Chinese malware broker behind US hacks is now teaching computer skills in China

The malware Yu Pingan provided in the conspiracy included a rare software tool called Sakula that granted hackers remote control over computers. PHOTO: REUTERS

SHANGHAI (REUTERS) - A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on Internet security.

Mr Yu Pingan, who spent 18 months in a San Diego federal detention centre, had pleaded guilty to conspiracy to commit computer hacking.

The high school instructor was arrested at Los Angeles International Airport in August 2017 upon arriving with a group of teachers to observe a US university.

A Reuters reporter found him teaching at his old school in Shanghai last month.

Mr Yu was sentenced by a federal judge in February to time served and allowed to return to China.

Victims of the hacking conspiracy included microchip supplier Qualcomm Inc, aerospace and defence firm Pacific Scientific Energetic Materials Co, and gaming company Riot Games, according to the judgment. Exactly what was stolen in the computer breaches was not disclosed in public court filings.

A Riot Games spokesman said the company lost no data.

Mr Yu specialises in computer network security and programming, according to court records. The malware he provided in the conspiracy included a rare software tool called Sakula that granted hackers remote control over computers. It is unclear who authored the malware or how Mr Yu obtained it.

Sakula has been linked to some of the most notorious cyber attacks of the decade.

In addition to the intrusions detailed in the case against Mr Yu, these include hacks of US health insurer Anthem Inc, where millions of patient records were exposed, and the US Office of Personnel Management, in which the personal information of millions of current and former US government employees and contractors was compromised. Mr Yu was not accused of involvement in those two breaches.

His prosecution was one of a series of criminal cases Washington has brought against Chinese nationals in recent years, in response to what the Americans say is a concerted campaign by China's military and security ministry to steal technology from Western companies.

In another case involving Sakula malware, the US last year alleged that two Chinese intelligence officers and a team of recruited hackers repeatedly intruded into Western companies' computer systems for more than five years.

Many of the Chinese defendants in the series of hacking cases have not been apprehended. Mr Yu is one of the few alleged Chinese hackers to have been arrested and convicted in the US crackdown.

In addition to jail time, Mr Yu was ordered to pay nearly US$1.1 million (S$1.5 million) in restitution to five companies that were victims of the hacking. The fine was to be paid in installments of US$100 a month, with no interest, according to the judgment. The payment schedule would take more than 900 years to complete.

Mr Jeremy Warren, a San Diego criminal defence attorney who represented Mr Yu, said: "With a Chinese national, a school teacher, there's no real expectation of payment."

Mr Yu's 18 months in federal prison, he said, was no "walk in the park".


China's Ministry of Foreign Affairs said it had "no understanding" of the Yu case.

"We resolutely oppose any type of cyber attack, and we investigate and crack down on any cyber attack occurring inside China or making use of Chinese Internet infrastructure", the ministry spokesman's office said.

The ministry added that it had no knowledge of other cases alleging Chinese hacking of US companies, and it accused Washington of displaying a "Cold War mentality" in its tech-related prosecutions.

Mr Yu, according to court filings by US prosecutors, went by the nickname "Goldsun". He was accused of conspiring with other Chinese individuals to use malware to hack into the computer networks of companies in the US and elsewhere.

An affidavit from Federal Bureau of Investigation Special Agent Adam James alleged that Mr Yu provided Sakula and other malware used in the case. Citing seized communications between Mr Yu and two unindicted co-conspirators, Mr James alleged that Mr Yu had installed "an unauthorised backdoor" on an unidentified company's computer network to gain remote access.

The conspirators' cyber intrusions included so-called "watering hole attacks", in which malicious software infects the computers of visitors to compromised websites.

"This is akin to a predator waiting to ambush prey at the location the prey goes to drink water," a court document stated.


Last month, Reuters found Mr Yu, who is 39, teaching at Shanghai Commercial School, a state-run vocational technical high school in central Shanghai.

US officials told Reuters that Mr Yu had been teaching there prior to his arrest.

Digital signs outside classrooms indicated he was teaching at least two basic computer courses, including one called "Basic English for Internet Security".

One of his former students, a computer science major who is now in China's military, said he could not answer questions about Mr Yu because of "political reasons" and that the school had instructed him not to discuss the matter.

On Nov 1, a Reuters reporter saw Mr Yu at an office on the school's campus. Dressed in a red and blue plaid Oxford shirt, he declined to answer questions. He called a school official, who arrived with a security guard and escorted the reporter off the campus.

The school official called Mr Yu's situation a private matter. "It's his own experience, and it has nothing to do with the school," she said.

Join ST's Telegram channel and get the latest breaking news delivered to you.