Malware Broker Behind U.S. Hacks is Now Teaching Computer Skills in China

December 27, 2019 by

LONDON/SHANGHAI — A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on internet security.

Yu Pingan, who spent 18 months in a San Diego federal detention center, had pleaded guilty to conspiracy to commit computer hacking. A high school instructor, he had been arrested at Los Angeles International Airport in August 2017 upon arriving with a group of teachers to observe a U.S. university. A Reuters reporter found him teaching at his old school here last month.

Yu was sentenced by a federal judge in February to time served and allowed to return to China. The victims of the hacking conspiracy included microchip supplier Qualcomm Inc, aerospace and defense firm Pacific Scientific Energetic Materials Co, and gaming company Riot Games, according to the judgment. Exactly what was stolen in the computer breaches wasn’t disclosed in public court filings.

Qualcomm declined to comment. A Riot Games spokesman said the company lost no data. Pacific Scientific didn’t respond to requests for comment.

Yu specializes in computer network security and programming, according to court records. The malware he provided in the conspiracy included a rare software tool called Sakula that granted hackers remote control over computers. It’s unclear who authored the malware or how Yu obtained it.

Sakula has been linked to some of the most notorious cyber attacks of the decade. In addition to the intrusions detailed in the case against Yu, these include hacks of U.S. health insurer Anthem Inc, where millions of patient records were exposed, and the U.S. Office of Personnel Management, in which the personal information of millions of current and former U.S. government employees and contractors was compromised. Yu wasn’t accused of involvement in those two breaches.

His prosecution was one of a series of criminal cases against Chinese nationals Washington has brought in recent years, in response to what the Americans say is a concerted campaign by China’s military and security ministry to steal technology from Western companies.

In another case involving Sakula malware, the U.S. last year alleged that two Chinese intelligence officers and a team of recruited hackers repeatedly intruded into Western companies’ computer systems for more than five years.

Many of the Chinese defendants in the series of hacking cases haven’t been apprehended. Yu is one of the few alleged Chinese hackers to have been arrested and convicted in the U.S. crackdown.

In addition to jail time, Yu was ordered to pay nearly $1.1 million in restitution to five companies that were victims of the hacking. The fine was to be paid in installments of $100 a month, with no interest, according to the judgment. The payment schedule would take more than 900 years to complete.

Jeremy Warren, a San Diego criminal defense attorney who represented Yu, said: “With a Chinese national, a school teacher, there’s no real expectation of payment.”

Yu’s 18 months in federal prison, he said, was no “walk in the park.”

China’s Ministry of Foreign Affairs said it had “no understanding” of the Yu case. “We resolutely oppose any type of cyber attack, and we investigate and crack down on any cyberattack occurring inside China or making use of Chinese internet infrastructure,” the ministry spokesperson’s office said.

The ministry added that it had no knowledge of other cases alleging Chinese hacking of U.S. companies, and it accused Washington of displaying a “cold war mentality” in its tech-related prosecutions.

Yu, according to court filings by U.S. prosecutors, went by the nickname “Goldsun.” He was accused of conspiring with other Chinese individuals to use malware to hack into the computer networks of companies in the U.S. and elsewhere.

An affidavit from Federal Bureau of Investigation Special Agent Adam James alleged that Yu provided Sakula and other malware used in the case. Citing seized communications between Yu and two unindicted co-conspirators, James alleged that Yu had installed “an unauthorized backdoor” on an unidentified company’s computer network to gain remote access.

The conspirators’ cyber intrusions included so-called “watering hole attacks,” in which malicious software infects the computers of visitors to compromised websites. “This is akin to a predator waiting to ambush prey at the location the prey goes to drink water,” a court document stated.

Last month, Reuters found Yu, who is 39, teaching at Shanghai Commercial School, a state-run vocational technical high school in central Shanghai. U.S. officials told Reuters that Yu had been teaching there prior to his arrest.

Digital signs outside classrooms indicated Yu was teaching at least two basic computer courses, including one called “Basic English for Internet Security.” One of his former students, a computer science major who is now in China’s military, said he couldn’t answer questions about Yu because of “political reasons” and that the school had instructed him not to discuss the matter.

On Nov. 1, a Reuters reporter saw Yu at an office on the school’s campus. Dressed in a red and blue plaid Oxford shirt, he declined to answer questions. Yu called a school official, who arrived with a security guard and escorted the reporter off the campus. The school official called Yu’s situation a private matter.

“It’s his own experience, and it has nothing to do with the school,” she said.