Throwback Attack: Chinese military hackers hit multiple companies, including U.S. Steel


Trade disputes are not uncommon in a competitive marketplace, whether they’re between companies or economic superpowers. But in 2014, the U.S. Department of Justice (DOJ) charged five Chinese military hackers with taking their trade war a little too far by spying on several major corporations, including U.S. Steel, to gain a commercial advantage.

According to a release by the DOJ, a grand jury in the Western District of Pennsylvania indicted the hackers on 31 counts of conspiring to commit computer fraud and abuse; accessing a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain; transmitting a program, information, code or command with the intent to cause damage to protected computers; aggravated identity theft; economic espionage; and trade secret theft. The hacking took place from 2006 to 2014 and hit a number of major U.S. corporations, including Westinghouse, SolarWorld, U.S. Steel, Alcoa and the Service Workers International Union.

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” said then-U.S. Attorney General Eric Holder in the DOJ release. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global marketplace should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.”

The incursion into U.S. Steel occurred in 2010, when the company was participating in trade cases with Chinese steel companies. During that time, the hacking group sent spear-phishing emails to U.S. Steel employees, some of whom were in a division associated with the litigation. These emails ultimately resulted in the installation of malware on U.S. Steel computers. Shortly thereafter, the malicious actors stole hostnames and descriptions of U.S. Steel computers, including those that controlled physical access to company facilities and mobile device access to company networks. From there, they took steps to identify and exploit vulnerable servers on that list.

Cyberattacks like this have continued since, as trade wars have escalated between the U.S. and China during the last several years. It’s not limited to China, either. In April, the Biden administration formally blamed the recent SolarWinds attack on Russia’s intelligence service and imposed economic sanctions on the foreign power. While ransomware attacks may be getting most of the recent headlines, stealing trade secrets is always on the menu.

“We see lots of threads being pulled,” said Rick Peters, chief information security officer (CISO) of operational technology North America at Fortinet. “You could argue, ‘Well, sure, we see lots of phishing attacks and ransomware. That’s popular. Yeah, it looks like extortion might be top of mind.’ But the reality is what you’re really seeing with the majority of these efforts, if you peel them back and start to really study them, is industrial espionage. What they’re really after is that information, that intellectual capital, which is proprietary likely. It’s your secret sauce. It’s what you bake in. It’s your tradecraft. That’s really the value that they’re going to go after.”

Tensions further escalated in 2016, when U.S. Steel filed a trade complaint against China with the International Trade Commission alleging both price-fixing and cyber-espionage.

“The Chinese industry has used its government to steal U.S. Steel’s closely guarded trade secrets and uses those trade secrets to produce advanced steel products it could not make on its own,” read the complaint.

According to Ryan Heidorn, co-founder and managing partner at Steel Root, a national leader in helping U.S. government and defense contractors meet cybersecurity and compliance requirements, this kind of theft is rampant, which is why the federal government is taking actions like signing the recent cybersecurity executive order and implementing the Cybersecurity Maturity Model Certification (CMMC).

“If you look at things like China’s J-31 stealth fighter, it looks an awful lot like our F-35, and that’s because they literally stole the designs,” Heidorn said. “We have way too many examples of this, even public examples. When I talk on the subject, one of my favorite quotes comes from Ron Ross at NIST (the National Institute of Standards and Technology). … He puts it really bluntly. He says we’re literally hemorrhaging critical information.”

The indictment from 2014 alleges the defendants “conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs).” According to the DOJ, the conspirators stole trade secrets that would have been beneficial to Chinese companies as well as sensitive, internal communications that “would provide competitors, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”

“For too long, the Chinese government has blatantly sought to use cyber-espionage to obtain economic advantage for its state-owned industries,” said then-FBI Director James B. Comey. “The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber-espionage from all sources.”