The Latest Chinese Hacking Story: Bots within Bots

Because the press tends to report what the government wants it to on indictments of Chinese hackers, rather than what they’ve really indicted, I wanted to look closely at the case against three Chinese nationals accused — per the news reports — of engaging in insider trading. Here’s how Reuters describes the case against Iat Hong, Bo Zheng, and Chin Hung.

> Three Chinese citizens have been criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of law firms working on mergers, U.S. prosecutors said on Tuesday.
>
> Iat Hong of Macau, Bo Zheng of Changsha, China, and Chin Hung of Macau were charged in an indictment filed in Manhattan federal court with conspiracy, insider trading, wire fraud and computer intrusion.
>
> Prosecutors said the men made more than $4 million by placing trades in at least five company stocks based on inside information from unnamed law firms, including about deals involving Intel Corp and Pitney Bowes Inc.

The indictment does, indeed, accuse the three men of hacking (probably by phishing) into a number of law firms — definitely Cravath Swaine & Moore and probably Weil Gotshal — to steal information on upcoming mergers and acquisitions. The indictment focuses on the contemplated acquisitions of Intermune, of Altera by Intel, and of Borderfree by Pitney Bowes.

Note the indictment never says who was trying to buy Intermune (that is, who the M&A customer of the law firm was). Indeed, in actuality that customer never bought Intermune; Roche did.

That is, for this one transaction, the insider information didn’t necessarily help, because the best information would have involved hacking Roche’s firm.

Other potential buyers of Intermune listed in what may be an article cited in the indictment were Sanofi, Actelion, and GlaxoSmithKline.

That’s not all that big a deal. The indictment at least alleges insider trading accomplished after hacking the lawyers advising on the deals.

Though note that M&A information may not be the only thing to find at the target firms. Christine Varney is the Cravath partner overseeing AT&T’s purchase of Time Warner. That deal was first announced on October 22. This indictment was actually dated October 13 and the first item in the docket dates to June. There would be far more interesting information to some entities, including the Chinese state, about a merger involving AT&T that would reside on Cravath’s servers than offering prices, especially given Varney’s close ties to government. That merger necessarily deals with communications policy, up to and including certain surveillance agreements. One would assume the FBI wouldn’t let Cravath continue to be hacked after the first discovery of this (though John Podesta would argue differently); but if someone like Varney were targeted, there would be far more interesting information than just deal terms.

That said, the detail I found particularly interesting is the way the indictment alleges intellectual property theft. On top of being traders hacking for insider trading information, the indictment claims, the defendants also ran a robotics start-up.

And in addition to stealing information from M&A law firms, the indictment claims the defendants also stole information from a US and a Taiwanese firm involved in robotics.

Indeed, the indictment claims that the defendants were stealing key intellectual property from competitors, from the very beginning of the charged period.

This is interesting to me for several reasons. First, as I have noted, the government likes to claim a Pittsburgh indictment involves IP theft, but in reality, the indictment mostly charges the theft of information pertaining to negotiations, something the US does as well. The sole exception is the theft of nuclear reactor information between companies that already had an information sharing deal.

But also note the timing laid out in the indictment gets awfully vague when it describes the end of the theft of IP. “Late 2015” might or might not be sometime after Obama got Xi Jinping to agree to cut down on the hacking of the US in September 2015.

The US has generally played up any possible instance of IP theft involving Chinese nationals. That’s not what happened here. Instead, this is a story about insider trading theft.

Which brings me to one other interesting passage from the indictment, which explains how the defendants tried to hack a bunch of other law firms.

Here, the indictment does list an end date: September 2015, the same month Obama and Xi reached their agreement.

What follows that accusation is a list of five more victim law firms the defendants allegedly tried to hack. All the attempted hacks listed took place on March 31, April 3, or April 6, 2015 (so nowhere close to September). Because the information is attempt-focused, it might not derive from the targeted law firms (though it could come from a contractor who worked with multiple law firms), but from an attack point.

In any case, thus far this indictment has been spun as another of Preet Bharara’s insider trading indictments. But there may be more here.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

5 replies
  1. JM says:

    “That is, for this one transaction, the insider information [concerning Intermune] didn’t necessarily help, because the best information would have involved hacking Roche’s firm.”
    True, but it seems the information did in fact help, by alerting the hackers to the fact Intermune was an M&A target. So a relatively small point: why do you conclude “didn’t necessarily help” when definitely helped seems more correct?
    Plus the bet the hackers took in the case of Intermune doesn’t seem all that big relative to the financial resources they appear to have: Approx. $1.2 million spent to acquire 18,000 shares before the $19/share gain. So it seems hacked M&A target info, timing & a relatively small investment (hence little risk) probably convinced (helped) the hackers to go for it.

  2. Hieronymus Howard says:

    > What do you think are the implications of that? If any?

    The reply thing up there doesn’t work.

    There aren’t any implications beyond that a typo gets fixed (or doesn’t). Don’t know if you’re making an objection to my comment or lampooning me or what. Whateva.
