Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.
Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, whom we’ll refer to simply as Su for convenience. Su, the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China. Last Friday, Su was indicted by a federal grand jury in California.
One of the charges in the indictment is a violation of the Arms Export Control Act. The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break into U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.
The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details. First, it appears that access to the defense contractors’ systems was gained by sending the contractors’ employees emails containing infected attachments or links to infected websites. These installed malware on the systems that allowed the hackers to control the systems, to view files on them, and to send the files back to themselves. Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC. It appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions. One wonders if the NSA is training folks in Morse code and invisible ink. What’s next? Microdots?