SEP 13 2017

IN THE UNITED STATES DISTRICT COURT

FOR THE WESTERN DISTRICT OF US. DISTRICT COURT
MST. 0131?. OF 

a/k/a ?Dong Shi Ye?
a/k/a ?Tianyu,?

XIA LEI
a/k/a ?Sui Feng Yan Mic?

UNDER SEAL

UNITED STATES OF AMERICA 
Criminal No. [7 7
v. 

18 U.S.C. 1030(a)(2)(C), 1030(a)(5)(A),
WU YIN GZHUO 1030(b)
a/k/a 18 U.S.C. 1832(a)(1), 1832(a)(2),
a/k/a ?Christ Wu? 1832(a)(5)
a/k/a ?wyz? 18 U.S.C. 1343
DONG HAO 18 U.S.C. 1028A
a/k/a ?Bu Yi? 





INDICTMENT

The grand jury charges:
1. At all times relevant to the indictment:
BOY USEC
a. The defendants vvere Owners, employees and associates of the Guangzhou
Bo Yu Information Technology Company Limited (hereinafter ??Boyusec?).
b. Boyusec purported to be a Chinese cybersecurity ?rm located at 1103 West
Tower, Huapu Plaza, Number 9, Huaming Road, Pearl River New City, Tianhe District,
Guangzhou, Guangdong Province, China.
0. According to its website, Boyusec provided
cybersecurity services for Chinese companies, including ?Information Security and Testing,?
?Software Development and Testing,? and ?Data Analysis,? in partnership with a large Chinese

telecommunications company and another cybersecurity center in Guangdong Province.

 

d. In or around November 2013, Boyusec was registered as a limited liability

company with the Tianhe Branch of the Guangzhou Administration for Industry and Commerce.
THE DEFENDAN TS

6. Defendant WU YINGZHUO was a resident of Guangzhou and
used the aliases ?Christ wu,? and ?wyz.? WU was a founding member and equity
shareholder of Boyusec.

f. Defendant DONG HAO was a resident of Guangzhou and used
the aliases ?Bu Yi,? ?Dong Shi Ye,? and ?Tianyu.? DONG was a founding member, equity
shareholder of Boyusec, and held the title of ?Executive Director and Manager?of Boyusec.

g. Defendant XIA LEI was a resident of Guangzhou and used the
alias ?Sui Feng Yan Mie.? XIA was an employee of Boyusec.

THE US. VICTIMS

h. Moody?s Analytics was an economic analysis. firm which provided
financial and economic services. Moody?s Analytics employs economists, modelers and
statisticians and primarily serves asset managers, banks, corporations, and insurers. Specifically,
Moody?s Analytics provided tools and information for measuring and managing risk through its
expertise in credit analysis, economic research, and ?nancial risk management. Moody?s
Analytics is headquartered in New York, New York.

i. Siemens AG (?Siemens?) is a multinational manufacturing and electronics
conglomerate, specializing in ?nancial services, building technologies, mobility operations,
healthcare, transportation, digitalization, power generation, power systems, and energy
management. Siemens employs over 375,000 employees located in over 200 countries.
Siemens is headquartered in Germany and had of?ces located in the Western District of



j. Trimble Inc, formerly known as Trimble Navigation Limited (?Trimble?),
is a manufacturer, developer, and provider of geospatial positioning technology, including Global
Positioning System (GPS) and Global Navigation Satellite Systems (GNSS) technology and
related software and services, which are used in a variety of commercial industries, including the
construction, land survey, and agricultural sectors. Trimble?s products are sold and used in over
150 countries around the world. Trimble?s innovations in positioning technology have resulted in
over 1,200 patents. Trimble is headquartered in Sunnyvale, California.

COUNT ONE
(Conspiracy to Commit Computer Fraud and Abuse)

2. Beginning no later than 2011, and continuing until at least May 2017, in the
Western District of and elsewhere, the defendants,

WU YIN GZHUO
a/k/a 
a/k/a ?Christ Wu?
a/k/a ?wyz?
DONG HAO
a/k/a ?Bu Yi?
a/k/a ?Dong Shi Ye?
a/k/a ?Tianyu,? and
XIA LEI
a/k/a ?Sui Feng Yan Mie?

did knowingly and willfully conspire and agree together, with each other, and with others known
and unknown to the grand jury, to commit computer fraud and abuse, namely:

a) to access computers without authorization and exceed authorized access to
computers, and to obtain thereby information from protected computers, for the purpose of
commercial advantage and private ?nancial gain, in furtherance of a criminal and tortious act in
violation of the laws of the Commonwealth of namely, the common law tort of

Invasion of Privacy, and where the value of the information did, and would if completed, exceed

$5,000, in violation of Title 18, United States Code, Sections 1030(a)(2)(C) and
and

b) to cause the transmission of programs, codes, and commands, and as a
result of such conduct, to cause damage without authorization to protected computers and where
the offense did cause and would, if completed, have caused, lo'ss aggregating $5,000 in value to at
least one person, during a one-year period from a related course of conduct affecting a protected
computer, and damage affecting at least 10 protected computers during a one-year period, in
Violation of Title 18, United States Code, Sections 1030(a)(5)(A) and 103 

MANNER AND MEANS OF THE CONSPIRACY

3. It was part of the conspiracy that defendants WU, DONG, XIA, and others known
and unknown to the grand jury (collectively, ?the cc?conspirators?), agreed to participate in
coordinated, and unauthorized targeted cyber-intrusions against businesses and entities, operating
in the United States and elsewhere, in order to steal con?dential business information and
intentionally cause damage to those Victims? computer systems.

4. The co-conspirators exploited vulnerabilities in computer systems or used
malware, or malicious code to obtain and maintain unauthorized access into computers in order to
steal hundreds of gigabytes of data, including con?dential business and commercial information,
work product, and sensitive victim employee information, such as usernames and passwords.

5. The co-conspirators attempted to hide their true identities and location by using
aliases and intermediary computer servers known as ?hop points.? The co?conspirators
compromised the hop points, which were private computer networks owned by third parties, and
used these networks without authorization. By using the hop points, the co-conspirators
misrepresented their true Internet Protocol addresses, location, and identities to the victims

and used the hop points for the purpose of identifying, collecting, packaging, and stealing data

from the victims. In order to thwart identi?cation, the co-conspirators also used aliases when
registering for online communications services.
SPEARPHISHIN EAMILS

6. The co-conspirators used spearphishing campaigns to gain unauthorized access to
the computer networks of US. and foreign businesses. The conspirators sent, and caused to be
sent, spearphishing emails to computers located in the Western District of and
around the world.

7. The spearphishing emails misrepresented the identity of the sender, the subject
matter of the email, and nature of any links or ?les contained within or attached to the email. In
fact, many of the emails contained fraudulent links to either computer ?les that contained
malware that provided unauthorized access to the recipient?s computer (known as a ?backdoor?),
thereby allowing the co?conspirators to bypass normal authentication procedures on the recipient?s
computer; or servers? software designed to scan for vulnerabilities on the computers that
connect to them.

WARE

8. The co?conspirators used different types of customized malware to gain and
maintain unauthorized access into the computer networks. In order to initially access the Victims?
networks, the co?conspirators typically used a backdoor designed to bypass the Victims? security
systems and ?rewalls. The co-conspirators also commonly used malware referred to as ?ups? and
?exeproxy? (collectively ?the UPS Backdoor Malware?) to remotely access and control infected
computers within the victims? networks. Speci?cally, the co-conspirators used multiple versions
of UPS Backdoor Malware to misrepresent their status as authorized users of the Victims?
computers in order to issue commands to search, identify, copy, package and steal data stored on

such computers.

CONCEALMENT

9. Beginning no later than 2013, and during their employment at Boyusec, defendants
WU, DONG, XIA and others, known and unknown to the grand jury, worked together to conduct
targeted cyberattacks against US. and foreign businesses which had never retained Boyusec for
any services or otherwise authorized access into their computer networks.

10. Defendants WU, DONG, and XIA shared access to common hop points in order to
conceal their identities, location, and af?liation with Boyusec during the course of their
cyberattacks.

11. Defendants WU and DONG used stolen network credentials to conceal their
unauthorized access to victim computer networks from the victims? security measures.

TARGETED ATTACKS OF US. BUSINESSES

Moody?s Analytics

 

12. In 2005, Moody?s Analytics purchased an economic analytics company that
employed an in?uential economist who had expertise in macroeconomics and the housing ?nance
sector (?Employee Employee A became a public ?gure in the industry and was viewed by
Moody?s Analytics as a branding asset. Employee A commonly appeared on national TV and in
newspapers with large circulations.

13. Beginning no later than 2011, the co?conspirators placed a forwarding rule on a
Moody?s Analytics email server directing all of Employee A?s incoming emails to forward to
co-conspirator-controlled web-based email accounts (?the Fraudulent Email Accounts?).

14. Between June 21, 2013 and January 31, 2014, defendant XIA accessed a
Fraudulent Email Account and its contents. These emails contained, among other things,
Employee A?s communications, which contained proprietary and con?dential economic analyses,

?ndings, and opinions.

Siemens

15. In 2014, Siemens was an international conglomerate servicing multiple industry-
sectors, including ?nancial services, building technologies, mobility operations, healthcare,
transportation, digitalization, power generation, power systems, and energy management.

16. In May and June 2014, the co-conspirators used hop points to target and gain
unauthorized access to Siemens? computer networks for the purpose of obtaining and using
Siemens employees? usernames and passwords and to steal proprietary commercial data.

17. In June 2014, defendant DONG accessed the Siemens? computer network, in the
Western District of and elsewhere, using UPS Backdoor Malware, and ex?ltrated
computer password information known as ?hashes.? I

18. From approximately June 2015 to August 2015, the conspirators removed
approximately 407GB of data from Siemens?s network. The data included ?les and data created by
Siemens? energy, technology, and transportation businesses.

rm

19. In 2015 and 2016, Trimble was engaged in the development of a new GNSS
product that combined software with a relatively low cost antenna to significantly improve the
positioning accuracy of mobile devices, including tablets and mobile telephones (?the Commercial
GNSS Project?). The Commercial GNSS Project allowed Trimble customers to receive and
process GNSS satellite signals, and data from Trimble?s subscription corrections services.
Using the data received from the GNSS satellites and Trimble?s proprietary corrections services,
1 users could obtain high precision position accuracy up to a few centimeters in a cost effective
manner. Trimble?s targeted customer markets for the Commercial GNSS Project were, among
others, the construction, land survey, and agricultural sectors. The Commercial GNSS Project

had no military applications.

20. This Commercial GNSS Project had been in development for approximately three
years and had represented an investment of millions of dollars by Trimble. As such, Trimble?s
computer networks contained documents and other data pertaining to both the Commercial GNSS
Project?s technical development and the business and marketing strategy. Access to certain
documents and data were restricted by Trimble based on a need to know. In addition, Trimble
required that its employees and contractors Sign Non-Disclosure Agreements to protect the
development of the Commercial GNSS Project.

21. Beginning no later than December 2015 and continuing through March 2016, the
co-conspirators targeted the servers within Trimble?s network, including those that hosted
documents and data relating to the Commercial GNSS Project.

Beginning no later than January 11, 2016, defendant WU accessed Trimble?s
network and copied, packaged, and stole computer ?les containing commercial business
documents and data relating to the Commercial GNSS Project. Speci?cally, on January 11, 2016,
WU prepared a zip archive ?le containing approximately 252 megabytes of compressed data from
Trimble?s network and removed the ?le from the network. This zip ?le contained hundreds of
?les of Trimble?s technical, design, and business marketing documents pertaining to the
Commercial GNSS Project.

9}

23. The stolen zip ?le contained ?les marked ?con?dentia or ?proprietary,? and
contained market research and strategy for the Commercial GNSS Project, which were a trade
secret and commercial in nature (?Trade Secret 1? and ?Trade Secret Trade Secret 1 and
Trade Secret 2 contained con?dential information regarding Trimble?s market share, costs of
production, and a timetable for the release and marketing of the Commercial GNSS Project.

24. The stolen zip ?le also contained a con?dential and proprietary schematic design

for the hardware receiver equipment component of the Commercial GNSS Project (?Trade Secret



25. On or about January 12, 2016, a co-conspirator accessed Trimble?s network and
stole an additional 23 megabytes of data, including testing data for Trimble?s proprietary
subscription services.

26. This stolen data included con?dential testing data of Trimble technology (?Trade
Secret 

27. On or about January 22, 2016, the co-conspirators accessed Trimble?s network and
executed commands to steal two directory lists. One of these directory lists included, listed ?les
containing the name of a Trimble engineer and related to the Commercial GNSS Project.

28. In total, conspirators stole at least 275 megabytes of data, including compressed
data, which included hundreds of ?les that would have assisted a Trimble competitor in
developing, providing, and marketing similar software and subscription services, without
incurring millions of dollars in research and development costs.

OVERT ACTS

29. In furtherance of the conspiracy, and to effect the objects of the conspiracy, the
defendants and others, both known and unknown to the grand jury, committed the following overt
acts: 1

a. On or about August 26, 2011, a co-conspirator created a Fraudulent Email
Account in the name of Employee A of Moody?s Analytics.

b. On or about August 26, 2011, the exact date being unknown, a
co-conspirator accessed the mail server within the Moody?s Analytics computer network and
placed a forwarding rule on the server directing all emails sent to Employee A to be forwarded to
the Fraudulent Email Account.

o. On or about June 21, 2013, defendant XIA accessed emails which had been

forwarded to Employee A?s fraudulent account.

d. On or about January 21, 2014, defendant XIA accessed a hop point and
logged into a Fraudulent Email Account and accessed emails which had been forwarded from
Employee A?s email account.

e. On or about June 6, 2014, defendant DONG accessed a Siemens computer
with hostname without authorization.

f. On or about June 6, 2014, defendant DONG transferred a ?le containing
Siemens password hashes among computers within the Siemens network and attempted to 

some of those hashes.

g. On or about June 6, 2014, defendant DONG connected to host 
a Siemens network computer located in the Western District of and attempted to log
in as a network administrator using stolen credentials.

h. On or about June 7, 2014, defendant DONG attempted to log on to Siemens
host computer using stolen credentials belonging to Siemens employee 

i. On or about June 7, 2014, defendant DONG attempted to log on to Siemens
host computer using stolen credentials belonging to Siemens employee 

j. On or about December 18, 2015, defendant WU accessed a hop point and
then further accessed a Trimble computer with hostname 

k. On or about December 26, 2015, a co?conspirator accessed a hop point and
accessed Internet web pages of Trimble.

1. On or about January 9, 2016, defendant WU possessed and used the stolen
credentials of Trimble employee in order to connect to a Trimble computer at IP address


m. On or about January 11, 2016, defendant WU entered a series of commands
resulting in the theft of approximately 773 ?les containing. trade secrets and other proprietary

information from Trimble?s computer network.

10

n. On or about January 11, 2016, defendant WU entered a command to delete
a log ?le named ?Lo g.zip? from a computer Within the Trimble network.

0. On or about January 12, 2016, a co-conspirator stole approximately four
?les containing proprietary information from the computer network of Trimble.

p. On or about January 14, 2016, defendant WU attempted to log into a
Trimble computer using stolen credentials belonging to Trimble employee 

q. On or about January 22, 2016, defendant WU used stolen credentials
belonging to Trimble employee to gain unauthorized access to Trimble?s computers.

In Violation of Title 18, United States Code, Section 1030(b).

ll

COUNT TWO
(Conspiracy to Commit Trade Secret Theft)

The grand jury further charges:
30. Paragraphs 1-29 of this indictment are incorporated herein as if set forth in full.
31. Beginning at least in or about 2011, and continuing until at least May 2017, in the
Western District of and elsewhere, the defendants,
WU YIN GZHUO
a/k/ a 
a/k/a ?Christ Wu?
a/k/a 
DONG HAO
a/k/a ?Bu Yi?
a/k/a ?Dong Shi Ye?
a/k/a ?Tianyu,? and

XIA LEI
a/k/a ?Sui Feng Yan Mie?

did knowingly conspire and agree together and with each other, and with other persons both
known and unknown to the grand jury, to copy, duplicate, download, upload, replicate, transmit,
deliver, send, mail, communicate, and convey trade secrets without authorization that were related
to products or services used in or intended for use in interstate and foreign commerce, with the
intent to convert the trade secrets to the economic bene?t of someone other than the owner of the
trade secrets and with the intent and knowledge that the offense would injure the owner of the trade
secrets, in violation of Title 18, United States Code, Section 1832(a)(1) and (2).
OVERT ACTS
32. In furtherance of the conspiracy, and to effect the objects of the conspiracy, the

defendants and their co?conspirators, committed the overt acts alleged in paragraph 29.

In violation of Title 18, United States Code, Section 1832(a)(5).

12

COUNT THREE
(Wire Fraud)

The grand jury further charges:

33. Paragraphs 1-29 of this indictment are incorporated herein as if set forth in full.

34. Beginning no later than 2011, and continuing until at least May 2017, in the
Western District of and elsewhere, the defendants,

WU YIN GZHUO
a/k/a 
a/k/a ?Christ Wu?
a/k/a ?wyz?
DONG HAO
a/k/a ?Bu Yi?
a/k/a ?Dong Shi Ye?
a/k/a ?Tianyu,? and
XIA LEI
a/k/a ?Sui Feng Yan Mie?

did devise, intend to devise, and participate in a scheme, with others known and unknown to the
grand jury, to defraud and to obtain money and property by means of materially false and.
fraudulent pretenses and representations, and by concealment of materials facts.

35. It was part of the scheme that defendants used hop points to misrepresent

their true IP address, location, and identities.

36. It was further part of the scheme that the defendants used the Fraudulent
Email Accounts in order to misrepresent to the Moody?s Analytics network that Employee A?s
emails were being forwarded to Employee A?s personal email account when, in fact, the emails

were forwarded to the Fraudulent Email Accounts.

37. It was further part of the scheme that the defendants used stolen credentials

to gain access to parts of the victims? networks.

38. It is further part of the scheme that the defendants sought and stole internal

and proprietary information belonging to commercial entities.

l3

39. On or about June 6, 2014, in the Western District of and
elsewhere, the defendants, for the purpose of executing the scheme to defraud, knowingly caused
to be transmitted by means of wire communication in interstate commerce certain writings, signs,
and signals, namely, an electronic signal containing credentials to a Siemens network computer.

In Violation of Title 18, United States Code, Section 1343.

14

COUNTS FOUR THROUGH EIGHT
(Aggravated Identity Theft)

The grand jury further charges:
40. Paragraphs 1?29 are incorporated herein as if set forth in full.
41. Beginning at least on or about June 6, 2014, and continuing until at least January
22, 2016, in the Western District of and elsewhere, the defendants,
WU YINGZHUO
a/k/ a 
a/k/a ?Christ Wu?
a/k/a 
DONG HAO
a/k/a ?Bu Yi?
a/k/a ?Dong Shi Ye?
a/k/a ?Tianyu,? and
XIA LEI .
a/k/a ?Sui Feng Yan Mie?
aided and abetted by others known and unknown to the grand jury, during and in relation to the
crime of conspiracy to commit computer fraud and abuse in violation of Title 18, United States
Code, Section 1030(b) and wire fraud, in violation of Title 18, United States Code, Section 1343,
as more fully set forth in Counts One and Three above, did knowingly transfer, possess, and use,
without lawful authority, a means of identification of another person.
42. On or about the dates identi?ed in Column of the chart set forth below, each date
constituting a separate count as set forth in Colunm A, defendants did knowingly transfer,

possess, and use, without lawful authority, a means of identi?cation of another person, listed by

initials in Column C, who was associated with a victim listed in Column D:

15

 

 

 

 

 

 

 

 

 

 

 

A 
Count Date (011 or About) Means of Victim
Identi?cation
Belonging to
4 June 6, 2014 RP. Siemens
5 June 7, 2014 BR. Siemens
6 January 9, 2016 KB. Trimble
7 January 14, 2016 RM. Trimble
8 January 22, 2016 BM. Trimble

 

In Violation of Title 18, United States Code, Sections 1028A(a)(1), 1028A(b), 1028(c)(4),

and 2.

A true bill,

 

a Mame,
m? a, 
?Mr? f" V'epf-SONG
Acting United States Attorney
DC ID No. 457268

 

l6