Code, Sections 1030(a)(4) and 1030(c)(3)(A).

17. It was further a part and an object of the conspiracy that ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, and others known and unknown, knowingly would and did cause the transmission of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to protected computers, which caused loss to one and more persons during any one-year period aggregating at least $5,000 in value, and damage affecting ten or more protected computers during any one-year period, in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and [illegible](VI).

(Title 18, United States Code, Sections 1030(b) and 3238.)

COUNT TWO
(Conspiracy to Commit Wire Fraud)

The Grand Jury further charges:

18. The allegations contained in paragraphs 1 through 13 of this Indictment are repeated and realleged as if fully set forth herein.

19. From at least in or about 2006 up to and including in or about 2018, in the Southern District of New York and elsewhere, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, who will first be brought to the Southern District of New York, and others known and unknown, willfully and knowingly did combine, conspire, confederate, and agree together and with each other to commit wire fraud, in violation of Title 18, United States Code, Section 1343.

20. It was a part and object of the conspiracy that ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, and others known and unknown, willfully and knowingly, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and
promises, would and did transmit and cause to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice, in violation of Title 18, United States Code, Section 1343, to wit, ZHU and ZHANG engaged in a scheme, together with others, to fraudulently obtain intellectual property and confidential business or technological information from victim companies by remotely accessing, through the Internet and without authorization, the computers of the victims using stolen login credentials of victim employees.

(Title 18, United States Code, Sections 1349 and 3238.)

COUNT THREE
(Aggravated Identity Theft)

The Grand Jury further charges:

21. The allegations contained in paragraphs 1 through 13 of this Indictment are repeated and realleged as if fully set forth herein.

22. From at least in or about 2006 up to and including in or about 2018, in the Southern District of New York and elsewhere, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, who will first be brought to the Southern District of New York, knowingly transferred, possessed, and used, without lawful authority, a means of identification of another person during and in relation to a felony violation enumerated in Title 18, United States Code, Section 1028A(c), and aided and abetted the same, to wit, ZHU and ZHANG transferred, possessed, and used, and aided and abetted the transfer, possession, and use of, the name of another person and login credentials, including usernames and passwords, of various employees of victims of computer intrusions during and in relation to the computer fraud and wire fraud offenses charged in Counts One and Two of this Indictment.

(Title 18, United States Code, Sections 1028A(a)(1), 3238, and 2.)

FORFEITURE ALLEGATION AS TO COUNT ONE

23. As a result of committing the offense alleged in Count One of this
Indictment, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, shall forfeit to the United States, pursuant to Title 18, United States Code, Section 1030(i), any and all property, real and personal, constituting or derived from any proceeds obtained directly or indirectly as a result of said offense, and any and all personal property that was used or intended to be used to commit or to facilitate the commission of said offense, including but not limited to a sum of money in United States currency representing the amount of proceeds traceable to the commission of said offense.

FORFEITURE ALLEGATION AS TO COUNT TWO

24. As a result of committing the offense alleged in Count Two of this Indictment, ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp," the defendants, shall forfeit to the United States, pursuant to Title 18, United States Code, Section [illegible], and Title 28, United States Code, Section 2461(c), any and all property, real and personal, that constitutes or is derived from proceeds traceable to the commission of said offense, including but not limited to a sum of money in United States currency representing the amount of proceeds traceable to the commission of said offense.

Substitute Assets Provision

25. If any of the above-described forfeitable property, as a result of any act or omission of the defendants:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third person;
c. has been placed beyond the jurisdiction of the Court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be subdivided without difficulty;

it is the intent of the United States, pursuant to Title 21, United States Code, Section 853(p), and Title 28, United States Code, Section 2461(c), to seek forfeiture of any other property of the defendants up to the value of the
above forfeitable property.

(Title 18, United States Code, Sections 981 and 1030; Title 21, United States Code, Section 853; and Title 28, United States Code, Section 2461.)

GEOFFREY S. BERMAN
United States Attorney

Form No. [illegible] (Ed. 9-25-58)

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK

UNITED STATES OF AMERICA

v.

ZHU HUA, a/k/a "Afwar," a/k/a "Alayos," a/k/a "Godkiller," and
ZHANG SHILONG, a/k/a "Baobeilong," a/k/a "Zhang Jianguo," a/k/a "Atreexp,"

Defendants.

SEALED INDICTMENT
18 Cr. ___

(18 U.S.C. §§ 1030(b), 1349, 1028A(a)(1), and 2.)

GEOFFREY S. BERMAN
United States Attorney

FOREPERSON
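The dynamic-DNS tradecraft described in paragraph 4(b), and the roughly 1,300 registered domains in paragraph 7(a), carry a lesson for the defender that the indictment states only from the attacker's side: a blocklist of IP addresses is defeated by a hostname the operator can re-point at will, so the durable signal is the hostname itself and how often its answers change. The Python below is an added example written for this page, not code from the indictment or from the investigators. The provider zones in DDNS_ZONES and every resolver log line are constructed for illustration, and the four-hour window and three-address threshold are assumptions to be tuned against a site's own baseline.

```python
"""
Hunt resolver logs for names under dynamic-DNS provider zones whose A-record
answers churn across several addresses in a short window, the pattern that
lets an operator move command-and-control without touching the implant.
Added example for this page; zones, thresholds and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed dynamic-DNS provider zones. A real deployment loads these from a
# curated list or threat feed; nothing here is taken from the indictment.
DDNS_ZONES = ("dyn-example.net", "ddns-example.org")

# One log line: ISO timestamp, client IP, queried name, record type, answer.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) A (?P<answer>\S+)$")

# Constructed resolver log. 10.1.1.20 keeps asking for one DDNS name whose
# answer moves four times in ~2 hours; the other clients look ordinary.
SAMPLE_LOG = """\
2017-03-01T08:00:00 10.1.1.20 update.dyn-example.net A 203.0.113.10
2017-03-01T08:20:00 10.1.1.20 update.dyn-example.net A 203.0.113.10
2017-03-01T09:00:00 10.1.1.20 update.dyn-example.net A 198.51.100.7
2017-03-01T09:30:00 10.1.1.20 update.dyn-example.net A 192.0.2.44
2017-03-01T10:15:00 10.1.1.20 update.dyn-example.net A 203.0.113.99
2017-03-01T08:05:00 10.1.1.31 cdn.example.com A 93.184.216.34
2017-03-01T09:05:00 10.1.1.31 cdn.example.com A 93.184.216.34
2017-03-01T08:10:00 10.1.1.42 home.ddns-example.org A 198.51.100.20
"""


def parse(log_text):
    """Yield one dict per well-formed A-record log line; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "qname": m["qname"].lower().rstrip("."),
            "answer": m["answer"],
        }


def in_ddns_zone(qname):
    """True when qname is a DDNS zone apex or a label beneath one."""
    return any(qname == z or qname.endswith("." + z) for z in DDNS_ZONES)


def find_flux(log_text, window=timedelta(hours=4), min_ips=3):
    """Return {qname: {"ips": [...], "clients": [...]}} for DDNS names that
    resolved to at least min_ips distinct addresses inside any sliding
    window. A home host on a DDNS service rarely re-points three times in
    four hours; an operator rotating C2 infrastructure does exactly that."""
    by_name = defaultdict(list)
    for rec in parse(log_text):
        if in_ddns_zone(rec["qname"]):
            by_name[rec["qname"]].append(rec)

    hits = {}
    for qname, recs in by_name.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            ips = {r["answer"] for r in in_window}
            if len(ips) >= min_ips:
                hits[qname] = {
                    "ips": sorted(ips),
                    "clients": sorted({r["client"] for r in recs}),
                }
                break  # one finding per name is enough for triage
    return hits


if __name__ == "__main__":
    for name, info in find_flux(SAMPLE_LOG).items():
        print(f"{name}: {len(info['ips'])} addresses, asked by {info['clients']}")
```

The check deliberately keys on the queried name rather than the answers: blocking 203.0.113.10 after the first report would have missed the three later addresses, which is the evasion paragraph 4(b) describes, whereas a sinkhole or block on the name survives every re-point. Treat the hit list as a starting point for pivoting into proxy and endpoint data for the querying clients, not as a verdict.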
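Paragraphs 7(b) and 7(c) describe stolen MSP administrator credentials used over RDP to hop from the provider into several client tenants and to stage archives on other compromised hosts, and paragraph 11 notes the operators kept Chinese working hours. One hunt that surfaces that pattern looks for a single account opening RDP sessions to many hosts across more than one tenant in a short window, outside the victim's business hours. The block below is an added example written for this page, not evidence or code from the indictment. The logon records, host names and tenant labels are constructed; the field names follow Windows Security event 4624, where logon type 10 is a RemoteInteractive (RDP) logon; the "network" field is assumed to be attached by the log collector from asset inventory; and the two-hour window, the host and tenant counts, and the 06:00 to 20:00 business-hours range are assumptions to tune locally.

```python
"""
Flag one account fanning out over RDP across an MSP's and its clients'
networks, the lateral-movement pattern described in paragraphs 7(b)-(c).
Added example for this page; all events, hosts and tenant labels are
constructed, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # Windows 4624 LogonType 10 = RemoteInteractive
BUSINESS_HOURS = (6, 20)     # assumption: victim's local 06:00-20:00

# Constructed 4624 records. 'network' is assumed to be filled in by the
# collector from asset inventory (which tenant the destination host belongs to).
EVENTS = [
    {"ts": "2017-02-10T02:03:11", "account": "msp\\svc_admin", "logon_type": 10,
     "src_ip": "10.10.0.5", "dst_host": "msp-jump01", "network": "msp"},
    {"ts": "2017-02-10T02:09:40", "account": "msp\\svc_admin", "logon_type": 10,
     "src_ip": "10.10.0.5", "dst_host": "clientA-fs01", "network": "clientA"},
    {"ts": "2017-02-10T02:21:05", "account": "msp\\svc_admin", "logon_type": 10,
     "src_ip": "10.20.1.8", "dst_host": "clientA-db02", "network": "clientA"},
    {"ts": "2017-02-10T02:44:52", "account": "msp\\svc_admin", "logon_type": 10,
     "src_ip": "10.20.1.8", "dst_host": "clientB-web01", "network": "clientB"},
    {"ts": "2017-02-10T03:02:17", "account": "msp\\svc_admin", "logon_type": 10,
     "src_ip": "10.30.4.2", "dst_host": "clientB-fs01", "network": "clientB"},
    # An ordinary user in one tenant during the day: one RDP logon, one SMB logon.
    {"ts": "2017-02-10T09:15:00", "account": "clientA\\jdoe", "logon_type": 10,
     "src_ip": "10.20.5.50", "dst_host": "clientA-fs01", "network": "clientA"},
    {"ts": "2017-02-10T09:30:00", "account": "clientA\\jdoe", "logon_type": 3,
     "src_ip": "10.20.5.50", "dst_host": "clientA-db02", "network": "clientA"},
]


def is_off_hours(ts):
    """True when ts falls outside the assumed local business-hours range."""
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def rdp_fanout(events, window=timedelta(hours=2), min_hosts=3, min_networks=2):
    """Return one alert per account whose RDP logons inside any sliding window
    reach >= min_hosts distinct hosts spanning >= min_networks tenants.
    Crossing tenants is what separates this from an MSP engineer's routine
    maintenance inside a single client network."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        by_account[e["account"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))

    alerts = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            span = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            hosts = {r["dst_host"] for r in span}
            nets = {r["network"] for r in span}
            if len(hosts) >= min_hosts and len(nets) >= min_networks:
                alerts.append({
                    "account": account,
                    "first_seen": first["ts"].isoformat(),
                    "hosts": sorted(hosts),
                    "networks": sorted(nets),
                    # Every logon in the window outside business hours is a
                    # second, independent signal (paragraph 11's working-hours point).
                    "off_hours": all(is_off_hours(r["ts"]) for r in span),
                    "sources": sorted({r["src_ip"] for r in span}),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in rdp_fanout(EVENTS):
        print(f"{a['account']} reached {len(a['hosts'])} hosts in "
              f"{a['networks']} from {a['first_seen']} (off hours: {a['off_hours']})")
```

The "sources" list is worth keeping in the alert: a chain of source addresses that each sit inside the tenant of the previous destination is the host-to-host staging movement of paragraph 7(c), and it tells the responder which machines to image before the operator deletes the archives, as the indictment says the Group usually did.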