Scribd

\

1

ALANA W. ROBINSON

2

Acting United States Attorney SABRINA

L

FEVE

3

Assistant U.S. Attorney

4

California Bar No.: 226590 Office

o

the U.S. Attorney

5

880 Front Street, Room 6293

6

San Diego, CA 92101 Tel: (619) 546-6786 7 Fax: (619) 546-0831

8

Email: Sabrina.Feve@usdoj.gov

FILE

UG

2 1

2 17

UHSEAl IJJER

OR ER OF

COURT

~\ Z--Z..

\

q

9 Attorneys for the United States

10 11 12

UNITED

STATES DISTRICT

COURT SOUTHERN

DISTRICT

OF CALIFORNIA

13

UNITED STATES OF AMERICA, Case No.:

17MJ2910

14 15 16 17 18 19

2

21

22

23

24 25

6

Plaintiff,

COMPLAINT

FOR

VIOLATION

OF:

v.

YU PINGAN, a.k.a. GoldSun Title

18

U.S.C., Section

371

-Conspiracy; Title 18, U.S.C., Section 1030(a)(5)(A)Computer Hacking; Title 18, U.S.C., Sections 982 and 1030(i) and Title 21, U.S.C., Section 853 -Forfeiture Defendant. The undersigned Complainant, being duly sworn, states:

Count 1 Conspiracy Computer Hacking)

Introductory Allegations At all times relevant to this Complaint:

1.

Company A was headquartered in San Diego, California, Company B was headquartered in Massachusetts, Company C was headquartered

in

Los Angeles,

27

California, and Company D was headquartered in Arizona.

28

1

omplaint

Case 3:17-mj-02970-BGS Document 1 Filed 08/21/17 PageID.1 Page 1 of 21

2

Defendant YU Pingan was a malware broker in the People's Republic

of

2

China ( PRC ).

3

3

An Internet Protocol ( IP ) address is a unique series

of

numbers that

4

identifies computing devices connected to the Internet. Computers use IP addresses

to

5

connect to each other on networks and the Internet. Because those numbers

c n

be hard

6

to recall, IP addresses are typically assigned a plain text domain name (like 7 amazon.com or uscourts.gov).

n

automated Internet database system called Domain

8

Name System ( DNS ) is used to translate domain names into the actual numerical

IP

9

address and to route an internet user to that domain's IP address.

1

4

The term dynamic DNS refers to a system that allows a domain name to update its IP address more frequently or, dynamically. Typically, dynamic DNS is

12

provided for a fee to paying customers.

13

5

The term zero-day exploit refers to a vulnerability

or

hole in a computer

14

or software's security that a hacker can exploit. One

of

the defining features

of

a zero-

15

day exploit is that nobody but the hacker(s) who use it know about the vulnerability and

16

the means for exploiting it.

17

6

The term remote access trojan or RAT refers to a software program that

18

allows an outside party (such as a hacker) to gain remote control over the computer on

19

which the RAT is installed. The remote access

is

often called a back door.

2

7

The term watering hole attack refers to a hacker's installation

of

21

malicious software ( malware ) on legitimate websites frequently visited by employees

22

of

entities the hackers are targeting. When users visit the legitimate website, malware

23

is installed on the users' computers. This is akin to a predator waiting to ambush prey

24

at the location the prey goes to drink water.

25

26

8

The Conspiracy Beginning in or about April 2011, and continuing up to and including on

27

or about January 17, 2014, within the Southern District

of

California and elsewhere,

28

2

omplaint


1

defendant YU Pinga did knowingly, intentionally, and willfully agree and conspire with 2 other persons known and unknown, including Uncharged Coconspirators ( UCC ) 1 3 and 2, to cause the transmission

of

a program, information, code, and command, and,

4

as

a result

of

such conduct, intentionally cause damage without authorization to a 5 protected computer, including a loss

of

at least $5,000, in violation

of

18

U.S.C. 6

§

1030(a)(5)(A) and (c)(4)(B)(i).

7 8

9

9.

Manner and Means The objects

of

the conspiracy were carried out in substance as follows:

a.

Defendant YU and co-conspirators in the PRC would acquire and

1

use malicious software tools, some

of

which were rare variants previously unidentified by the FBI and information security community, including a malicious software tool

12

known

as

Sakula.

13

b.

Defendant YU and co-conspirators in the PRC would establish an

14

infrastructure

of

domain names, IP addresses, accounts with Internet service providers,

15

and web sites to facilitate hacks

of

computer networks operated

by

companies in the

16

United States and elsewhere.

17

c.

Defendant YU and co-conspirators in the PRC would use elements

18

of

that infrastructure and a variety

of

techniques, including watering hole attacks, to

19

surreptitiously install or attempt to install files and programs on the computer networks

2

of

companies in the United States and elsewhere, including but not limited to Company

21

A

Company B, and Company

C.

22 Overt Acts 23

10.

In furtherance

of

the conspiracy and to accomplish the objects thereof, the

24

following overt acts, among others, were committed within the Southern District

of

5

California and elsewhere on or about the dates set forth below:

6

a.

On April

17

2011,

YU

told UCC

#

1 that he had an exploit for

7

Adobe's Flash software. 28

3

omplaint
