The three Chinese nationals, named as Wu Yingzhuo, Dong Hao and Xia Lei, are accused of conducting a series of “coordinated and unauthorised” cyber-attacks between 2011 and 2017. The three are owners, employees and associates of Guangzhou Bo Yu Information Technology Company Ltd, or Boyusec, a cyber-security firm located in Guangzhou, in southern China, according to the indictment.
Several reports from May 2017 connected Boyusec with the notorious cyber-espionage unit APT3, a hacking unit credited with a long string of attacks, compromises and thefts of IP. Also known as UPS, Gothic Panda, and TG-011, the group has been active since 2010, and has been tied to attacks all over the world, often in the US.
Chris Doman, security researcher, AlienVault, told SC Media UK: “It's not a surprise this indictment comes from the FBI's Pittsburgh office - they have been very aggressive at going after cyber-criminals. Much of the activity within the indictment dates back some time, and the group known as APT3 were outed earlier this year by independent researchers as Boyusec. Historically, they targeted a number of western defence contractors and aerospace companies. It's possible that they have continued attacks against the West but it's likely that the FBI are indicating they will go after people for historical activity regardless of location.”
“Once again, the Justice Department and the FBI have demonstrated that hackers around the world who are seeking to steal our companies' most sensitive and valuable information can and will be exposed and held accountable,” said Acting Assistant Attorney General Boente in a statement.
All three suspects remain at large and are believed to be residing in China.
NNT CTO, Mark Kedgley, CTO, NNT said: “It's an alarming reminder that all organisations represent a hacking target, whether for a calculated theft of intellectual property, or a more randomly targeted ransomware attack. It also shows that defences must be fit-for-purpose against subversive inside-man hacks and not just attacks on the network perimeter.
“Any change to system integrity – email rules, new accounts, file system activity – serves as an indicator of compromise, but organisations need to ensure they have the detection tools and the internal procedures to investigate thoroughly.”