Moonlighting in China with GE’s Intellectual Property

There seems to be a never-ending supply of stories about insiders who believe their company’s intellectual property is also their intellectual property. This month, we see Xiaoqing Zheng, a 56-year-old naturalized U.S. citizen originally from China, who was arrested for the theft of the intellectual property of his employer, General Electric (GE). Often, when intellectual property is stolen, the ultimate end user isn’t firmly identified. Not this time: Zheng had a variety of business entities in China with which he was personally involved and to which he was funneling GE’s information.

Zheng’s actions remind me of the adage most often associated with marriage: “What’s mine is mine and what’s yours is mine.”

Zheng’s LinkedIn profile tells us that he received his doctorate in Aero Engines from Northwestern Polytechnical University and an executive certificate in Technology, Operations and Value Chain Management from MIT. The job history in the profile is sparse, listing only GE from 2008 onward, where he is a “Principal Engineer at GE Power & Water.” Does he know his stuff? Apparently so: public endorsements of his knowledge of “gas turbines” came from 15 individuals who were current or past colleagues at GE. China is conspicuously absent from his profile.

Zheng’s Moonlighting

According to the complaint filed by the U.S. Department of Justice, Zheng declared to GE in 2015 that he was involved with his family’s business, Nanjing Tainyi Aeronautical Technology, Ltd., located in Nanjing, China. Zheng told GE that he and his brothers were owners of the company. GE did an internal review to determine conflict of interest at that time and found three areas of concern:

  1. The company could sell parts to GE.
  2. The company could sell parts to GE’s competitors.
  3. Zheng’s time spent focused on his family’s business would take away from his GE engagement.

The complaint noted that GE investigated further and determined that Zheng’s participation was not passive and, indeed, he was leading his China-based company’s research into “seal technology.” That said, GE did not ask Zheng to make any adjustments with respect to his engagement with GE.

Zheng was now moonlighting with GE’s knowledge and tacit approval.

What he may have omitted in his discussions with GE was his involvement with two other Chinese aviation technology companies and that he had been selected in 2012 (still while employed at GE) for China’s “Thousand Talents Program,” a Chinese government program specifically created to bring highly educated researchers to China.

What Intellectual Property Did Zheng Steal from GE?

In 2014, Zheng was identified as having copied 19,020 files from his GE devices to a USB drive. GE interviewed Zheng at the time and was satisfied with his responses and with his attestation that he had destroyed the files.

In the November-December 2017 time frame, Zheng encrypted 400 unidentified files on his GE desktop computer. He used an encryption program called “AxCrypt,” which was not an approved GE application. Following this discovery, GE began monitoring his company-provided devices via monitoring software it had installed.

This surveillance eventually bore fruit, as on July 5, Zheng encrypted about 40 files. With this action, GE now had the encryption key used by Zheng and was able to determine what was contained in the 400 encrypted files.

The files were Excel spreadsheets and MATLAB files, which contained the mathematical computations related to sealing and optimizing turbines.

Exfiltration of the Information from GE

In 2014, Zheng used the tried-and-true method of simply copying files to a USB drive. This was detected by GE’s data loss prevention (DLP) program, but he was able to explain his way out of the situation.

Zheng went to school on this and adjusted the tradecraft he used to effect his intellectual property theft, making detection difficult for GE’s internal infosec team. He kept his activities within his own swim lane: He only purloined information to which he had natural access. Zheng fully exploited the unencumbered access to GE’s trade secrets surrounding turbine technology that both his tenure and his citizenship gave him.

Furthermore, he used steganography to hide the presence of the stolen files when it came time to exfiltrate the information from GE. He then emailed the seemingly innocuous image of a sunset to his personal Hotmail account. According to the DoJ, the process took about 10 minutes for Zheng to execute, indicating it may not have been the first time Zheng had copied, encrypted and then hidden files using steganography to exfiltrate info from GE to himself for use in China.
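The sequence described above (an unapproved encryption tool run on the endpoint, then an image mailed to a personal webmail account minutes later) can be correlated from endpoint and mail-gateway telemetry even when the image content itself looks clean. The following is an added example, not GE's tooling or anything from the complaint; the event schema, tool and domain lists, process names, and the 30-minute window are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# All names, lists and thresholds below are assumptions for illustration.
APPROVED_CRYPTO = {"bitlocker.exe"}                    # hypothetical allowlist
CRYPTO_TOOLS = {"axcrypt.exe", "gpg.exe", "bitlocker.exe"}
PERSONAL_MAIL = {"hotmail.com", "outlook.com", "gmail.com"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".bmp", ".gif")
WINDOW = timedelta(minutes=30)                         # assumed correlation window

# Constructed sample telemetry (endpoint process events + mail gateway events).
EVENTS = [
    {"ts": "2024-01-10T10:00:00", "user": "u1001", "type": "process", "image": "AxCrypt.exe"},
    {"ts": "2024-01-10T10:08:00", "user": "u1001", "type": "mail_out",
     "rcpt": "someone@hotmail.com", "attachments": ["sunset.jpg"]},
    {"ts": "2024-01-10T11:00:00", "user": "u1002", "type": "mail_out",
     "rcpt": "friend@gmail.com", "attachments": ["team.png"]},        # no crypto tool run
    {"ts": "2024-01-10T11:30:00", "user": "u1003", "type": "process", "image": "bitlocker.exe"},
    {"ts": "2024-01-10T11:35:00", "user": "u1003", "type": "mail_out",
     "rcpt": "me@outlook.com", "attachments": ["chart.jpg"]},         # approved tool
    {"ts": "2024-01-10T08:00:00", "user": "u1004", "type": "process", "image": "gpg.exe"},
    {"ts": "2024-01-10T12:00:00", "user": "u1004", "type": "mail_out",
     "rcpt": "me@hotmail.com", "attachments": ["dog.gif"]},           # outside window
]

def correlate(events, window=WINDOW):
    """Alert when an image goes to personal webmail soon after an unapproved crypto tool ran."""
    alerts, last_crypto = [], {}       # last_crypto: user -> (time, tool)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "process":
            exe = ev["image"].lower()
            if exe in CRYPTO_TOOLS and exe not in APPROVED_CRYPTO:
                last_crypto[user] = (ts, exe)
        elif ev["type"] == "mail_out" and user in last_crypto:
            seen, tool = last_crypto[user]
            domain = ev["rcpt"].rsplit("@", 1)[-1].lower()
            images = [a for a in ev["attachments"] if a.lower().endswith(IMAGE_EXT)]
            if domain in PERSONAL_MAIL and images and ts - seen <= window:
                alerts.append({"user": user, "tool": tool, "rcpt_domain": domain,
                               "attachments": images,
                               "gap_min": int((ts - seen).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule never inspects the image, so it still fires when the steganographic carrier is indistinguishable from an ordinary photo; the signal is the user's behavior around it.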

During the FBI’s July 5 interview of Zheng, he admitted to having used steganography on “five or 10 occasions” to exfiltrate information from GE. He also noted that his moonlighting engagements in China involve the same technological research he is involved in at GE, and that his companies in China have received funding from the government of the People’s Republic of China.

Whether Zheng is an enterprising individual or working at the behest of the Chinese government has not yet been determined. For now, Zheng’s passport has been seized and he has been released with an ankle monitor after posting $100,000 bail. His movement is confined to his home or those locations approved by the court within the Northern District of New York.

Christopher Burgess


Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
