By Nick Keppler, Karen Freifeld and John Walcott
PITTSBURGH, Pa./NEW YORK/WASHINGTON (Reuters) – U.S. prosecutors have charged three Chinese nationals affiliated with a cyber security company in China with hacking into Siemens AG, Trimble Inc and Moody’s Analytics to steal business secrets.
An indictment unsealed on Monday in federal court in Pittsburgh, Pennsylvania, charged the three with launching “coordinated and unauthorized” cyber attacks between 2011 and 2017.
The defendants were identified as Wu Yingzhuo, Dong Hao and Xia Lei. The indictment said they were owners, employees and associates of Guangzhou Bo Yu Information Technology Company Ltd, a firm located in Guangzhou, in southern China, that offers cyber security services.
Two U.S. government officials told Reuters that Guangzhou Bo Yu, also known as Boyusec, is affiliated with China’s People’s Liberation Army Unit 61398, and that most if not all its hacking operations are state-sponsored and directed.
Chinese foreign ministry spokesman Geng Shuang told a regular press briefing on Tuesday that he was unclear on the details of the case but added that China opposes hacking and wants to work with other countries to ensure global security.
“China firmly opposes and responds in accordance with the law to all forms of cyber attacks,” Geng said.
U.S. prosecutors in Pittsburgh in May 2014 indicted five officers from the secretive Unit 61398 on charges of hacking into U.S. nuclear, metal and solar firms to steal trade secrets. The indictments prompted warnings from Beijing that it would retaliate if Washington followed through with the charges.
The acting U.S. attorney for Western Pennsylvania, Soo C. Song, said arrest warrants had been issued for the three men, but the case was not being prosecuted as state-sponsored hacking.
“It is not an element or subject of this indictment that there is state sponsorship,” Song said. However, the Justice Department’s National Security Division participated in the case, according to the indictment.
The hackers monitored email correspondence of an unidentified Moody’s economist; stole data from transportation, technology and energy units at Siemens; and targeted Trimble as it developed a new and more precise global navigation satellite system, the indictment said.
Siemens, based in Munich, Germany, is a technology company with interests in electrification, automation and digitalization. Trimble, based in Sunnyvale, California, provides technology for a range of industries.
Moody’s Analytics, part of New York-based Moody’s Corp, provides products and services for financial analysis and risk management.
Trimble’s advances in geolocation and Siemens’ work in guidance and navigation are of interest to the Chinese for internal security and military purposes, as well as commercial ones, according to one of the officials, who declined to be named because some details of the case remain classified.
“Gleaning precise locations from mobile phones and other devices is valuable to the Ministry of State Security for monitoring dissidents as well as foreigners,” the official said. “Overseas, it can be valuable to keep track of where your own people are going, as well as keeping track of foreigners’ movements, whether they’re government or commercial.”
The official said that data collected by Moody’s could be used to help identify businesses and people that might be vulnerable to commercial or government exploitation, blackmail or bribery.
Representatives for the three defendants and the Chinese company could not immediately be identified to seek comment on the charges.
The company’s website was down on Tuesday. An archived copy of the site from 2016 listed Chinese telecommunications and technology company Huawei as a partner.
A Huawei spokesman said the indictment had nothing to do with the Shenzhen-based company. “The issue has no relation to Huawei,” the spokesman said.
The indictment was filed in September, and the Chinese government has been aware of it, prosecutors said.
In 2015, then-U.S. President Barack Obama and Chinese President Xi Jinping reached an agreement prohibiting both countries from stealing intellectual property for the benefit of domestic firms. The U.S. officials said classified intelligence indicates that Chinese hackers recently have begun violating the deal more frequently.
The hacking group described in the indictment has been active since 2007, said Adam Meyers, a researcher with cyber firm CrowdStrike.
The group, known to some cyber researchers as “Gothic Panda,” was active as of September, Meyers said. It has targeted aerospace and defense, chemical, energy, financial, healthcare, industrial and transportation firms in Britain, France, Hong Kong, the United States and other western nations, he said.
Trimble said no client data was breached in the hack.
“Trimble responded to the incident and concluded that there is no meaningful impact on its business,” the company said in a statement.
A Siemens representative declined comment on the details of the hack, saying the company does not discuss “internal security matters.”
A Moody’s spokesman said the firm worked closely with investigators, and “to our knowledge, no confidential customer data or other personal employee information was compromised.”
(Reporting by Nick Keppler in Pittsburgh and Karen Freifeld in New York; Additional reporting by David Alexander in Washington, Georgina Prodhan in London, Christian Shepherd in Beijing and Jeremy Wagstaff in Singapore; Writing by Jim Finkle in Toronto; editing by Grant McCool and Raju Gopalakrishnan)