On a wall facing dozens of cubicles at the FBI office in Pittsburgh, five guys from Shanghai stare from “Wanted” posters. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui are, according to a federal indictment unsealed last year, agents of China’s People’s Liberation Army Unit 61398, who hacked into networks at American companies—U.S. Steel, Alcoa, Allegheny Technologies (ATI), Westinghouse—plus the biggest industrial labor union in North America, United Steelworkers, and the U.S. subsidiary of SolarWorld, a German solar-panel maker. Over several years, prosecutors say, the agents stole thousands of e-mails about business strategy, documents about unfair-trade cases some of the U.S. companies had filed against China, and even piping designs for nuclear power plants—all allegedly to benefit Chinese companies.
It is the first case the United States has brought against the perpetrators of alleged state-sponsored cyber-espionage, and it has revealed computer-security holes that companies rarely acknowledge in public. Although the attackers apparently routed their activities through innocent people’s computers and made other efforts to mask themselves, prosecutors traced the intrusions to a 12-story building in Shanghai and outed individual intelligence agents. There is little chance that arrests will be made, since the United States has no extradition agreements with China, but the U.S. government apparently hopes that naming actual agents—and demonstrating that tracing attacks is possible—will embarrass China and put other nations on notice, inhibiting future economic espionage.
That may be unrealistic. Security companies say such activity is continuing, and China calls the accusations “purely ungrounded and absurd.” But there’s another lesson from the indictment: businesses are now unlikely to keep valuable information secure online. Whatever steps they are taking are not keeping pace with the threats. “Clearly the situation has gotten worse, not better,” says Virgil Gligor, who co-directs Carnegie Mellon University’s computer security research center, known as CyLab. “We made access to services and databases and connectivity so convenient that it is also convenient for our adversaries.” Once companies accept that, Gligor says, the most obvious response is a drastic one: unplug.
Fracking and hacking
Sitting at a small conference table in his office in the federal courthouse in Pittsburgh, David Hickton, the United States attorney for western Pennsylvania, opened a plastic container he’d brought from home and removed and peeled a hard-boiled egg for lunch. Although we were discussing an investigation involving global players and opaque technologies, the homey feel of our meeting was apt: the case had many roots in close-knit business and political circles in Pittsburgh. Hickton showed me a framed photo on a shelf. In the picture, he and a friend named John Surma are standing next to their sons, the boys wearing hockey uniforms, fresh from the ice. Both fathers had attended Penn State. As Hickton rose in the prosecutorial ranks, Surma rose in the corporate world, becoming CEO of U.S. Steel. When Hickton became the top federal prosecutor in the area in 2010, one of his meet-and-greet breakfasts was with Surma and Leo Girard, the boss of United Steelworkers, which represents 1.2 million current or retired workers in several industries. “I was asking them in a completely unrelated matter to serve on a youth crime prevention council,” Hickton recalls. “They said, ‘Can we talk to you about something else?’”
At the time, the American fracking boom was in full swing, with ultra-low interest rates that had been set to stimulate the economy also lubricating the business of extracting previously hard-to-reach natural gas and oil. U.S. Steel had a flourishing business selling pipes specially designed for the extraction process. Among other traits, the pipes have no vertical seams, so they will hold up as they’re rammed thousands of feet into the earth and yet bend to convey oil and gas without breaking.
But U.S. Steel also noticed two unsettling developments. First, Chinese state-owned companies were exporting lots of similar pipe into the United States at low prices. So U.S. Steel filed complaints with the U.S. Department of Commerce and the U.S. International Trade Commission, accusing China of subsidizing its industries; the resulting cases ultimately led to sanctions against China. Second, both the company and the union were aware that suspicious e-mails had come in. But it wasn’t clear who was behind them or whether any damage was occurring. “There was a general awareness of intrusions, but not ‘when, where, how’ and the scope,” Hickton says.
The e-mails were cleverly designed. They purported to be from colleagues or board members, with subject lines relating to meeting agendas or market research, but they delivered malware by means of attachments or links. For example, the indictment says, on February 8, 2010—two weeks before a preliminary ruling from the Commerce Department—the hackers sent an e-mail to several U.S. Steel employees. It seemed to be from the CEO but included a link to a website that held malware. A few employees clicked it, and their computers were soon infected. The result: the hackers stole host names for 1,700 servers that controlled access to the company’s facilities and networks. The indictment says Wang then tried to exploit that access, but it doesn’t specify what information was exposed.
Debbie Shon, U.S. Steel’s vice president for trade, told me that the information included valuable business intelligence. “It wasn’t high-tech designs,” she says. “It was the equally important stuff—the business strategies, the pricing, the production amounts, and the timing and content of any trade complaints that U.S. Steel, as one of the biggest companies in this area, might be exploring.”
The indictment details several similar attacks. Between 2007 and 2013, Westinghouse was negotiating the details of a contract with a Chinese company to build four nuclear reactors. From 2010 to 2012, one of the defendants allegedly stole at least 1.4 gigabytes of data—roughly 700,000 pages of e-mail and attachments—from Westinghouse’s computers. The files included piping designs and communications in which Westinghouse disclosed worries about Chinese competition. At ATI, the hackers allegedly stole the passwords of 7,000 employees while the company was in a trade dispute focused on its sales to China. At Alcoa, prosecutors allege, the hackers stole 2,900 e-mails with more than 860 attachments around the time the company was negotiating deals with Chinese businesses. (Alcoa, Westinghouse, and ATI all declined to comment for this story.) And in 2012, after the steelworkers’ union started speaking out against Chinese industrial policies, Wen stole e-mails containing discussions among union leaders, the indictment says.
Meanwhile, SolarWorld had brought trade cases accusing Chinese companies of selling solar panels below cost, decimating their rivals. One day in 2012, a phone rang at its offices in Camarillo, California. It was the FBI calling, saying that agents had discovered e-mails stolen from the company, says Ben Santarris, its U.S. spokesman. In a sign of just how bad cybersecurity is, “there was no inkling this was going on until we got the phone call,” he says. Only when the indictment was unsealed in May 2014 did the company learn the full scope of the alleged theft. “There was access to trade-case strategy, company financials, costs, profit-and-loss statements, technology road maps, R&D, and so on,” Santarris says. Ultimately the company won its cases, securing duties on imports of solar equipment from China. During the trade dispute, “we were observing very tight controls over who gets to see what information,” he says. “At the time we were doing that, according to the FBI, the Chinese military was coming in the back door.”
Take it down
The failure of the companies’ supposed security technologies was stupefying. Lance Wyatt, the IT director for the steelworkers’ union, thought he ran a tight ship. An IT audit in 2010 had found no major deficiencies. His e-mail server screened all incoming messages for attachments that contained executable code. He had the latest antivirus software. His network checked IP addresses to avoid sites that contained malware. Yet Wyatt and the FBI eventually found infected computers, one of them used by the union’s travel manager. “None of those machines were on our radar as being infected or suspect,” he says.
According to the indictment, the hackers had various means of disguise. For one thing, they allegedly sent malicious e-mail into companies and the union from hop points—intermediate computers, including one in Kansas, that were under their control. Second, they skillfully manipulated the Internet’s system for naming computer addresses. The hackers set up domain names such as “arrowservice.net” and “purpledaily.com” and programmed malware on the corporate victim computers to contact them. Then the spies could continually change the computer addresses to which the domain names connected. When it was daytime in Shanghai and nighttime in Pittsburgh, the indictment says, they’d set a domain name to connect to hop-point computers and conduct espionage. When the Shanghai workday was done, the hackers would set the address to connect to innocuous sites such as Yahoo pages.
It’s not a surprise that such systems are relatively easy to co-opt for nefarious purposes. Ideas for making the Internet more secure have been around for decades, and academic and government labs have churned out interesting proposals. Yet very few of these ideas have been implemented; they require broad-based adoption and possibly trade-offs in network performance. “You don’t hear about rebuilding the Internet anymore,” says Greg Shannon, chief scientist at the CERT division of Carnegie Mellon’s Software Engineering Institute.
What’s a company to do? Wyatt tightened things at United Steelworkers; among other things, he now gives fewer employees so-called administrative privileges to their computers, and he searches the network for the telltale signs of communications by malware. But none of this would have prevented the intrusions. Wyatt says it “might have slowed them down.”
The best option, then, could be to get sensitive data off the Internet entirely. There are downsides to that: if e-mail is not used as freely, or a database is offline, keeping up with the latest versions of reports or other data could be more time-consuming. But as Gligor says: “We must pay the cost of security, which is inconvenience. We need to add a little inconvenience for us to make things much harder for the remote attacker. The way to do that is to—how should I put it?—occasionally go offline.”
After all, more attacks like the ones in Pittsburgh are still occurring. “This indictment,” Hickton says, “does not represent the full number of hackers, full number of victims, or full number of defendants.”