Chinese hacker used USB sticks to steal data from hotel guests and then sold it on a popular freelancing site
A former hacker from China’s People’s Liberation Army was inspired by Russians to steal business plans and selling them, according to Kate Fazzini’s new book, “Kingdom of Lies.”
Bo Chou got a job at a hotel in Shanghai and was tricked guests into picking up “Free USB Storage” devices.
Once the simple malware loaded onto the USB drives is installed onto their computers, Bo had access to business spreadsheets and proprietary client lists.
Bo Chou, now working somewhere else in Asia, says he feels like his past life was boring. He’s had no interest, he says, in regaling people with tales of his time as a hacker for China’s People’s Liberation Army. (Some names, locations and personal details have been changed to protect confidential sources.)
The rare few people who actually do know this about him press him for information, but he doesn’t budge.
It’s not just because it’s supposed to be secretive. It is. It’s because it was boring, utilitarian, cog-in-a-wheel stuff. Now the Russians, that’s what Bo wants to talk about. He was always more interested in the Russians, he says, because they are flashier. After his work in the Army, it was Russian hackers he looked to for inspiration. Bad boys.
Bo loves data. He’s good at data. He likes combing through it, making sense of it. The visitors to the hotel are perfect targets, with perfect data.
He uses a commonly available type of malware that can help him get as much information on a company as quickly as possible. He delivers it through USB devices that he scatters around the convention center, making it easy for unwitting professionals to pick up and stick right into their computers, computers with all those spreadsheets and proprietary client lists. He endeavors not to do this in his own hotel. That would be too close to home, and frankly, rude, he says.
Bo finds a great, cheap supplier from down south who sells him thousands of USB storage devices for around $100. Then he goes down to the area that sells lots of mass-produced tchotchkes and buys a few beautiful, polished, modern-looking silver bowls.
Then Bo loads malware on each device. He creates a very professional looking sign, one that mimics whoever is sponsoring the convention in color and font, and puts the USB devices in the beautiful silver bowl. “Free USB Storage. Welcome guests!” He leaves them, surreptitiously, in the lobbies of the hotels or the convention center cafeteria or, if he can slip in, its press room, where all the media outlets take their breaks and meetings.
In the early days of this scheme, convention-goers pick up the devices and use them much more frequently than they do when he tries it months and years later. Many people have learned such freebies might be risky, and Bo is fine with that. Because the ones who pick them up are enough. He isn’t greedy.
Once the simple malware loaded onto the USB drives is installed onto their computers, Bo grabs as many spreadsheets — just spreadsheets — as he can from their machines. The malware will probably be caught in a routine scan by some corporate technology team when the travelers get back to New York or San Francisco or London or Brisbane, but by then it will be too late.
Bo will have everything he needs, including all of the emails and personal details of the individual’s business contacts. He particularly likes getting business plans, budgets, future merger ideas. Then, after all this excitement, the denouement.
Big data, little marketplace
What does Bo do with this valuable information? He has an account on a legitimate, U.S.-based website for freelancers, and he sells this business intelligence to other companies. Companies that love the breadth and depth of his data but have no idea where it came from and know better than to ask.
The freelancer platform is fairly simple. The baseline price for one “gig” is $5, which is where anyone using it to sell goods starts. Bo picks a simple interface, lists his location as Japan, uses a special program and a virtual private network — a program that masks his movements from the Chinese government. To an outside observer, it would look like Bo’s computer is pinging from a Tokyo apartment complex.
From there, he offers “curated” lists made up of “publicly available” corporate information on big players in all the industries that have trade shows in Shanghai. Building materials. Finance. Risk and compliance. Even money laundering.
He starts with a $5 price tag for a basic report. Of course, his intel is good so the business quickly grows. And he is so good at curating it, business contacts recommend him to others in their industry. He becomes especially popular with salesmen looking for detailed prospect lists. He becomes a master at PowerPoint, making the data even more digestible to his less-than-tech-savvy customers.
The platform helps him get paid in all kinds of currencies — U.S. dollars, euros, cryptos — all of which are far more valuable than his local currency. The problem is the scheme is so lucrative and so easy he finds himself at the point where he can’t afford to give it up. And he’s looking over his shoulder everyday, afraid he’s going to be spirited away in an airplane like his former hero Romanov.