{
	"id": "b95f0404-e25a-4718-848c-263229c8dfd8",
	"created_at": "2026-04-06T03:36:47.915482Z",
	"updated_at": "2026-04-10T03:32:24.105793Z",
	"deleted_at": null,
	"sha1_hash": "a9c4aaea6088e7a3cf8056dfe60131ee38c0a08c",
	"title": "DOJ reveals indictment against Chinese cyberspies that stole U.S. business secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37452,
	"plain_text": "DOJ reveals indictment against Chinese cyberspies that stole U.S.\r\nbusiness secrets\r\nBy Chris Bing\r\nPublished: 2017-11-27 · Archived: 2026-04-06 03:15:06 UTC\r\nA group of Chinese hackers recently indicted by the Department of Justice were involved in an international\r\ncyber-espionage operation connected to a foreign intelligence agency, security researchers tell CyberScoop.\r\nOn Monday, senior Justice Department officials announced eight relevant criminal charges against the Chinese\r\nhackers. Although the indictment was originally issued in September, it was sealed until Monday.\r\nThe criminal activity allegedly dates as far back as 2011.\r\nCourt documents describe that Chinese nationals Wu Yingzhuo, Dong Hao and Xia Lei hacked into and stole data\r\nfrom several American companies, including Siemens AG, Moody’s Analytics and GPS technology company\r\nTrimble. The trio worked together at a company named Boyusec, also known as the Guangzhou Bo Yu\r\nInformation Technology Co.\r\nBusiness registration records show that Wu and Dong are executives at Boyusec.\r\nConservative news outlet The Washington Free Beacon reported in November 2016 that Boyusec, which it\r\ndescribed as a Chinese cybersecurity firm, acts as a front for Beijing’s intelligence collection mission. 
Boyusec is\r\na technology contractor for China’s Ministry of State Security (MSS), according to The Free Beacon.\r\nOver the past several years, Wu and Dong have used their own names to register multiple dummy domains which\r\ndispensed malware.\r\nFurther technical review of Wu, Dong and Xia’s apparent intrusion techniques — which were extensively detailed\r\nby the FBI and Justice Department — now suggests the three Chinese nationals are likely affiliated with a known\r\nhacker group already identified by security researchers and labeled “APT3,” according to an analysis conducted\r\nby cybersecurity firms FireEye and Recorded Future.\r\n“We believe that the indicted individuals and Boyusec are linked to APT3,” said Ben Read, an analyst with\r\nFireEye.\r\nFireEye has stated that APT3 is “state-sponsored.”\r\nThe connection between the three Chinese nationals and APT3 underscores the thin border that divides China’s\r\ngovernment and private sector institutions, experts say. The indictment does not cite a connection between the\r\nsuspects and the Chinese government.\r\nChris Doman, a security analyst with AlienVault, told CyberScoop that APT3 is known for targeting western\r\ndefense contractors and American aerospace companies as well as domestic dissidents in Hong Kong. More\r\nrecently, the hackers have focused on the latter, said Doman.\r\nRecorded Future, another firm which has done significant research on APT3, said they too were confident that the\r\nindicted individuals are associated with Boyusec and that the Chinese security company is an extension of\r\nAPT3 —which in turn represents China’s MSS.\r\n“We have a high degree of confidence that APT3 is the MSS,” said Priscilla Moriuchi, director of strategic threat\r\ndevelopment at Recorded Future. 
“The use of this MSS front company, Boyusec, is emblematic of how the MSS\r\nconducts operations in both the human and cyber domains.”\r\nMoriuchi continued, “the MSS is composed of national, provincial, and local elements. Many of these elements,\r\nespecially at the provincial and local levels, include organizations with valid public missions to act as a cover for\r\nMSS intelligence operations. Some of these organizations include think tanks such as CICIR, while others include\r\nprovincial-level governments and local offices.”\r\nAPT3, which is also known as Gothic Panda, Pirpi or UPS by the cybersecurity community, is responsible for\r\nmore than 75 breaches that have occurred between mid-2005 and 2016.\r\nResearchers told CyberScoop that APT3 was hacking into victim networks as recently as September 2016, leading\r\nsome to believe the group may still be active today.\r\n“[The indictments] are important because this is the first set of indictments against Chinese actors since 2014, and\r\nthe first ever indictments against intelligence officers as opposed to military officers,” said Moriuchi.\r\nIn 2015, former U.S. President Barack Obama and current Chinese President Xi Jinping came to an agreement\r\nthat China would discontinue its use of hackers to steal intellectual property and other valuable data from\r\nAmerican companies.\r\nExperts generally agree that the 2015 truce has resulted in a substantial decline in such activity.\r\nIn a statement sent to CyberScoop, a Justice Department spokesperson said the department had little luck working\r\nwith the Chinese government to arrest or investigate those indicted.\r\n“As part of the October 2017 Law Enforcement and Cybersecurity Dialogue, the Department used the established\r\nmechanism to request China’s assistance in investigating and putting a stop to Boyusec’s activities,” the\r\nspokesperson said. “We received no meaningful response. 
Accordingly, at this stage, we have pursued every\r\navailable avenue to hold the actors accountable in this case and have determined that there is no longer a law\r\nenforcement justification to keep the charges under seal.  We will continue to press the Chinese government to\r\ntake steps to prevent this kind of behavior in the future and to hold the actors accountable under Chinese law.” \r\nThe spokesperson reiterated that the indictment did not state that the hackers were working on behalf of the\r\nChinese government.\r\nSource: https://www.cyberscoop.com/boyusec-china-doj-indictment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyberscoop.com/boyusec-china-doj-indictment/"
	],
	"report_names": [
		"boyusec-china-doj-indictment"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446607,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9c4aaea6088e7a3cf8056dfe60131ee38c0a08c.pdf",
		"text": "https://archive.orkl.eu/a9c4aaea6088e7a3cf8056dfe60131ee38c0a08c.txt",
		"img": "https://archive.orkl.eu/a9c4aaea6088e7a3cf8056dfe60131ee38c0a08c.jpg"
	}
}