Chinese spy left tracks with his hacks

Prosecutors building a case against Wang Dong, one of five Chinese military hackers indicted this week for economic espionage, were helped by Wang’s apparent willingness to break a cardinal rule of spying: Leave no tracks.

Known as UglyGorilla, Wang is a pun-making hacker who left a string of clues dating back years, according to several security professionals who have pursued him. He became famous in counterintelligence circles as China’s most flamboyant hacker, as he seeded malicious code with his handle and left the initials “UG” in the logs of thousands of compromised computers.

This week, the U.S. Justice Department unveiled the indictment of the People’s Liberation Army officers it says broke into computers at five U.S. companies, including Westinghouse Electric Co. and United States Steel Corp., to steal trade secrets and other information.

Among those indicted was a hacker the prosecutors identified as Wang, also known as UglyGorilla -- the first time the government had linked the two names. The indictment offered little other information on Wang. Yet to cybersecurity experts, the indictment merely cast a public spotlight on a hacker who for years had left a trail that was obvious to those more accustomed to scrutinizing wisps of digital information for clues.

Nuclear Hack

“When the indictment came out, my wife asked me if I knew this UglyGorilla guy,” said Adam Meyers, who first encountered China’s cyber spies as a security specialist at the U.S. State Department. “I told her, ‘I’ve known him longer than I’ve known you,’” said Meyers, who celebrates his three-year wedding anniversary next week.

The U.S. indictment focuses on a narrow set of cases, including the theft of plans for a next-generation nuclear power plant from Westinghouse. Wang gained unauthorized access to at least one U.S. Steel computer in February 2010, and from there stole a virtual map -- host names and descriptions -- of more than 1,700 of the company’s computers, prosecutors allege.

Courtney Boone, a spokeswoman for Pittsburgh-based U.S. Steel, referred questions to the Justice Department. Westinghouse declined to comment.

UglyGorilla’s activities are likely much broader, according to cybersecurity experts, who link him to hundreds of intrusions. Those include missions to steal technical details of valuable American technology, obtain data on deals U.S. companies were doing with Chinese counterparts, and, in 2011, wage a campaign to breach the security of U.S. nuclear power plants, according to commercial forensics reports and investigators who examined those attacks.

“Fabricated Facts”

China’s foreign ministry said the May 19 indictment was based on “intentionally fabricated facts,” and publicly summoned U.S. Ambassador Max Baucus to the ministry that day for a scolding.

The indictment contains what appear to be the first photographs of the five People’s Liberation Army hackers published in the U.S. The images include a shot of an unsmiling Wang wearing rimless glasses that could be an ID photo or cropped from an official group portrait.

Based on posts from Chinese online bulletin boards and social-media accounts, Wang is 37 years old and may have attended Shanghai’s elite Jiaotong University, which has a strong computer-science department, investigators said in interviews.

Chinese Defense Ministry officials, when contacted today, asked that a request for comment be submitted by fax. They didn’t immediately respond.


Copyright 2014 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
