Last week, the Department of Justice (DOJ) announced the results of two significant cyber investigations. In United States v. Wang Dong, the first criminal case to be brought against known state actors, the government charged five Chinese military officials with hacking into the computers of a number of major U.S. companies, in order to steal information useful to their Chinese competitors. In the second case, United States v. Yucel, an organized group of hackers, including the founder of an organization known as "Blackshades," has been charged with marketing a sophisticated form of "malware," which enabled its users to spy on victims' computers and steal files and account information. In addition to reflecting the government's increasing focus and crackdown on cybercrime, both cases illustrate the pervasiveness and potentially severe consequences of cybersecurity threats and the importance of taking measures to guard against them.
DOJ Charges Chinese Officials with Hacking and Cyber Espionage
On May 19, 2014, the DOJ unsealed an indictment in the Western District of Pennsylvania charging five Chinese military officials with hacking into the computers of at least five prominent U.S. companies in the nuclear power, steel manufacturing and solar energy industries, as well as a major labor union. The indictment contains 31 charges against the five defendants, including conspiracy to commit computer fraud and abuse, aggravated identity theft, trade secret theft and economic espionage.
The indictment alleges that for approximately eight years, from at least 2006 until April 2014, the five defendants - alleged to be members of a Chinese cyber hacking military unit - successfully schemed to hack into the victims' computer systems to steal trade secrets that would be useful to the companies' competitors in China. Among other things, the defendants allegedly obtained confidential and proprietary design specifications of a U.S. company and the company's strategy for doing business with state-owned enterprises (SOEs) in China. The indictment alleges that the defendants stole thousands of sensitive internal communications, including privileged attorney-client communications, that would provide insight into the strategy and vulnerabilities of the Chinese entities' U.S. competitors.
The ways in which the defendants allegedly operated are strikingly straightforward and easily implemented. For example, a common tactic was "spearphishing," i.e., sending emails made to look like innocuous messages from colleagues and friends, but in fact carrying malware, in an attachment or hyperlink, that is installed surreptitiously. According to the indictment, one of the military hackers allegedly sent an email to several employees of a U.S. company using an account designed to impersonate a member of the company's board of directors, attaching a file disguised as the agenda for an upcoming board meeting. Once opened, this spearphishing email would install malware on the recipients' computers, enabling the hacker to steal the company's confidential and proprietary information, including nearly 3,000 email messages and 900 attachments.
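The impersonation described above (a sender account made to look like a board member, carrying an "agenda" attachment) is something an inbound mail filter can screen for. The following Python is an added example, not drawn from the indictment or from any product; the directory, addresses, sample messages and the Reply-To check are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: normalized display name -> addresses on file for that person.
PROTECTED = {"jane roe": {"jane.roe@example-corp.test"}}

# Constructed sample messages (reserved .test domains, placeholder attachment body).
SUSPECT = """\
From: "Roe, Jane" <jane.roe.board@mail-example.test>
To: staff@example-corp.test
Subject: Agenda for upcoming board meeting
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached agenda.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="agenda.zip"

(constructed placeholder, no real content)
--b1--
"""
LEGIT = "From: Jane Roe <jane.roe@example-corp.test>\nSubject: Agenda\n\nSee you Tuesday.\n"

def normalize(name):
    """Lower-case, collapse whitespace, and turn 'Last, First' into 'first last'."""
    name = " ".join(name.lower().split())
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    return name

def assess(raw):
    """Return a list of findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    known = PROTECTED.get(normalize(display))
    if known is not None and addr not in known:  # trusted name, unknown address
        findings.append("display-name-impersonation")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append("reply-to-domain-mismatch")  # replies diverted to another domain
    if findings and any(p.get_filename() for p in msg.walk()):
        findings.append("attachment-on-suspect-message")  # escalate only if already suspect
    return findings
```

Attachments alone are not flagged; the attachment finding only raises the priority of a message that already failed a sender check.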
Although these defendants are unlikely to stand trial in the U.S., the indictment, as noted, highlights the pervasiveness and seriousness of cybersecurity threats and the importance of ensuring that proper procedures are in place to maintain the confidentiality of sensitive company data and information. The case also reflects a willingness by U.S. companies who are victims to cooperate, and to be identified publicly as victims, in an investigation.
DOJ "Blackshades" Malware Takedown
Also on May 19, the U.S. Attorney's Office for the Southern District of New York announced charges against an organized group of hackers, including the founder of the organization known as "Blackshades." According to the indictment, these hackers have, since 2010, sold and distributed to thousands of people in more than 100 countries, a form of malware known as the Blackshades Remote Access Tool, or "RAT." RAT enabled its users to surreptitiously and remotely spy on victims through their own computers by activating the computers' web cameras. It also permitted users to steal files and personal account information, hack into social media accounts, and access documents, photos and computer files, all without the victim's knowledge. Using a tool known as a "file hijacker," RAT also enabled its users to encrypt or lock a victim's computer files, effectively holding the computer for ransom. RAT also contained "spreaders" that helped maximize the number of infections by using already-infected computers to spread to other computers. For example, RAT allowed users to send links to others via a victim's social media account, making it appear as if a legitimate message came from the initial victim, but which in reality would install the RAT on the next computer. The Blackshades RAT was available for purchase online for as little as $40.
Prosecutors charged five defendants, including Alex Yücel, co-creator of RAT and owner of the Blackshades organization. He was arrested in Moldova and is awaiting extradition. Yücel, who is charged with computer hacking, access device fraud and aggravated identity theft, allegedly operated Blackshades as a business with a corporate-like infrastructure and several paid employees, including a director of marketing, website developer, and a team of customer service representatives. Blackshades purportedly generated more than $350,000 in sales between September 2010 and April 2014. The government's investigation was aided by one of the co-creators of the Blackshades RAT, who agreed to cooperate after selling a copy of the malware to an undercover FBI agent.
The case is being prosecuted by the U.S. Attorney's Office's Complex Fraud and Cybercrime Unit, and signals a more aggressive effort to combat threats to cybersecurity. In a May 23, 2014 joint hearing before the House Counterterrorism and Intelligence and the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittees, FBI Assistant Director Joseph Demarest testified that cyber attacks are expected to "grow exponentially" and will continue to threaten privacy and cybersecurity for the foreseeable future: "[T]he frequency and impact of cyber attacks on our nation's private sector and government networks have increased dramatically in the past decade and are expected to grow exponentially."
The Blackshades charges similarly underscore the prevalence and availability of malicious software allowing even the most unsophisticated hacker to obtain malware easily and inexpensively. The case is a powerful reminder that companies must train employees and vendors concerning proper cybersecurity procedures and test the integrity of their systems on a regular basis.