Ex-Google Engineer Arrested for Stealing AI Technology Secrets for China

Mar 07, 2024

The U.S. Department of Justice (DoJ) announced the indictment of a 38-year-old Chinese national and California resident for allegedly stealing proprietary information from Google while covertly working for two China-based tech companies.

Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on March 6, 2024, “transferred sensitive Google trade secrets and other confidential information from Google’s network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry,” the DoJ said.

The defendant is said to have pilfered from Google over 500 confidential files containing artificial intelligence (AI) trade secrets with the goal of passing them on to two unnamed Chinese companies looking to gain an edge in the ongoing AI race.

“While Linwei Ding was employed as a software engineer at Google, he was secretly working to enrich himself and two companies based in the People’s Republic of China,” said U.S. Attorney Ismail Ramsey.

“By stealing Google’s trade secrets about its artificial intelligence supercomputing systems, Ding gave himself and the companies that he affiliated with in the PRC an unfair competitive advantage.”

Ding, who joined Google as a software engineer in 2019, has been accused of siphoning proprietary information related to the company’s supercomputing data center infrastructure used for running AI models, the Cluster Management System (CMS) software for managing the data centers, and the AI models and applications they supported.

The files were transferred to a personal Google Cloud account between May 21, 2022, and May 2, 2023, the indictment alleged, adding that Ding secretly affiliated himself with two tech companies based in China.

This included one firm in which he was offered the position of chief technology officer sometime around June 2022 and another company founded by Ding himself by no later than May 30, 2023, acting as its chief executive officer.

“Ding’s company touted the development of a software platform designed to accelerate machine learning workloads, including training large AI models,” the DoJ said.

“A document related to Ding’s startup company stated, ‘we have experience with Google’s ten-thousand-card computational power platform; we just need to replicate and upgrade it – and then further develop a computational power platform suited to China’s national conditions.'”

In an interesting twist, Ding purportedly took steps to conceal the theft of trade secrets by copying the data from Google source files into the Apple Notes application on his company-provided MacBook and then converting the notes to PDF files before uploading them to his personal Google account.

Furthermore, Ding allegedly allowed another Google employee in December 2023 to use his Google-issued access badge to scan into the entrance of a Google building, giving the impression that he was working from his U.S. Google office when, in fact, he was in China. He resigned from Google on December 26, 2023.

Ding has been charged with four counts of theft of trade secrets. If convicted, he faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each count.

The development comes days after the DoJ arrested and indicted David Franklin Slater, a civilian employee of the U.S. Air Force assigned to the U.S. Strategic Command (USSTRATCOM), on charges of transmitting classified information on a foreign online dating platform between February and April 2022.

The information included National Defense Information (NDI) pertaining to military targets and Russian military capabilities relating to Russia’s invasion of Ukraine. It’s said to have been sent to a co-conspirator, who claimed to be a female living in Ukraine, via the dating website’s messaging feature.

“Slater willfully, improperly, and unlawfully transmitted NDI classified as ‘SECRET,’ which he had reason to believe could be used to the injury of the United States or to the advantage of a foreign nation, on a foreign online dating platform to a person not authorized to receive such information,” the DoJ said.

Slater, 63, faces up to 10 years in prison, three years of supervised release, and a maximum monetary penalty of $250,000 for each count of conspiracy to transmit and the transmission of NDI. No details are known about the motives or the real identity of the individual posing as a Ukrainian woman.

Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes

Mar 05, 2024 | Newsroom | Email Security / Network Security

The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.

The new attack chain “can be used for sensitive information gathering purposes and to enable follow-on activity,” enterprise security firm Proofpoint said in a Monday report.

At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world.

The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks’ success.

The ZIP attachments come with an HTML file that’s designed to contact an actor-controlled Server Message Block (SMB) server.

“TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes based on characteristics of the attack chain and tools used,” the company said. The stolen hashes could then be used for pass-the-hash (PtH) type attacks.

This means that adversaries who are in possession of a password hash do not need the underlying password to authenticate a session, ultimately enabling them to move through a network and gain unauthorized access to valuable data.

TA577, which overlaps with an activity cluster tracked by Trend Micro as Water Curupira, is one of the most sophisticated cybercrime groups. It has been linked to the distribution of malware families like QakBot and PikaBot in the past.

“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” Proofpoint said.

It also described the threat actor as acutely aware of the shifts in the cyber threat landscape, quickly adapting and refining its tradecraft and delivery methods to bypass detection and drop a variety of payloads. Organizations are strongly advised to block outbound SMB to prevent exploitation.
