Two Chinese government soldiers were part of a hacking conspiracy allegedly carried out by a Chinese resident of Canada to steal secrets relating to components of F-35s and other American warplanes, according to court-filed documents.
Prosecution "books of record," recently released by a Vancouver court following a request from The Globe and Mail, make explicit Chinese military ties that were not publicly alleged when this rare cyberespionage prosecution was launched in 2014.
The case centres on Su Bin, a 50-year-old Chinese aviation-industry entrepreneur residing in Vancouver, and the two unnamed "co-conspirators" revealed to be Chinese soldiers. Despite their military connection, it remains unclear whether the alleged scheme was state-sponsored, or whether the conspirators were essentially soldiers moonlighting to enrich themselves.
Prime Minister Justin Trudeau is considering a visit to China this spring to talk about free trade. In recent years, both U.S. President Barack Obama and former prime minister Stephen Harper have gone public with concerns about Chinese cyberespionage.
While most countries spy, China is feared to be in a class of its own when it comes to using hackers to steal military and commercial secrets. Four years ago, now-retired American spymaster Keith Alexander claimed that cybercrime costs the United States hundreds of billions of dollars each year.
In June, 2014, such fears were given a human face. That's when Canadian police arrested Mr. Su on a U.S. warrant that charged him with being part of an illegal hacking conspiracy. The ongoing extradition case against him relies on intercepted e-mail exchanges, where Mr. Su allegedly helped to focus the hacking efforts of the two Chinese co-conspirators.
The allegation is that the conspirators worked together to identify and raid secure databases belonging to U.S. military contractors who make jets for the Pentagon.
Mr. Su allegedly directed the two hackers toward the e-mail accounts of American aviation engineers whose accounts he felt to be worth breaking into; from there, the China-based hackers mined corporate networks for engineering manuals related to F-35, C-17 and F-22 military jets, documents show. During such breaches, the co-conspirators allegedly circled back to Mr. Su with long lists of files, to ask him what documents they should try to take.
The original U.S. charging documents released in 2014 mention the two "unindicted co-conspirators," but only as people "affiliated with multiple organizations and entities." No mention was then made of potential ties to China's People's Liberation Army (PLA).
Yet materials recently released to The Globe explicitly describe them as "two Chinese military officers." And U.S. authorities say they know this because they intercepted an e-mail attachment bearing a digital image of one co-conspirator's "Chinese military identification showing his photograph, name, rank, military unit, and year and month of birth." He is also said to have used certain "monikers or nicknames" within the Chinese military.
Other intercepted photos allegedly show the other conspirator's "Hong Kong identification" and a picture of him wearing a Chinese military uniform.
No names are revealed in the documents. It is not clear why U.S. prosecutors minimized the military connection at first, nor why they declined to lay charges against the two co-conspirators if their identities are known. "I'm going to decline to comment on the matter at this time, as the extradition proceeding is ongoing in Canada," said Thom Mrozek, a U.S. Justice Department spokesman.
Mr. Su's extradition hearing took place in Vancouver last July. According to news reports, Canadian Crown lawyers did refer in passing to the two co-conspirators as Chinese military officers, but gave no additional information. In September, a Canadian judge ordered Mr. Su extradited, but he remains in Vancouver pending an appeal to be heard later this year.
Most of the e-mails intercepted in the case were sent between 2009 and 2012. Some speak of bids to sell stolen data; at one point, Mr. Su allegedly tells his co-conspirators that it is hard to collect "big money." At another, he tells them a certain Chinese aviation company is likely "too stingy" to pay them much.
This illustrates how both profit and patriotism motivate spying done on China's behalf. Observers have long pointed out that Beijing leverages two types of hackers: squads of PLA soldiers whose full-time jobs are to hack away at the West's secrets, and also unaffiliated, arms-length hackers who sell their wares to Chinese firms. What the Su Bin prosecution suggests is that the soldiers and freelancers are, at times, the same people.
"The problem has always been the hackers seem to do the same work from 9 to 5, and then 5 to midnight when they got home," says Adam Segal, a New York-based scholar who is releasing a book next month called The Hacked World Order. "So it's very hard to very clearly say this guy is a freelancer, this guy is a PLA hacker. Sometimes they are doing it under the direction of the PLA, sometimes they are doing it as freelancers to make money."
Chinese hacking "is going to continue to be a big issue" in coming years, Mr. Segal says, despite a recent détente. In September, Chinese President Xi Jinping met with Mr. Obama, and the two nations publicly pledged to curtail cyber activities aimed at stealing commercial trade secrets. No mention was made, however, of the kinds of spying that aim to secure a military edge – or to blunt that of a potential adversary. (Such campaigns have been the prerogative of world leaders since antiquity. "Be subtle! Be subtle! And use your spies for every kind of business," was the advice philosopher Sun Tzu gave to kings 2,500 years ago.)
Mr. Su is not accused of being a hacker himself. But, according to the documents, engineers and executives with Boeing, Lockheed Martin and Airbus are preparing to testify that his e-mail trails show that he helped the Chinese hackers take bona fide engineering documents off secure servers; this work, they will say, essentially gave China a free ride on aspects of jet projects that cost the U.S. military billions to develop.
While the China-based hackers allegedly used a network of Internet "hop points" to hide the trail of the stolen data, Mr. Su himself appears to have violated some rudimentary Internet-secrecy principles.
For example, he allegedly talked to his co-conspirators using Gmail and Hotmail services based in the United States, services which U.S. federal agents readily searched once they got the warrants to do so. At one point, he allegedly e-mailed his conspirators a password for an encrypted document – saying that the password was his phone number, then going the extra step of typing out that phone number.
Mr. Su appears to have moved to Vancouver from Beijing only a short while before his arrest.
In 2012, The Wall Street Journal profiled Mr. Su as a resident of Beijing, describing him as an army officer's son who had become a multi-millionaire Chinese aerospace entrepreneur. Mr. Su was quoted as saying that he and his family were heading to Canada because he didn't like living under Chinese rule.
The newly released documents say Mr. Su carried a Canadian permanent resident card and also a business card saying he had worked as a project manager for a "test flight academy in Africa." Most of his other personal documentation described him as the founder of Lode Tech, a China-based company that bought and sold harness cables used in the aviation industry.
When Mr. Su was arrested in 2014, allegations of Chinese cyberespionage were front-page news. In Canada, Mr. Harper publicly alleged China had stolen secrets from the National Research Council in Ottawa. That same year, the U.S. Federal Bureau of Investigation criminally charged five alleged cyberspies from a dedicated PLA hacking group known as "Unit 61398."
In accusing that group of a distinct conspiracy to plunder data from U.S. corporations, the FBI went so far as to circulate wanted posters bearing the uniformed suspects' faces, while alleging they used online monikers such as "Ugly Gorilla" and "KandyGoo."
Should Mr. Su eventually be convicted in the U.S., his unnamed co-conspirators' military ties could stiffen any sentence against him. The newly released documents allege that passing stolen aviation data to "Chinese military officers located in China, or to third parties for intended sale to interested bidders, is prejudicial to the safety or interests of the United States."
Certification of Record of the Case for Prosecution (PDF)