Malware broker behind US hacks now teaching computer skills in China


LONDON/SHANGHAI: A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on internet security.

Yu Pingan, who spent 18 months in a San Diego federal detention centre, had pleaded guilty to conspiracy to commit computer hacking. A high school instructor, he had been arrested at Los Angeles International Airport in August 2017 upon arriving with a group of teachers to observe a US university. A Reuters reporter found him teaching at his old school here last month.

Yu was sentenced by a federal judge in February to time served and allowed to return to China. The victims of the hacking conspiracy included microchip supplier Qualcomm Inc, aerospace and defence firm Pacific Scientific Energetic Materials Co, and gaming company Riot Games, according to the judgment. Exactly what was stolen in the computer breaches wasn’t disclosed in public court filings.

Qualcomm declined to comment. A Riot Games spokesman said the company lost no data. Pacific Scientific didn’t respond to requests for comment.

Yu specializes in computer network security and programming, according to court records. The malware he provided in the conspiracy included a rare software tool called Sakula that granted hackers remote control over computers. It’s unclear who authored the malware or how Yu obtained it.

Sakula has been linked to some of the most notorious cyberattacks of the decade. In addition to the intrusions detailed in the case against Yu, these include hacks of US health insurer Anthem Inc, where millions of patient records were exposed, and the US Office of Personnel Management, in which the personal information of millions of current and former US government employees and contractors was compromised. Yu wasn’t accused of involvement in those two breaches.

His prosecution was one of a series of criminal cases against Chinese nationals Washington has brought in recent years, in response to what the Americans say is a concerted campaign by China’s military and security ministry to steal technology from Western companies.

In another case involving Sakula malware, the US last year alleged that two Chinese intelligence officers and a team of recruited hackers repeatedly intruded into Western companies’ computer systems for more than five years.

Many of the Chinese defendants in the series of hacking cases haven’t been apprehended. Yu is one of the few alleged Chinese hackers to have been arrested and convicted in the US crackdown.

In addition to jail time, Yu was ordered to pay nearly $1.1 million in restitution to five companies that were victims of the hacking. The fine was to be paid in instalments of $100 a month, with no interest, according to the judgment. The payment schedule would take more than 900 years to complete.

Jeremy Warren, a San Diego criminal defence attorney who represented Yu, said, “With a Chinese national, a schoolteacher, there’s no real expectation of payment.”

Yu’s 18 months in federal prison, he said, was no “walk in the park.”

China’s Ministry of Foreign Affairs said it had “no understanding” of the Yu case. “We resolutely oppose any type of cyberattack, and we investigate and crackdown on any cyberattack occurring inside China or making use of Chinese internet infrastructure,” the ministry spokesperson’s office said.

The ministry added that it had no knowledge of other cases alleging Chinese hacking of U.S. companies, and it accused Washington of displaying a “cold war mentality” in its tech-related prosecutions.

Yu, according to court filings by US prosecutors, went by the nickname “Goldsun.” He was accused of conspiring with other Chinese individuals to use malware to hack into the computer networks of companies in the US and elsewhere.

An affidavit from the Federal Bureau of Investigation Special Agent Adam James alleged that Yu provided Sakula and other malware used in the case. Citing seized communications between Yu and two unindicted co-conspirators, James alleged that Yu had installed “an unauthorized backdoor” on an unidentified company’s computer network to gain remote access.

The conspirators’ cyber intrusions included so-called “watering hole attacks,” in which malicious software infects the computers of visitors to compromised websites. “This is akin to a predator waiting to ambush prey at the location the prey goes to drink water,” a court document stated.


Please enter your comment!
Please enter your name here