Arrest of Chinese malware suspect highlights DOJ’s strategy against foreign hackers
The recent arrest of a Chinese national in connection with the development of high-profile malware serves to highlight the Justice Department’s modern and expansive efforts to prosecute foreign hackers in spite of extradition challenges, former U.S. officials told CyberScoop.
“I see this incident as part of a trend by DOJ to [go after] foreign actors that are aligned with governments,” said Joe Whitley, a former senior Justice Department official. “The issuance of warrants of arrest on these individuals can have a huge impact on alleged criminals who may find international travel and money transfers no longer available. Plus, there is a certain stigma that accompanies indictment [or criminal complaint].”
The Justice Department last week publicly released a criminal complaint alleging that Yu Pingan of Shanghai was involved in the creation and distribution of malware used to hack into multiple U.S. companies. The unique malware is known as “Sakula.” CNN reported that this same computer virus was used against the Office of Personnel Management, or OPM, as part of an operation that led to the now infamous breach of the agency in 2014.
The case appears significant, according to Edward McAndrew, a former federal cybercrime prosecutor in the U.S. Attorney’s Offices for the Eastern District of Virginia and for the District of Delaware, because of “the circumstantial theory of attribution and conspiracy laid out in the affidavit.”
Complaints need only establish probable cause, so there’s probably much more behind the scenes, explained McAndrew.
“This is an aggressive charging document based on the conduct attributed to Yu Pingan and others by online account subscriber records, limited electronic communications, and the overlapping use of the same or similar malware, other hacking tools and infrastructure in multiple attacks,” McAndrew said. “I presume that the government had a limited window of opportunity to get hands on Pingan, and this charging document was the result.”
It’s not clear if Yu worked with the Chinese government, which has been blamed for breaching OPM. Yu’s lawyer has denied that a connection exists between Yu and China’s intelligence community. The lawyer claims Yu is a teacher and not a spy.
Law enforcement agents arrested Yu last week while he was waiting for a flight at Los Angeles International Airport. A picture of Yu was published in the criminal complaint.
“The visual depiction of the defendant in the FBI affidavit is a first step toward making the alleged offender visible worldwide on the internet,” Whitley explained.
Although Yu is currently accused of violating the Computer Fraud and Abuse Act, or CFAA, in addition to conspiracy to defraud the United States, others charges could soon follow, said Marcus Christian, a former prosecutor at the U.S. Attorney’s Office for the Southern District of Florida.
“My main takeaway based upon the allegations in the complaint is that we should stay tuned for much more information,” Christian said. “This case provides more evidence that federal law enforcement agencies are working intently on cybercrime investigations, watching suspected individuals closely, and waiting for opportunities to arrest them.”
Based on his own interpretation of the criminal compliant, Christian said it appears as if the Justice Department is already in contact with other individuals who are familiar with Yu’s actions.
“I would describe this case as one that (1) is in its early stages, (2) alleges that an individual conspired with others from 2011 to 2014 to hack into several US companies, (3) involves alleged uncharged co-conspirators who apparently are cooperating with the government, (4) is the product of a long and ongoing investigation, and (5) is likely to continue to develop significantly before it is over,” Christina explained via email.
While the investigation into Yu’s dealings is likely still ongoing , the arrest itself should be considering a win for the Justice Department, McAndrew said.
“This is another great example of the DOJ’s patient, painstaking and aggressive effort to identify, pursue and prosecute foreign-based cybercriminals for rampant, digital looting of U.S. companies,” McAndrew told CyberScoop. “These investigations take a long time to develop, and many of them may never end up with a foreign cybercriminal in U.S. custody. It’s a major accomplishment every time one of these foreign cybercriminals lands in a U.S. courtroom. And it’s another illustration of the government’s focus on attacking the cybercriminal ecosystem that supplies the tools and infrastructure that others use to commit computer crimes.”
Adam Hickey, deputy assistant attorney general for the National Security Division, said earlier this year that there’s a “silver lining” in the fact that Russia’s Federal Security Service (FSB) relied on a pair of alleged cybercriminals to hack into Yahoo. Two contractors with cybercrime connections were among four individuals indicted in March by the Justice Department in a massive data breach that occurred at the internet company in 2014.
Hickey explained the reasoning behind his “silver lining” comment by telling an audience at a conference that cybercriminals are more likely to be arrested than intelligence officers. And these arrests can ultimately provide actionable information.
“It’s an advantage to us because those are individuals that are more willing to travel, they are more likely to be less opsec-savvy in certain respects compared to an intelligence officer and that matters because apprehending them can … give us that human intelligence into the state-sponsored hacking,” Hickey said in April. “That can be very, very valuable in supplementing all-source intelligence.”
Employing a freelancer to develop malware, as the recent criminal complaint against Yu appears to outline, could be one example of a nation state making a risky decision.
“You’re more vulnerable working with criminal hackers than not,” Hickey previously said. “There’s a reason to be concerned about blended threats but I also think that working with criminals or those who travel or those who are not sworn intelligence officers leaves your organization more vulnerable, because I see we can pick those people up, we can reach those people.”