Five Chinese men indicted for stealing thousands of e-mails and documents from U.S. companies had classic hacker nicknames. Yet one thing made them different: their clock-punching day jobs.
Known by handles including UglyGorilla, WinXYHappy and KandyGoo, they worked from 8 a.m. to 6 p.m. with scheduled two-hour lunch breaks, according to a report by online security company FireEye Inc. Rarely working on weekends, the Shanghai-based team acted more like public servants than the stereotype of basement-dwelling loners working around the clock.
For about eight years, the group hacked into U.S. companies including Alcoa Inc., United States Steel Corp. and Westinghouse Electric Co. to steal “sensitive, internal communications,” the Department of Justice alleges. The hackers, all officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army, logged standard Chinese hours, rarely did overtime and almost never worked past midnight, according to FireEye research.
“They do treat it like a business, it’s not something that they treat like a hobby,” Bryce Boland, chief technology officer for Asia-Pacific at FireEye, said by phone. “They’re doing what they think of to be their job.”
The Justice Department charged Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui with economic espionage linked to computer hacking of American nuclear power, metals and solar companies.
The indictment, which was unsealed May 19, represents the first charges against a state actor for that type of hacking, U.S. Attorney General Eric Holder said in a statement.
The Chinese government rejected the charges as “absurd.”
Mandiant, a cybersecurity provider bought by FireEye in January, tracked connections made by members of Unit 61398 to the remote servers they used to hack into target networks.
The research showed a spike in logins at 8 a.m. and again at 2 p.m., when Chinese workers finish their lunch break. About 75 percent of connections took place between 8 a.m. and midday or from 2 p.m. to 6 p.m., FireEye said in a blog post.
About 98 percent of logins took place on weekdays and 1.2 percent occurred in the period between midnight and 7 a.m. China time, FireEye said.
Mandiant first identified a Chinese hacking group it called APT1 in February last year, saying it attacked at least 141 companies globally since 2006. The company’s data matches that of the Justice Department.