Oct 15

Arrest of Chinese Hackers Not a First for U.S.

The Washington Post reported last week that the Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government, a move described as “an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions.” While this is a welcome and encouraging development, it is not the first time Beijing has arrested Chinese hackers in response to pressure from the U.S. government.

Image: Democracynow.org.

The action reported by The Post and other media outlets came shortly before Chinese President Xi Jinping’s state visit to Washington late last month. The hackers arrested had reportedly been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.

Although The Post has described this action as unprecedented, U.S. government cybercrime investigators have had success convincing Chinese authorities to take such actions in at least one other case previously.

In a report (PDF) presented to Congress on Feb. 29, 2012, the Office of Inspector General for the National Aeronautics and Space Administration (NASA) noted that a lengthy investigation into the cyber theft of sensitive technical data from its systems culminated in the arrest of a Chinese national in China.

“As a result of an OIG investigation and lengthy international coordination efforts, a Chinese national was detained in December 2010 by Chinese authorities for violations of Chinese Administrative Law,” NASA Inspector General Paul K. Martin told a House oversight committee. “This case resulted in the first confirmed detention of a Chinese national for hacking activity targeting U.S. Government agencies. Seven NASA systems, many containing export-restricted technical data, were compromised by the Chinese national.”

Many readers probably would not consider NASA when they think about U.S. federal agencies fighting cybercrime, but in truth NASA investigators have been behind some of the more effective and cutting-edge cybercrime investigations of the past decade. As I noted in my book — Spam Nation: The Inside Story of Organized Cybercrime – From Global Epidemic to Your Front Door — NASA officials were deeply involved in the investigations into both McColo and 3FN, now-defunct Internet service providers that ultimately were unplugged from the Internet by their peers after it became apparent how much cybercrime activity was emanating from these providers.

In one instance, NASA investigators traveled to Moscow to meet with Russian authorities in the planned arrest of Gugle (pronounced “Google”), a Russian man named Dmitry Nechvolod — one of the world’s top cybercriminals at the time and the co-founder of the Cutwail spam botnet code. Here’s a snippet from Spam Nation in which one of the cybercrime kingpins profiled in the book — a Russian man named Pavel Vrublevsky who employed Gugle to send spam and develop malicious software — actually warned his best henchman in advance that NASA investigators were coming.

“It was late 2010, and Vrublevsky had just called me and was excitedly relaying some intelligence that he’d gleaned from his network of law-enforcement contacts. He’d received word that cybercrime investigators with the U.S. National Aeronautics and Space Administration (NASA) were coming to Moscow to meet with Russian FSB agents. The NASA officials, who have guns and badges and just as much investigative authority as other U.S. law enforcement agencies, were coming to discuss cooperating with Russian authorities over an investigation into Nechvolod.”

“By that time, NASA investigators had connected the dots between Nechvolod and Gugle, and had been building a criminal case against him for allegedly infecting countless NASA computers with [his] malware.”

“The Americans came to Moscow trying to find the Cutwail owner, who goes by the nickname ‘Gugle,’” Vrublevsky told me excitedly and proudly in a phone interview, speaking of a man who was among the top spammers for [him]. “They got his nickname and even his real name correct, but they were never able to catch him. Honestly, I think someone warned him. You know, Brian, the corruption level in Russian law enforcement related to cybercrime is really quite high.”

The NASA OIG report referenced at the top of this story does not state whether the Chinese national arrested for allegedly hacking NASA systems ever stood trial to face the charges. NASA officials did not return calls seeking comment.

Whether this latest series of arrests is in fact a turning point in U.S.-Chinese cyber relations or just a ploy to delay sanctions promised by President Obama is anyone’s guess. As The Post notes, U.S. officials will likely be unconvinced unless those arrested are put on trial.

“Now, administration officials are watching to see if China will follow through with prosecutions,” wrote Ellen Nakashima and Adam Goldman. “A public trial is important not only because that would be consistent with established principles of criminal justice, but because it could discourage other would-be hackers and show that the arrests were not an empty gesture. Administration officials say they are not sure whether the arrests mark a deeper shift in China’s stance — or whether they were a short-term move to avoid getting hit by sanctions.”

According to the White House, at a recent state visit Presidents Xi and Obama agreed to work together to manage their nations’ differences on a number of topics, including cybersecurity. These highlights were taken verbatim from The White House’s own talking points on the subject:

“The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory. Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.”

“The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

“Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic.”

“The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue. The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States. This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side. As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests. Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.”


  1. If not unprecedented, then maybe there is an element of Catch & Release to it.

  2. The day after this agreement was announced, a server here only had 1000 attempted logins from Chinese subnets, reduced thanks to dynamic firewall rules.

    The agreement must be working.

  3. HA! I want to see someone making contact on a yearly basis with this crook, who should be cracking rocks in one of the northern portions of China. If Russia is adamant about leaving the hackers alone so the government can receive some kickbacks in some sort of fashion – I am sure the Russians and other countries enjoy the hundreds of millions of Bongo bucks that filter into their country.

    It tells me that MAYBE China still considers themselves losing face over this ordeal. I think it’s more of a situation where what the hacker did did not benefit the government enough, or there are issues between the individual and the government and the government simply decided to give the hacker the ultimate slap in the face by arresting him.

    People get locked away for decades in China for simple things that the government takes offense to. I bet the evidence was laid on the table and the government had no choice but to comply. It’s interesting to think what might have happened if the Chinese didn’t comply. Maybe we would have had an hour-long 60 Minutes style documentary that was broadcast worldwide with a lot of “governmental documented facts” – and maybe some propaganda as well.

    All this means is, they now understand how we can find out who these crooks are and how we found out. It MAY make them smarter and a lot harder to catch in future attacks.

    This seems very trivial to me in the long road of things. The damage is done. The material has been leaked and sold to the highest bidder. Sure, the info can be given back to us, but when the crooks end up rolling out the same – or better – devices, all we can do is shake our heads and wonder why we don’t cut the cord.

  4. Trust me, we don’t tell the Chinese how we found out (although Snowden did).

  5. In a forum they are linked to a number of Chinese buyers in exclusive closed forums. You should do a report on this group. Your notes have fallen far behind.


    • Quite how Krebs’ filters didn’t catch you, I don’t understand, but are you quite serious?

      Props for using a security blog to advertise, I guess?

  6. Hopefully he gets more of a sentence than that Lizard Squad twerp. Oh wait this is America we will put him in a hole for 25 years.

  7. Angelo Michaels

    How exactly does one go about data tracing/doxing these nasty criminals? Certain hotkeys? Websites? What tools are at the general public’s disposal? I’ve dealt with more of them than I wish I had with my business. Don’t be selfish with your wisdom, Mr. Krebs. Impressive is an understatement for your site, Brian. The gold standard website for journalists within the information security community indeed. Useful for future know-how. Thank you.