Analysis of Victim Companies in PLA Indictment

Newly appointed U.S. Attorney David Hickton convinced a Western Pennsylvania grand jury that “five officers in Unit 61398 of the Third Department of the Peoples Liberation Army hacked or attempted to hack into U.S. entities named in the indictment.” This indictment fails on multiple levels, which I’ll demonstrate in this article, but the bottom line is that it isn’t actionable.

It will not only fail to stop China’s long-term goal of accelerating its technological development through an entire spectrum of technology transfer activities including hacking, it will make future efforts to work collaboratively with China harder to do. Furthermore, it is a continuation of the already failed “China Pivot” strategy that the U.S. tried to implement against the expansion of China’s ADIZ (Air Defense Identification Zone) earlier this year.

The great irony in this indictment is that all of the companies mentioned as victims of Chinese government hacking not only continue to do business in China but are working hard to increase sales there. One of the victims, Westinghouse, didn’t even know that DOJ was pursuing an indictment. How is it that CEOs understand what the President of the U.S. and his Attorney General do not: that, to a certain extent, theft of intellectual property is a cost of doing business? In fact, as the CEO of a company that advises several multi-nationals (MNCs) on how to securely operate in China and other high-risk states, I don’t know of a single company that has abandoned that market because of hacking attacks.

This article will take a close look at each of the victim companies to see if there is any corroborating evidence that supports the charge that the PLA and by extension the Chinese government is responsible.

SolarWorld AG

SolarWorld AG is a German company with a U.S. subsidiary. It sells expensive silicon-based solar panels and has been losing money steadily for three years. It filed the German equivalent of a Chapter 13 bankruptcy in August, 2013. It has blamed its poor sales on alleged unfair trade practices by China, which sells a cheaper silicon version as well as a thin-film version (something that SolarWorld doesn’t sell). Since it’s a cheaper product, U.S. companies that sell and install solar panels prefer to buy from China instead of SolarWorld. The U.S. International Trade Commission ruled affirmatively to support the dumping charge against China while the U.S. solar industry lobby group sought to find a compromise.

The indictment alleges that the defendant Wen Xinyu stole thousands of files including ones related to the case “which would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.” However, had the U.S. Attorney’s office done a bit more research, they would have learned that SolarWorld was already in financial trouble, so unless someone wanted to learn how to fail at being a profitable company, there was nothing about SolarWorld’s business operations worth targeting.

More importantly, the Chinese government has only ever been interested in “acquiring” IP related to technologies that it wants to develop, or to accelerate development that’s already underway. SolarWorld’s technology was silicon-based while China and SolarWorld’s U.S. competitors had shifted to a thin-film module that’s cheaper and more powerful. Since China already had a superior technology, it would gain nothing by hacking SolarWorld.


Westinghouse

The indictment alleges that in 2010 the defendant Sun Kailiang stole technical and design specifications for pipes, pipe supports and pipe routing for four AP1000 power plants that Westinghouse was building with its Chinese partner, a State-Owned Enterprise (SOE), and that later, in 2010-2011, Sun stole some Westinghouse executive emails. The SOE is the State Nuclear Power Technology Corporation (SNPTC).

While nuclear technology definitely qualifies as something that China would be willing to steal, in this case it didn’t need to. Westinghouse had agreed to sell China its nuclear technology and transfer that knowledge through the creation of a joint venture with a State-owned entity to build four nuclear power plants. In fact, the SNPTC was created solely for that purpose.

Then, on November 23, 2010, Westinghouse handed 75,000 documents over to the SNPTC “as the initial part of a technology transfer agreement relating to Sanmen and Haiyang reactors”.

Had Westinghouse not made this technology transfer deal with the Chinese government, this would have been a perfect case for the U.S. Attorney. He could cite the State Council’s 2006-2020 National Medium and Long-Term Program for Science and Technology Development, which called for “advanced pressurized water reactor technology” and then point to this Westinghouse breach of data about pipes that are used for just that purpose!

Unfortunately for Hickton and Attorney General Holder, the “victim” (Westinghouse) had already sold the technology to the alleged “criminal”, the Chinese government. You don’t have to steal something that you already own.

U.S. Steel

The indictment alleges that in 2010, the defendant Sun Kailiang successfully used a spear phishing attack against employees at U.S. Steel and obtained host names and descriptions for servers because of a WTO complaint.

China has long been the world’s top steel exporter. In 2013, its share was 48.5%. The U.S. was in 4th place with 7%. What possible motive could the Chinese government have to hack the network of U.S. Steel? There was no technological transfer at stake, and at least according to the indictment, nothing happened to U.S. Steel apart from the spear phishing incident. Why is this even in the indictment?


Alcoa

The indictment alleges that in 2008, Alcoa formed a partnership with a Chinese State-owned company to acquire a stake in a foreign mining company and that soon after that partnership was formed, Sun Kailiang sent a spear phishing email to Alcoa employees. There are no further details provided about this attack.

An Alcoa news release revealed that the Chinese SOE was the Aluminum Corporation of China (Chinalco) and that the foreign mining company was Australia’s Rio Tinto. The deal was worth about US$1B to Alcoa. However, Rio Tinto backed out of the acquisition just a few months later because of anti-China sentiment in the Australian government.

The relationship between Alcoa and Chinalco extended back to 2001 and Chinalco’s 2008 deal with Alcoa on the Rio Tinto acquisition was worth a lot of money to Alcoa. There was no tech transfer at stake and the Chinese government would not benefit by launching a clumsy spear phishing attack against its new joint venture partner. 

Allegheny Technologies, Inc. (ATI)

The indictment alleges that in April, 2012 defendant Wen Xinyu stole network credentials from Allegheny Technologies employees. Presumably, although the indictment doesn’t specify this, Wen used a spear phishing attack. Dan Greenfield, an Allegheny Technologies Inc. spokesman, told Bloomberg reporters yesterday that Alcoa didn’t report the attack to the SEC because “there was no material incident.”

ATI’s FRP sector has two Chinese joint ventures: a 60% share in Shanghai STAL Precision Stainless Steel Company Limited (STAL), and a 50% share in a titanium joint venture called Uniti LLC. Overall, ATI isn’t doing well financially and its sales to China account for only 5% of its income. Like U.S. Steel and Alcoa, ATI has no technology transfer value to China. Even worse, nothing adverse happened to the company.


The Chinese government uses many tactics to acquire advanced technology, especially if the foreign company whose technology it wants is doing business in China. It monitors and collects all communications inside its borders. It can demand to see source code. A percentage of every China-based foreign company’s employees must be Chinese nationals and all of them effectively work for the Chinese government while they are working for you. If you’re a visiting executive from a company which is considered high value to China’s national interests, you may be provided with a beautiful translator/tour guide for the duration of your stay who will undoubtedly find you and your work equally fascinating. At the very least, your hotel room will be wired, your laptop compromised, and the hotel staff bribed to report on your activities. And yes, your corporate network will be attacked by government-employed hackers and your files copied – BUT – only if your company’s technology is of interest to the Chinese government. Of the five companies mentioned in this indictment, not a single one had technology valuable to China except for Westinghouse which sold China the technology it wanted, and then taught Chinese engineers how to use it.

I haven’t seen any proof that these five men were employed by the PLA at the time of these attacks. At least one researcher has convincingly argued that “Defendant Wang” was never a member of the PLA at all; just an admirer. Considering the low skill level of these five defendants, it’s much more likely that these hackers were acting on their own, looking for anything that they might be able to sell.

And while I can’t point to any hard evidence, I have a strong suspicion that this indictment was born out of political pressure or ambition. I personally know some outstanding FBI cyber crime professionals and I can’t believe that any of them would sign off on this had they been consulted. The problem of IP theft by nation states against U.S. companies is ongoing and unrelenting. If this is the best that the Dept of Justice can do, things will get much, much worse for U.S. companies.

Related Reading: “Why Did DOJ Indict The Chinese Military Officers” by Jack Goldsmith
