U.S. Indicts Chinese For Hacking Siemens, Moody’s

U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S.-based companies, including data from Siemens industrial groups, and for accessing a high-profile email account at Moody’s.

Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.  

Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.

According to the FBI, the hackers work for Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec,” which purports to be a China-based Internet security firm.

Tracked as APT3 by FireEye, and Gothic Panda by CrowdStrike, the group is also known as UPS Team, Buckeye and TG-0110, and has previously been linked to the Chinese Ministry of State Security (MSS).

“We’ve tracked their activity back to 2007 and they are one of the most technically advanced state-affiliated actors in China,” Adam Meyers, VP of Intelligence at CrowdStrike, told SecurityWeek. “Their previous targeting includes industries such as Aerospace, Defense, Energy, Technology, NGOs, etc., that are primarily aligned with China’s economic objectives.”

In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that Boyusec had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, set to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said.  “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

Intrusion Truth previously conducted an analysis of APT3’s command and control (C&C) infrastructure, and analyzed domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Researchers noticed last year that the group had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.” 

CrowdStrike has seen an uptick in activity by the group since 2016, Meyers said.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents to support their espionage efforts.

“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information,” said Acting U.S. Attorney Song. “These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
