Ltd, known as Boyusec, located in Guangzhou, Guangdong Province, China.
Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.
Security firm CrowdStrike, which refers to the alleged hacking ring as Gothic Panda, says it's seen a rise in activity associated with the group since 2016. According to Reuters, the company, also known as Boyusec, is affiliated with China's People's Liberation Army Unit 61398 and that most, if not all of its hacking operations are state-sponsored and directed. "Their previous targeting includes industries such as Aerospace, Defense, Energy, Technology, NGOs, etc., that are primarily aligned with China's economic objectives".
The three defendants are believed to be in China and aren't in United States custody, a Justice Department spokesman was quoted as saying. If the attack was successful, attackers would gain long-term, backdoor access to victims' PC, according to the indictment.
In 2015 and 2016, the alleged hackers also stole information from Siemens's energy, technology and transportation businesses and from the networks of Global Positioning System developer Trimble Inc., the indictment said.
Dong hacked into Siemens computers and stole usernames and passwords and planted malware that helped steal some 407 gigabytes of data on the company's energy technology and transportation businesses.More news: How worried should Trump be about Michael Flynn?
More news: The most adorable revelations from Prince Harry and Meghan Markle's first interview
More news: Pelosi: Conyers deserves 'due process' on misconduct charges
Wu is accused of exfiltrating a 252-megabyte zip file that contained technical, design and marketing documents related to the GNSS project. It says no client data was breached.
Officials with Moody's Analytics, which specializes in evaluating risk, didn't immediately respond to a request for comment about the indictment.
The most recent hacking took place between 2011 and May 2017 and involved the use of fraudulent emails and a malware called UPS Backdoor, the Justice Department said.
Between 2013 and 2014, the hackers also "accessed the internal email server of Moody's Analytics and placed a forwarding rule in the email account of a prominent employee".
Christopher Glyer, chief security architect at cybersecurity firm FireEye, says that unlike some APT attackers who focus on attack quantity and simply being "good enough", APT 3 differentiated itself by the quality of the attacks it launched.