Indicted Chinese hacker UglyGorilla Wang Dong leaves telltale signs of himself throughout the internet
US prosecutors were surprised Wang Dong - one of five alleged Chinese military hackers indicted last week - left tracks all over the internet
Prosecutors building a case against Wang Dong, one of five Chinese military hackers indicted for economic espionage, were helped by Wang's apparent willingness to break a cardinal rule of spying: Leave no tracks.
Known as UglyGorilla, Wang is a pun-making hacker who left a string of clues dating back years, according to several security professionals who have pursued him. He became famous in counterintelligence circles as China's most flamboyant hacker, as he seeded malicious code with his handle and left the initials "UG" in the logs of thousands of compromised computers.
Last week, the US Justice Department unveiled the indictment of the People's Liberation Army officers it says broke into computers at five US companies, including Westinghouse and United States Steel, to steal trade secrets and other information.
Among those indicted was a hacker the prosecutors identified as Wang, also known as UglyGorilla - the first time the government had linked the two names. The indictment cast a public spotlight on a hacker who for years had left a trail that was obvious to those more accustomed to scrutinising wisps of digital information for clues.
"When the indictment came out, my wife asked me if I knew this UglyGorilla guy," said Adam Meyers, who first encountered China's cyberspies as a security specialist at the US State Department. "I told her, 'I've known him longer than I've known you,'" said Meyers, who celebrates his three-year wedding anniversary next week.
The US indictment focuses on a narrow set of cases, including the theft of plans for a nextgeneration nuclear power plant from Westinghouse. Wang gained unauthorised access to at least one US Steel computer in February 2010, and from there stole a virtual map - host names and descriptions - of more than 1,700 of the company's computers, prosecutors allege.
UglyGorilla's activities are likely much broader, according to cybersecurity experts, who link him to hundreds of intrusions. Those include missions to steal technical details of valuable American technology, obtain data on deals US companies were doing with Chinese counterparts, and, in 2011, wage a campaign to breach the security of US nuclear power plants, according to commercial forensics reports and investigators who examined those attacks.
China's Foreign Ministry said the May 19 indictment was based on "intentionally fabricated facts".
The indictment contains what appear to be the first photographs of the five People's Liberation Army hackers published in the US. The images include a shot of an unsmiling Wang wearing rimless glasses that could be an ID photo or cropped from an official group portrait.
Based on posts from Chinese online bulletin boards and social media accounts, Wang is 37 years old and may have attended Shanghai's elite Jiaotong University, which has a strong computer science department, investigators said in interviews.
Several cybersecurity experts say their knowledge of UglyGorilla goes back at least a decade. While hackers routinely change online personas in an effort to obscure their identity, Wang's has been remarkably consistent, they said.
In 2004, a user under the name of Jack Wang, with an e-mail address of uglygorilla163.com posted a question about digital warfare on a forum hosted by China Military Online.
That same e-mail account was used over and over, including to register websites used in attacks on hundreds of US entities, the security experts said.
US investigators say Wang may have taken the typical hacker penchant for showing off to an extreme.
"You can leave little pieces of yourself in your work," Meyers said. "It's one of the perks of the job."
In 2006, UglyGorilla created an account on a Chinese developer site as Wang Dong - his real name, the US would say eight years later. This was according to a report by Mandiant Corporation, a data-security division of FireEye. The report, published last year, also linked Wang and the gorilla handle to the PLA.
"We were baffled. Why is he putting his name in everything? It was like he was making it too easy," said Kevin Albano, an intelligence analyst for Mandiant. "Maybe it's just ego, but he also did seem to be proud of what he was doing."
He also appeared to feel safe, said Jaime Blasco, a malware researcher and director of AlienVault Labs. UglyGorilla and the rest of a crew of Chinese hackers known to cybersecurity researchers as the Comment group - known for their trademark of infiltrating computers using hidden code on web pages known as comments - appeared to feel protected from any consequences of hacking overseas companies, he said.
"They didn't care about being caught," Blasco said. "They are in China."
In many of the breaches described in the private forensic reports, the PLA hackers would relay commands and send stolen data through US-based servers that they hijacked or rented. Wang registered some of those servers under the domain name hugesoft.org a pun combining adjectives that describe a gorilla, according to Mandiant and other security companies. Subdomains often included the initials UG.
He also included the initials in commands to victims' computers, security experts said, like a calling card that forensic investigators would discover later.
"We found his name all over the place in dealing with intrusions over the last few years," Blasco said. "You can link this guy to hundreds of attacks."
One of the hugesoft.org domains, happy.hugesoft.org was involved in an attack on Telvent Canada, a maker of industrial control systems to monitor oil and gas pipelines and electrical grids, according to security blogger Brian Krebs. Krebs posted what he said was an alert letter Telvent sent online to customers in September 2012, in which Telvent flagged the hugesoft site.
Malware that helped China break into the computers of Coca-Cola in 2009 was programmed to communicate with the website ug-co.hugesoft.org The PLA hackers broke into the company's computer systems and were pilfering sensitive files about its attempted US$2.4 billion acquisition of China Huiyuan Juice Group, according to an internal company document detailing the intrusion.
The Huiyuan deal, which was blocked by Chinese regulators over concerns about competition, would have been the largest foreign takeover of a Chinese company at the time. It's not known if the stolen information contributed to China's decision.
Wang may also have been involved in an intrusion at a California nuclear plant operated by Pacific Gas and Electric in 2011, according to an internal report on the intrusion.
The report said that the computer of one of the plant's managers had been hacked by UglyGorilla's unit, and also linked UglyGorilla to a broader effort to steal secrets from the American nuclear energy sector. The company declined to comment at the time.
As Wang's notoriety grew, at least within the community of US counterintelligence officials and data security experts, investigators sought to fill in more pieces of the puzzle.
They found a 2004 post on a popular Chinese car forum in which someone identifying himself as UglyGorilla was seeking advice on buying a car for his wife to use.
Wang may have been a legend, but he also had everyday problems, Albano said.
"Underneath it all, he's serving his military, doing his time - just a regular guy," he said.