[Clerk's filing stamp: FILED OCT 25 2018, Clerk, U.S. District Court, Southern District of California, by Deputy] SEALED

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF CALIFORNIA
June 2011 Grand Jury

UNITED STATES OF AMERICA, Plaintiff,
v.
ZHANG ZHANG-GUI (1), aka "leanov," aka "leaon,"
ZHA RONG (2),
CHAI MENG (3), aka "Cobain,"
LIU CHUNLIANG (4), aka "sxpdlcl," aka "Fangshou,"
GAO HONG KUN (5), aka "mer4en7y,"
ZHUANG XIAOWEI (6), aka "jpxxav,"
MA ZHIQI (7), aka "Le Ma,"
LI XIAO (8), aka "zhuan86,"
GU GEN (9), aka "Sam Gu,"
TIAN XI (10),
Defendants.

Case No. 13CR3132-H
INDICTMENT (Superseding)

Title 18, U.S.C., Secs. 371, 1030(a)(5)(A) and 1030(c)(4)(B)(i), Conspiracy to Damage Protected Computers; Title 18, U.S.C., Secs. 371, 1030(a)(2)(C), 1030(c)(2)(B)(i) and (iii), Conspiracy to Obtain Information; Title 18, U.S.C., Secs. 1030(a)(5)(A), 1030(c)(4)(B)(i), Damaging Protected Computers; Title 18, U.S.C., Sec. 982(a)(1) and (b)(1), Criminal Forfeiture.

The grand jury charges:

JNP:nlv(1) San Diego 10/25/18

INTRODUCTION

At various times relevant to this indictment:

1. The Jiangsu Province Ministry of State Security ("JSSD") was a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security ("MSS"), headquartered in Nanjing, China. The MSS, and by extension the JSSD, was primarily responsible for domestic counter-intelligence, non-military foreign intelligence, and aspects of political and domestic security. From January 2010 to May 2015, JSSD employees, along with individuals working at the direction of the JSSD, conspired to steal sensitive commercial technological, aviation, and aerospace data by hacking into computers in the United States and abroad.

2.
Supervising and managing officers at JSSD, including defendants ZHA RONG, CHAI MENG, aka "Cobain," and others, directed hackers, including ZHANG ZHANG-GUI, aka "leanov," aka "leaon," LIU CHUNLIANG, aka "sxpdlcl," aka "Fangshou," GAO HONG KUN, aka "mer4en7y," ZHUANG XIAOWEI, aka "jpxxav," and MA ZHIQI, aka "Le Ma," as well as victim company insiders, including GU GEN, aka "Sam Gu," and TIAN XI, to hack into or facilitate intrusions into computers of companies based in the United States and abroad for the purpose of gaining and maintaining unauthorized access to those computers, stealing information, and using the computers to facilitate additional computer intrusions.

3. Members of the conspiracy targeted, among other things, companies in the aerospace and other high-technology industries, and attempted to steal intellectual property and confidential business information, including information that was commercial in nature.

4. Members of the conspiracy included, but were not limited to:

a. ZHA RONG (STC[1] 2686/2837), a Division Director in the JSSD who supervised and directed human intelligence and other activities directed towards the theft of intellectual property and confidential business information conducted by one or more members of the conspiracy. Among other things, ZHA RONG oversaw the intrusion into Company I and received updates from one or more members of the conspiracy on the day of the intrusion.

b. CHAI MENG, aka "Cobain," (STC 2693/5492), a JSSD Section Chief who supervised and directed human intelligence and other activities directed towards the theft of intellectual property and confidential business information conducted by one or more members of the conspiracy.
Among other things, CHAI MENG served as a point of contact to coordinate the activities of hacker LIU CHUNLIANG, as well as the activities of victim company insiders, during the intrusion into Company I.

c. ZHANG ZHANG-GUI, aka "leanov," aka "leaon," (STC 1728/7022/6311), a computer hacker who operated at the direction of the JSSD. Among other things, ZHANG ZHANG-GUI tested spear phishing messages and established and maintained infrastructure used in multiple intrusions. In addition, as described in detail herein, infra, ZHANG coordinated hacking activities and shared infrastructure with fellow hacker LIU.

[1] STC is the Standard Telegraphic Code for Chinese, Japanese, and Korean characters.

d. LIU CHUNLIANG, aka "sxpdlcl," aka "Fangshou," (STC 0497/2504/0087), a computer hacker who operated at the direction of the JSSD, and coordinated the activities of other computer hackers and malware developers, including GAO HONG KUN, aka "mer4en7y," ZHUANG XIAOWEI, aka "jpxxav," MA ZHIQI, aka "Le Ma," and an identified unindicted co-conspirator ("UCC-1"). Among other things, LIU established, maintained and paid for infrastructure used in multiple intrusions, deployed malware, and engaged in domain hijacking in connection with the intrusion of Company H.

e. GAO HONG KUN, aka "mer4en7y," (STC 7559/3763/0981), a computer hacker who operated at the direction of LIU and was an associate of ZHANG. Among other things, GAO was involved in the computer intrusions into Capstone Turbine and Company F.

f. ZHUANG XIAOWEI, aka "jpxxav," (STC 8369/2743/0257), a computer hacker and malware developer, who operated at the direction of LIU. Among other things, ZHUANG managed malware on Company G's systems and stole Company G's data from no earlier than September 26, 2014, through May 7, 2015.

g.
MA ZHIQI, aka "Le Ma," (STC 7456/1807/3825), a computer hacker who operated at the direction of LIU and was a personal acquaintance of LIU and UCC-1. Among other things, on February 19, 2013, one or more members of the conspiracy affiliated with LIU hacked into a Company F server, using credentials LIU had provided to MA on December 14, 2012.

h. GU GEN, aka "Sam Gu," (STC 7351/2704), a Chinese employee of Company I, a French aerospace manufacturer with an office in Suzhou, Jiangsu province, China. GU was Company I's Information Technology ("IT") Infrastructure and Security Manager in Suzhou. Among other things, while under the direction of an identified JSSD intelligence officer ("JSSD Intelligence Officer A"), GU provided information to JSSD concerning Company I's internal investigation into the computer intrusions carried out by members of the conspiracy.

i. TIAN XI (STC 3944/2569), a Chinese employee at Company I, who worked in its Suzhou office as a Product Manager. Among other things, TIAN unlawfully installed Sakula malware on a Company I computer at the behest of JSSD Intelligence Officer A.

5. Members of the conspiracy hacked into protected computers, that is, computers used in and affecting interstate and foreign commerce and communications, operated by the following companies, among others, to steal information, including intellectual property and confidential business data, and to use these companies' computers to facilitate further computer intrusions into other companies:

a. Company A, a Massachusetts-based aerospace company,
b. Company B, an aerospace company based in the United Kingdom, with offices in Pennsylvania,
c. Company C, an aerospace company based in the United Kingdom, with offices in New York,
d. Company D, a multinational conglomerate that produces commercial and consumer products and aerospace systems,
e.
Company E, a French aerospace company,
f. Company F, an Arizona-based aerospace company,
g. Company G, an Oregon-based aerospace supplier,
h. Company H, a San Diego-based technology company,
i. Company I, a French aerospace manufacturer with an office in Suzhou, Jiangsu province, China,
j. Company J, a critical infrastructure company operating in San Diego and elsewhere,
k. Company K, a Wisconsin-based aerospace company,
l. Company L, an Australian domain registrar, and
m. Capstone Turbines, a Los Angeles-based gas turbine manufacturer.

6. Members of the conspiracy targeted, among other things, data and information related to a turbofan engine used in commercial jetliners. At the time of the intrusions, a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere. The turbofan engine targeted by members of the conspiracy was being developed through a partnership between Company I and an aerospace company based in the U.S. As described herein, members of the conspiracy hacked Company I and other companies that manufactured parts for the turbofan engine, including Companies A, F, and G, to steal sensitive data from these companies that could be used by Chinese entities to build the same or similar engine without incurring substantial research and development expenses.

Count 1

7. Paragraphs 1 to 6 are re-alleged and incorporated as if set forth in full herein.

8. From a date unknown, but no later than January 8, 2010, up to and including May 7, 2015, within the Southern District of California, and elsewhere, defendants ZHANG ZHANG-GUI, aka
"leanov," aka "leaon," ZHA RONG, CHAI MENG, aka "Cobain," LIU CHUNLIANG, aka "sxpdlcl," aka "Fangshou," GAO HONG KUN, aka "mer4en7y," ZHUANG XIAOWEI, aka "jpxxav," MA ZHIQI, aka "Le Ma," GU GEN, aka "Sam Gu," and TIAN XI did knowingly and intentionally conspire with each other and other persons known and unknown to the grand jury to commit an offense against the United States, that is, to:

a. cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, including loss to at least one person during a one-year period aggregating at least $5,000 in value, in violation of Title 18, United States Code, Sections 371, 1030(a)(5)(A) and 1030(c)(4)(B)(i); and

b. intentionally access computers without authorization, and thereby obtain information from at least one protected computer, such conduct having involved an interstate and foreign communication, and the offense was committed for purposes of commercial advantage and private financial gain and information valued at greater than $5,000, in violation of Title 18, United States Code, Sections 371, 1030(a)(2)(C) and 1030(c)(2)(B)(i) and (iii).

MANNER AND MEANS

9. Members of the conspiracy used the following manner and means, among others, to accomplish the objects of the conspiracy:

a. Certain defendants used email accounts hosted by webmail providers worldwide, including in the United States and China. The accounts often used false subscriber information. Defendants communicated using these email accounts and often encrypted their communications.

b. Certain defendants, directly and through intermediaries, attempted to hide the nature and origin of their Internet traffic and reduce the likelihood of detection by leasing servers or server space worldwide, including in the United States.
Members of the conspiracy forwarded Internet traffic through multiple such servers using software to hide the true source and destination of the traffic.

c. Members of the conspiracy used a variety of computer intrusion tactics, alone or in combination, including but not limited to:

i. Spear Phishing, the use of fictitious emails embedded with malicious code (malware) that facilitated access to the email recipient's computer and connected network,
ii. Malware, including but not limited to certain malware, such as Sakula and IsSpace, that was uniquely used by members of the conspiracy during the period of the conspiracy,
iii. Doppelganger Domain Names, the creation and use of domain names that closely resemble legitimate domain names to trick unwitting recipients of spear phishing emails,
iv. Dynamic Domain Name Service (DNS) Accounts, a service of DNS providers that allows users, including members of the conspiracy, to register one or more domain names under a single account and frequently change the Internet protocol (IP) address assigned to a registered domain name,
v. Domain Hijacking, the compromise of domain registrars in which one or more members of the conspiracy redirected a victim company's domain name at a domain registrar to a malicious IP address in order to facilitate computer intrusions,
vi. Watering Hole Attacks, the installation of malware on legitimate web pages of victim companies to facilitate intrusions of computers that visited those pages, and
vii. Co-Opting Victim Company Employees, the use of insiders at victim companies to facilitate computer intrusions or monitor investigations of computer intrusion activity.

OVERT ACTS

10.
In furtherance of the conspiracy and to effect the objects thereof, the following overt acts, among others, were committed within the Southern District of California and elsewhere, on or about the dates below:

Establishment of DNS Accounts and Malicious Domain Names

a. On April 26, 2011, LIU registered DNS ACCOUNT-3 and DNS ACCOUNT-4 at a DNS provider to facilitate computer intrusions. LIU paid for DNS ACCOUNT-3 and DNS ACCOUNT-4.

b. On April 26, 2011, LIU registered domain names, some of which were doppelganger domain names of hacked or targeted companies, to be used to facilitate computer intrusions.

c. On May 25, 2012, LIU registered DNS ACCOUNT-2 at a DNS provider to facilitate computer intrusions. LIU paid for DNS ACCOUNT-2.

d. On June 20, 2012, ZHANG registered DNS ACCOUNT-1 at a DNS provider to facilitate computer intrusions. LIU paid for DNS ACCOUNT-1.

e. On June 25, 2012, LIU registered domain names, some of which were doppelganger domain names of hacked or targeted companies, to be used to facilitate computer intrusions.

f. On November 20, 2014, ZHANG modified domain name records to facilitate computer intrusions.

g. On February 27, 2015, LIU modified domain name records to facilitate computer intrusions.

h. Each of the intrusions of the victim companies described herein, infra, at Paragraph 10, involved malware that was configured to beacon or otherwise linked to one or more of these DNS ACCOUNTS between January 2010 and May 2015.

Intrusion Into Capstone Turbine Computers

i. On January 8, 2010, members of the conspiracy infiltrated the Capstone Turbine computer network, created an email account in the Capstone Turbine email server, and tested a potential spear phishing email by sending an email from the newly-created Capstone Turbine email account to ZHANG's personal email account.

j.
On May 24, 2012, a member of the conspiracy installed malware on Capstone Turbine's web server to facilitate a watering hole attack.

k. On or before May 24, 2012, a member of the conspiracy installed Winnti malware in Capstone Turbine's computer systems, and the malware, as programmed, sent "beacons" to domain names hosted by DNS ACCOUNT-1, as well as to a blog controlled by "mer4en7y," which is an alias used by GAO. Malware is designed to "beacon" in order to, among other things, notify members of the conspiracy that the malware has been successfully installed.

l. On or about May 30, 2012, a server associated with ZHANG, which was located in Nanjing, China, was used to gain unauthorized access to Capstone Turbine's web server.

m. On May 31, 2012, a member of the conspiracy used the IP address of a server associated with ZHANG to connect to the Capstone Turbine web server using a Capstone Turbine administrative account with system administrator privileges (which meant the account user had access to most areas of the Capstone Turbine network).

n. On June 1, 2012, a member of the conspiracy used the same administrative account to upload malware to Capstone Turbine's web server for use in a watering hole attack.

o. On August 23, 2012, ZHANG tested a potential spear phishing email that used the doppelganger domain name capstonetrubine.com (emphasis added). At that time, the doppelganger domain name capstonetrubine.com was registered to DNS ACCOUNT-2.

p. On or before December 29, 2012, members of the conspiracy caused Sakula malware on Capstone Turbine's server to send a beacon to an account under the control of one or more members of the conspiracy.
Intrusion Into Company F's Computers

q. On May 30, 2012, a member of the conspiracy caused malware to be installed on Company F's computer network through a spear phishing attack, which contained a link to a domain on DNS ACCOUNT-2. Company F manufactured parts for the turbofan engine developed by Company I and an aerospace company based in the U.S.

r. On June 8, 2012, a member of the conspiracy first accessed a specific Company F server (the "Compromised Company F Server").

s. On December 14, 2012, LIU gave MA directions on how to hack into the Compromised Company F Server. LIU provided MA with LIU's credentials to access the server and provided guidance as to how MA could package and steal data from the server to minimize detection.

t. On February 19, 2013, a member of the conspiracy accessed the Compromised Company F Server, created a compressed file of Company F's confidential data, and saved it on Company F's server, using the IP address, username, password and methodology, which LIU had provided to MA on December 14, 2012.

u. On March 18, 2013, LIU gave GAO the IP address assigned to a domain name under the control of one or more members of the conspiracy, so GAO could access the malware installed within Company F's computer network.

v. Between June 8, 2012 and May 9, 2013, LIU, GAO, MA, and other members of the conspiracy accessed Company F's server for the purpose of stealing data related to Company F's products.

Intrusion Into Company H's Computers

w. No later than August 7, 2012, a member of the conspiracy caused malware to be installed on Company H's computer network.

x. On or before August 23, 2012, a member of the conspiracy caused PlugX malware named "capstone.exe" to be installed in Company H's computer systems to send
beacons to four domain names registered to DNS ACCOUNT-1, including doppelganger domain name "capstoneturbine.cechire.com."

y. On August 28, 2013, LIU sent MA a link to a news article that explained how the Syrian Electronic Army (SEA) had hacked into the computer systems of Company L, a domain registrar, in order to facilitate intrusions.

z. On December 3, 2013, members of the conspiracy used the same method as the SEA to hack into the computer systems of Company L and hijack domain names of Company H, which were hosted by Company L.

aa. On December 3, 2013, a member of the conspiracy installed Sakula malware on Company H's computer network and caused the malware to send a beacon to a doppelganger domain name under the control of one or more members of the conspiracy. Notably, the doppelganger domain name was designed to resemble the real domain of Company A, which had previously been hacked by members of the conspiracy.

bb. Between December 3, 2013, and January 15, 2014, members of the conspiracy accessed approximately 40 computer systems operated by Company H and installed a variety of malware, including Sakula, Winnti, and PlugX, to steal Company H's data.

Intrusion Into Company I's Computers

cc. In mid-November 2013, JSSD Intelligence Officer A met TIAN, an employee of Company I, at a restaurant in Suzhou, Jiangsu province, China. The turbofan engine targeted by members of the conspiracy was being developed through a partnership between Company I and an aerospace company based in the U.S.

dd. On November 27, 2013, JSSD Intelligence Officer A communicated to TIAN, in substance and in part, "I'll bring the horse [i.e., Trojan horse malware] to you tonight. Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello.
This way we don't need to meet in Shanghai."

ee. On November 27, 2013, TIAN met JSSD Intelligence Officer A at a restaurant.

ff. In December 2013, JSSD Intelligence Officer A contacted TIAN three times and asked, in substance and in part, if TIAN had "plant[ed] the horse."

gg. On January 11, 2014, JSSD Intelligence Officer A met GU, the IT Infrastructure and Security Manager for Company I, at the same restaurant where he had previously met TIAN.

hh. JSSD Intelligence Officer A and CHAI coordinated with each other and provided same-day updates to their colleagues and superiors, including ZHA, on the targeting of and intrusion into Company I.

ii. On January 11, 2014, JSSD Intelligence Officer A informed CHAI, in substance and in part, "I just met with Xiao GU. GU said that [Company I] was warning people about a fake email from company top management. Did you guys write the email?" CHAI responded, in substance and in part, "We sent a fake email pretending to be from network management."

jj. On January 11, 2014, JSSD Intelligence Officer A informed CHAI that he told GU that CHAI's group had sent the email.

kk. On January 25, 2014, a Company I laptop computer was infected with Sakula malware through a USB drive installed by TIAN, which beaconed to a doppelganger domain name under the control of one or more members of the conspiracy during that period. Notably, this was the same doppelganger domain designed to resemble the real domain of Company A, which members of the conspiracy had used when hacking into Company H.

ll. On January 25, 2014, TIAN texted JSSD Intelligence Officer A, "The horse was planted this morning." Shortly thereafter, JSSD Intelligence Officer A texted CHAI with a message that read, in part: "I briefed ZHA about the incident in Suzhou.
"

mm. On February 19, 2014, a Company I computer beaconed to domain ns24.dnsdojo.com, which was then managed by DNS ACCOUNT-3. Shortly thereafter, French officials notified U.S. law enforcement authorities of the beacon activity.

nn. On February 26, 2014, JSSD Intelligence Officer A texted CHAI, "The French are asking Little GU [Company I's IT manager] to inspect the record: ns24.dnsdojo.com. Does it concern you guys?" CHAI responded, "I'll ask."

oo. Several hours after that text exchange, a member of the conspiracy logged into DNS ACCOUNT-3, an account controlled by LIU, and deleted the domain name ns24.dnsdojo.com.

Intrusion Into Company G's Computers

pp. On September 25, 2014, ZHUANG created a Google AppEngine account named "apple-qts."

qq. On September 26, 2014, members of the conspiracy caused malware to be installed on at least one Company G computer through a watering hole attack hosted on a Company I domain. Company G manufactured parts for the turbofan engine developed by Company I and an aerospace company based in the U.S.

rr. On March 28, 2015, members of the conspiracy caused a computer belonging to Company G to beacon to a domain registered to DNS ACCOUNT-4.

ss. ZHUANG used his apple-qts Google AppEngine account to manage malware, including IsSpace, on Company G's systems and steal commercial data from Company G from no earlier than September 26, 2014, through May 7, 2015.

All in violation of Title 18, United States Code, Sections 371, 1030(a)(5)(A), 1030(c)(4)(B)(i), 1030(a)(2)(C) and 1030(c)(2)(B)(i) and (iii).

Count 2

11. Paragraphs 1 to 10 are re-alleged and incorporated as if set forth in full herein.

12.
From a date unknown, but no later than September 3, 2012, up to and including February 11, 2014, within the Southern District of California, and elsewhere, defendants ZHANG ZHANG-GUI, aka "leanov," aka "leaon," and LI XIAO, aka "zhuan86," did knowingly and intentionally conspire with each other and other persons known and unknown to the grand jury to commit an offense against the United States, that is, to:

a. cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, including loss to at least one person during a one-year period aggregating at least $5,000 in value, in violation of Title 18, United States Code, Sections 371, 1030(a)(5)(A) and 1030(c)(4)(B)(i); and

b. intentionally access one and more computers without authorization, and thereby obtain information from at least one protected computer, such conduct having involved an interstate and foreign communication, and the offense was committed for purposes of commercial advantage and private financial gain and information valued greater than $5,000, in violation of Title 18, United States Code, Sections 371, 1030(a)(2)(C) and 1030(c)(2)(B)(i) and (iii).

13. LI XIAO, aka "zhuan86," (STC 2627/3469), is a computer hacker and a personal friend of ZHANG ZHANG-GUI, aka "leanov," aka "leaon." ZHANG supplied LI with variants of the malware that had been developed and deployed by members of the separate JSSD-related conspiracy charged in Count 1, as described herein, supra, at paragraphs 7 through 10. LI subsequently used malware that had been supplied by ZHANG, as well as other malware, in his attempts to hack into Company H's computers, which ZHANG and others had also targeted in the separate conspiracy charged in Count 1.

OVERT ACTS

Intrusion Into Company H's Computers

14.
In furtherance of the conspiracy and to effect the objects thereof, the following overt acts, among others, were committed within the Southern District of California and elsewhere, on or about the dates below:

a. On September 3, 2012, ZHANG emailed LI a set of malicious files, which was a subset of the malware installed on Capstone Turbine's web server on June 1, 2012, as described herein, supra, at paragraph 10(n).

b. On or about October 27, 2012, LI created a Google AppEngine application to facilitate computer intrusions.

c. On September 11, 2013, a web shell or script was installed on a web server operated by Company H, which allowed a user to gain remote administrative control of Company H's server.

d. On or before September 29, 2013, a second web shell was installed on the same web server to facilitate computer intrusion activities on Company H's server.

e. On or about September 29, 2013, LI used the Google AppEngine application to access the second shell on Company H's server. LI did so in order to leverage the hack of Company H's server into intrusions of other victims.

f. On or about October 10, 2013, LI attempted to use one of the shells to gain access to a third-party website.

g. On or about February 17, 2014, LI installed malicious code on a Company H server to exploit an Internet Explorer vulnerability, which had previously been used by ZHANG and other members of the conspiracy described herein, supra, at paragraphs 7 through 10.

All in violation of Title 18, United States Code, Sections 371, 1030(a)(5)(A), 1030(c)(4)(B)(i), 1030(a)(2)(C) and 1030(c)(2)(B)(i) and (iii).

Count 3

15. From no later than August 7, 2012, up to and including January 14, 2014, within the Southern District of California and elsewhere, defendant ZHANG ZHANG-GUI, aka "leanov," aka
"leaon," knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to a protected computer, and the loss caused by such behavior was at least $5,000, to wit, ZHANG accessed without authorization computer servers in the Southern District of California belonging to Company H and thereby caused loss of at least $5,000; in violation of Title 18, United States Code, Sections 1030(a)(5)(A) and (c)(4)(B)(i).

Criminal Forfeiture

16. Upon conviction of the offenses alleged in this indictment, defendants shall forfeit to the United States of America, pursuant to Title 18, United States Code, Section 982(a)(1), any property, real and personal, involved in such offenses, and any property traceable to such property.

17. In the event that any of the property described above, as a result of any act or omission of the defendants:

a. cannot be located upon the exercise of due diligence;
b. has been transferred or sold to, or deposited with, a third party;
c. has been placed beyond the jurisdiction of the court;
d. has been substantially diminished in value; or
e. has been commingled with other property which cannot be divided without difficulty,

the United States of America shall be entitled to forfeit substitute property pursuant to Title 21, United States Code, Section 853(p), as incorporated by Title 18, United States Code, Section 982(b)(1).

All in violation of Title 18, United States Code, Sections 982(a)(1) and (b)(1).

DATED: October 25, 2018.

A TRUE BILL:

Foreperson

ADAM L. BRAVERMAN
United States Attorney

By:
Assistant U.S. Attorney