Score:   1
Docket Number:   SD-IN  1:19-cr-00152
Case Name:   USA v. WANG
  Press Releases:
WASHINGTON – A federal grand jury returned an indictment unsealed today in Indianapolis, Indiana, charging a Chinese national as part of an extremely sophisticated hacking group operating in China and targeting large businesses in the United States, including a computer intrusion and data breach of Indianapolis-based health insurer Anthem Inc. (Anthem).

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Josh Minkler for the Southern District of Indiana, Assistant Director Matt Gorham of the FBI’s Cyber Division and Special Agent in Charge Grant Mendenhall of the FBI’s Indianapolis Field office made the announcement.

The four-count indictment alleges that Fujie Wang (王 福 杰 in Chinese Hanzi), 32, and other members of the hacking group, including another individual charged as John Doe, conducted a campaign of intrusions into U.S.-based computer systems.  The indictment alleges that the defendants gained entry to the computer systems of Anthem and three other U.S. businesses, identified in the indictment as Victim Business 1, Victim Business 2 and Victim Business 3.  As part of this international computer hacking scheme, the indictment alleges that beginning in February 2014, the defendants used sophisticated techniques to hack into the computer networks of the victim businesses without authorization, according to the indictment.  They then installed malware and tools on the compromised computer systems to further compromise the computer networks of the victim businesses, after which they identified data of interest on the compromised computers, including personally identifiable information (PII) and confidential business information, the indictment alleges.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Benczkowski.  “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII.  The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

“The cyber attack of Anthem not only caused harm to Anthem, but also impacted tens of millions of Americans,” said U.S. Attorney Minkler.  “This wanton violation of privacy will not stand, and we are committed to bringing those responsible to justice.  I would also like to thank Anthem for its timely and substantial cooperation with our investigation.”

“This case is significant not only because it showcases the FBI’s cyber investigative capabilities, but also because it highlights the importance of FBI and private industry relationships,” said Assistant Director Matt Gorham.  “Because the victim companies promptly notified the FBI of malicious cyber activity, we were able to successfully investigate and identify the perpetrators of this large-scale, highly sophisticated scheme. The FBI is committed to investigating cyber-attacks that compromise American industry and the American people. As we did in this case, we will work side by side with victim companies to ensure justice is served.”

"Anthem's cooperation and openness in working with the FBI on the investigation of this sophisticated cyber-attack was imperative in allowing for the identification of these individuals. This also speaks to the strong partnerships the FBI has with the private sector, as well as the tenacity and global reach of the Bureau," said Special Agent in Charge Grant Mendenhall.  "It should also be noted that the speed with which Anthem initially notified the FBI of the intrusion on their networks was also a key factor in being able to determine who was responsible for the breach and should serve as an example to other organizations that might find themselves in a similar situation."

The indictment further alleges that the defendants then collected files and other information from the compromised computers and then stole this data.  As part of the computer intrusion and data breach of Anthem, the defendants identified and ultimately stole data concerning approximately 78.8 million persons from Anthem’s computer network, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment. 

Wang and Doe are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

According to the indictment, the defendants used extremely sophisticated techniques to hack into the computer networks of the victim businesses.  These techniques included the sending of specially-tailored “spearfishing” emails with embedded hyperlinks to employees of the victim businesses.  After a user accessed the hyperlink, a file was downloaded which, when executed, deployed malware that would compromise the user’s computer system by, in pertinent part, installing a tool known as a backdoor that would provide remote access to that computer system through a server controlled by the defendants.

The defendants sometimes patiently waited months before taking further action, eventually engaging in reconnaissance by searching the network for data of interest, according to the indictment.  This data included PII and confidential business information.  The indictment alleges that the defendants accessed the computer network of Anthem without authorization for the purpose of conducting reconnaissance on Anthem’s enterprise data warehouse, a system that stores a large amount of PII, on multiple occasions in October and November 2014.

The indictment further alleges that once the data of interest had been identified and located, the defendants then collected the relevant files and other information from the compromised computers using software tools.  The defendants then allegedly stole the data of interest by placing it into encrypted archive files and then sending it through multiple computers to destinations in China.  The indictment alleges that on multiple occasions in January 2015, the defendants accessed the computer network of Anthem, accessed Anthem’s enterprise data warehouse, and transferred encrypted archive files containing PII from Anthem’s enterprise data warehouse from the United States to China.

Finally, the defendants allegedly then deleted the encrypted archive files from the computer networks of the victim businesses, in an attempt to avoid detection.  In late January 2015, the defendants deleted certain archive files containing PII that they had previously transferred from Anthem’s enterprise data warehouse.

Defendant Wang is specifically alleged to have controlled two domain names connected to the criminal activity.  According to the indictment, one of these domain names was associated with a backdoor used in the intrusion victimizing Victim Business 1, and the other was associated by Wang with a server used to create an email account used to conduct spearfishing attacks against employees of Victim Business 3. 

This case was investigated by the FBI’s Indianapolis Field Office.  Senior Counsel William A. Hall, Jr. of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney and Deputy Chief of the General Crimes Unit Steven D. DeBrota of the Southern District of Indiana are prosecuting the case.  Significant assistance was provided by the Justice Department’s National Security Division and the Criminal Division’s Office of International Affairs.

Charges contained in an indictment are merely allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Docket (0 Docs):   https://docs.google.com/spreadsheets/d/1t1iqO-5B_7Mxmm5c1RWhYa9Ja0A6R5KII4DJlLyMeTc
  Last Updated: 2023-10-12 09:48:03 UTC
Description: The fiscal year of the data file obtained from the AOUSC
Format: YYYY

Description: The code of the federal judicial circuit where the case was located
Format: A2

Description: The code of the federal judicial district where the case was located
Format: A2

Description: The code of the district office where the case was located
Format: A2

Description: Docket number assigned by the district to the case
Format: A7

Description: A unique number assigned to each defendant in a case which cannot be modified by the court
Format: A3

Description: A unique number assigned to each defendant in a case which can be modified by the court
Format: A3

Description: A sequential number indicating whether a case is an original proceeding or a reopen
Format: N5

Description: Case type associated with the current defendant record
Format: A2

Description: Case type associated with a magistrate case if the current case was merged from a magistrate case
Format: A2

Description: A concatenation of district, office, docket number, case type, defendant number, and reopen sequence number
Format: A18

Description: A concatenation of district, office, docket number, case type, and reopen sequence number
Format: A15

Description: The docket number originally given to a case assigned to a magistrate judge and subsequently merged into a criminal case
Format: A7

Description: A unique number assigned to each defendant in a magistrate case
Format: A3

Description: The status of the defendant as assigned by the AOUSC
Format: A2

Description: A code indicating the fugitive status of a defendant
Format: A1

Description: The date upon which a defendant became a fugitive
Format: YYYYMMDD

Description: The date upon which a fugitive defendant was taken into custody
Format: YYYYMMDD

Description: The date when a case was first docketed in the district court
Format: YYYYMMDD

Description: The date upon which proceedings in a case commenced on charges pending in the district court where the defendant appeared, or the date of the defendant’s felony-waiver of indictment
Format: YYYYMMDD

Description: A code used to identify the nature of the proceeding
Format: N2

Description: The date when a defendant first appeared before a judicial officer in the district court where a charge was pending
Format: YYYYMMDD

Description: A code indicating the event by which a defendant appeared before a judicial officer in the district court where a charge was pending
Format: A2

Description: A code indicating the type of legal counsel assigned to a defendant
Format: N2

Description: The title and section of the U.S. Code applicable to the offense committed which carried the highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE1
Format: N2

Description: The four digit AO offense code associated with FTITLE1
Format: A4

Description: The four digit D2 offense code associated with FTITLE1
Format: A4

Description: A code indicating the severity associated with FTITLE1
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the second highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE2
Format: N2

Description: The four digit AO offense code associated with FTITLE2
Format: A4

Description: The four digit D2 offense code associated with FTITLE2
Format: A4

Description: A code indicating the severity associated with FTITLE2
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the third highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE3
Format: N2

Description: The four digit AO offense code associated with FTITLE3
Format: A4

Description: The four digit D2 offense code associated with FTITLE3
Format: A4

Description: A code indicating the severity associated with FTITLE3
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the fourth highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE4
Format: N2

Description: The four digit AO offense code associated with FTITLE4
Format: A4

Description: The four digit D2 offense code associated with FTITLE4
Format: A4

Description: A code indicating the severity associated with FTITLE4
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the fifth highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE5
Format: N2

Description: The four digit AO offense code associated with FTITLE5
Format: A4

Description: The four digit D2 offense code associated with FTITLE5
Format: A4

Description: A code indicating the severity associated with FTITLE5
Format: A3

Description: The FIPS code used to indicate the county or parish where an offense was committed
Format: A5

Description: The date of the last action taken on the record
Format: YYYYMMDD

Description: The date upon which judicial proceedings before the court concluded
Format: YYYYMMDD

Description: The date upon which the final sentence is recorded on the docket
Format: YYYYMMDD

Description: The date upon which the case was closed
Format: YYYYMMDD

Description: The total fine imposed at sentencing for all offenses of which the defendant was convicted and a fine was imposed
Format: N8

Description: A count of defendants filed including inter-district transfers
Format: N1

Description: A count of defendants filed excluding inter-district transfers
Format: N1

Description: A count of original proceedings commenced
Format: N1

Description: A count of defendants filed whose proceedings commenced by reopen, remand, appeal, or retrial
Format: N1

Description: A count of defendants terminated including interdistrict transfers
Format: N1

Description: A count of defendants terminated excluding interdistrict transfers
Format: N1

Description: A count of original proceedings terminated
Format: N1

Description: A count of defendants terminated whose proceedings commenced by reopen, remand, appeal, or retrial
Format: N1

Description: A count of defendants pending as of the last day of the period including long term fugitives
Format: N1

Description: A count of defendants pending as of the last day of the period excluding long term fugitives
Format: N1

Description: The source from which the data were loaded into the AOUSC’s NewSTATS database
Format: A10

Description: A sequential number indicating the iteration of the defendant record
Format: N2

Description: The date the record was loaded into the AOUSC’s NewSTATS database
Format: YYYYMMDD

Description: Statistical year ID label on data file obtained from the AOUSC which represents termination year
Format: YYYY

Data imported from FJC Integrated Database
Magistrate Docket Number:   SD-IN  1:18-mj-01307
Case Name:   USA v. ELLIOTT
Docket (0 Docs):   https://docs.google.com/spreadsheets/d/1pBm6DRQAD-EWmRW5VG-RxJtKRE_mRm2UIXJ8Z6k0Beg
  Last Updated: 2023-10-15 23:19:33 UTC
Description: The fiscal year of the data file obtained from the AOUSC
Format: YYYY

Description: The code of the federal judicial circuit where the case was located
Format: A2

Description: The code of the federal judicial district where the case was located
Format: A2

Description: The code of the district office where the case was located
Format: A2

Description: Docket number assigned by the district to the case
Format: A7

Description: A unique number assigned to each defendant in a case which cannot be modified by the court
Format: A3

Description: A unique number assigned to each defendant in a case which can be modified by the court
Format: A3

Description: A sequential number indicating whether a case is an original proceeding or a reopen
Format: N5

Description: Case type associated with the current defendant record
Format: A2

Description: Case type associated with a magistrate case if the current case was merged from a magistrate case
Format: A2

Description: A concatenation of district, office, docket number, case type, defendant number, and reopen sequence number
Format: A18

Description: A concatenation of district, office, docket number, case type, and reopen sequence number
Format: A15

Description: The docket number originally given to a case assigned to a magistrate judge and subsequently merged into a criminal case
Format: A7

Description: A unique number assigned to each defendant in a magistrate case
Format: A3

Description: The status of the defendant as assigned by the AOUSC
Format: A2

Description: A code indicating the fugitive status of a defendant
Format: A1

Description: The date upon which a defendant became a fugitive
Format: YYYYMMDD

Description: The date upon which a fugitive defendant was taken into custody
Format: YYYYMMDD

Description: The date when a case was first docketed in the district court
Format: YYYYMMDD

Description: The date upon which proceedings in a case commenced on charges pending in the district court where the defendant appeared, or the date of the defendant’s felony-waiver of indictment
Format: YYYYMMDD

Description: A code used to identify the nature of the proceeding
Format: N2

Description: The date when a defendant first appeared before a judicial officer in the district court where a charge was pending
Format: YYYYMMDD

Description: A code indicating the event by which a defendant appeared before a judicial officer in the district court where a charge was pending
Format: A2

Description: A code indicating the type of legal counsel assigned to a defendant
Format: N2

Description: The title and section of the U.S. Code applicable to the offense committed which carried the highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE1
Format: N2

Description: The four digit AO offense code associated with FTITLE1
Format: A4

Description: The four digit D2 offense code associated with FTITLE1
Format: A4

Description: A code indicating the severity associated with FTITLE1
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the second highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE2
Format: N2

Description: The four digit AO offense code associated with FTITLE2
Format: A4

Description: The four digit D2 offense code associated with FTITLE2
Format: A4

Description: A code indicating the severity associated with FTITLE2
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the third highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE3
Format: N2

Description: The four digit AO offense code associated with FTITLE3
Format: A4

Description: The four digit D2 offense code associated with FTITLE3
Format: A4

Description: A code indicating the severity associated with FTITLE3
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the fourth highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE4
Format: N2

Description: The four digit AO offense code associated with FTITLE4
Format: A4

Description: The four digit D2 offense code associated with FTITLE4
Format: A4

Description: A code indicating the severity associated with FTITLE4
Format: A3

Description: The title and section of the U.S. Code applicable to the offense committed which carried the fifth highest severity
Format: A20

Description: A code indicating the level of offense associated with FTITLE5
Format: N2

Description: The four digit AO offense code associated with FTITLE5
Format: A4

Description: The four digit D2 offense code associated with FTITLE5
Format: A4

Description: A code indicating the severity associated with FTITLE5
Format: A3

Description: The FIPS code used to indicate the county or parish where an offense was committed
Format: A5

Description: The date of the last action taken on the record
Format: YYYYMMDD

Description: The date upon which judicial proceedings before the court concluded
Format: YYYYMMDD

Description: The date upon which the final sentence is recorded on the docket
Format: YYYYMMDD

Description: The date upon which the case was closed
Format: YYYYMMDD

Description: The total fine imposed at sentencing for all offenses of which the defendant was convicted and a fine was imposed
Format: N8

Description: A count of defendants filed including inter-district transfers
Format: N1

Description: A count of defendants filed excluding inter-district transfers
Format: N1

Description: A count of original proceedings commenced
Format: N1

Description: A count of defendants filed whose proceedings commenced by reopen, remand, appeal, or retrial
Format: N1

Description: A count of defendants terminated including interdistrict transfers
Format: N1

Description: A count of defendants terminated excluding interdistrict transfers
Format: N1

Description: A count of original proceedings terminated
Format: N1

Description: A count of defendants terminated whose proceedings commenced by reopen, remand, appeal, or retrial
Format: N1

Description: A count of defendants pending as of the last day of the period including long term fugitives
Format: N1

Description: A count of defendants pending as of the last day of the period excluding long term fugitives
Format: N1

Description: The source from which the data were loaded into the AOUSC’s NewSTATS database
Format: A10

Description: A sequential number indicating the iteration of the defendant record
Format: N2

Description: The date the record was loaded into the AOUSC’s NewSTATS database
Format: YYYYMMDD

Description: Statistical year ID label on data file obtained from the AOUSC which represents termination year
Format: YYYY

Data imported from FJC Integrated Database
F U C K I N G P E D O S R E E E E E E E E E E E E E E E E E E E E