A naturalized US citizen who was working as a tour guide in San Francisco has been sentenced to four years in prison for being a Chinese spy.
Last Tuesday, 56-year-old Xuehua (Edward) Peng, also known as Edward Peng, was sentenced in US District Court in San Francisco and ordered to pay a $30,000 fine for acting as an agent of the People’s Republic of China’s Ministry of State Security (MSS).
The MSS instructed an agent – a double agent working for the FBI, as it turns out – to dead-drop SD cards full of classified data at various hotels. (“Dead drop” is spy-speak for techniques to pass information or items between two individuals using a secret location, so they never meet, to thereby keep the lid on the operation.)
What classified information was on those cards, and from what government agency, private business or government contractor was it copied? The US isn’t saying.
According to the criminal complaint, Peng’s undoing started in March 2015, when the FBI planted its double agent in the MSS. The double agent met with MSS intelligence officers and handed over classified information relating to US national security, for which he was paid.
At one point, the spy bosses told the double agent that they had a new way to pass classified information: on an SD card, stuck in a book, wrapped in a bag addressed to “Ed”, and left at the front desk of a hotel in Newark, California.
Ed’s reliable, he’s got family in China, and he’s had business dealings in China, the MSS agents told the FBI mole.
Peng pleaded guilty in November 2019. According to his plea agreement, Peng, who lives in Hayward, California, admitted that in March 2015, a Chinese official introduced himself while Peng was on a business trip to China. The official – whom Peng eventually figured out was working for the MSS – asked Peng to use his citizenship in the US to assist the official with “matters of interest” to the PRC.
After that, Peng admitted, he got paid at least $30,000 for running data over to China over the course of about 3.5 years.
This is how the dead drops went down, according to the complaint:
On October 24, 2015, Peng goes to the hotel [in Newark, California] and retrieves a package that was left for him there. The package contains a secure digital (SD) memory card. The next day, Peng drives to San Francisco International Airport and flies directly to Beijing, China. In Beijing, Peng meets with agents of the Ministry of State Security (MSS), including the People’s Republic of China (PRC) official with whom Peng had been communicating, and delivers the SD card to MSS.
A PRC official uses coded language to tell Peng that another dead drop will occur on April 23, 2016. The official directs Peng to book a hotel room where he will conduct the exchange. The PRC official directed Peng to leave $20,000 cash in the hotel room and that Peng be will be reimbursed for the payment. The PRC official instructs Peng to return to the PRC on April 24, and to fly directly to Beijing, Shanghai, or Guangdong. Peng is informed that the PRC official with whom he is communicating would meet Peng when he landed.
Peng complied with the instructions. On April 23, 2016, Peng drives to an Oakland hotel, reserves a room, and leaves a key to the room at the front desk. Peng leaves $20,000 concealed on the underside of a dresser in the room. Hours later, Peng returns, observes that the money had been retrieved and determines that a cigarette pack with an SD card inside of it has been left for him in place of the money. Peng travels on a direct flight from San Francisco to Beijing the next day where he meets with agents of the MSS, including the PRC official.
Between June 2015 and July 2018, Pen pulled off six dead drops at hotels in California and Georgia. He was on his way to pull off a seventh dead drop when he was busted at his home on 27 September 2019.
According to the FBI, Peng first came to the US on a temporary business visitor visa before he petitioned to be a non-immigrant worker in June 2001. After he married, he became a lawful permanent resident in February 2006 and was naturalized in September 2012.
According to his immigration file, Peng has a degree in mechanical engineering and is trained in traditional Chinese medicine. I don’t know how much tour guides or traditional Chinese medicine practitioners make in San Francisco, but Peng, apparently, wasn’t doing bad.
At least, that’s what one might surmise from the FBI’s telling of the investigation: after agents traced the cars used to pick up the SD card packages, they found a Lexus, a Fiat and a Mercedes parked at Peng’s house and registered to him and/or his wife.
Crime sure does pay. Well, at least in the short term. In the long term, the US promises that it’s determined to thwart the Chinese government’s “multi-faceted espionage efforts”. Peng’s conviction serves as a warning to other potential spies that “we will find you and ensure you are punished,” in the words of Assistant Attorney General for National Security John C. Demers.
Here’s Attorney David L. Anderson:
Today Xuehua Peng suffers the consequences of acting in the United States at the direction of a foreign government. This day of reckoning comes from Peng’s decision to execute dead drops, deliver payments, and personally carry to Beijing, China, secure digital cards containing classified information related to the national security of the United States. Peng will now spend years in prison for compromising the security of the United States.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-B205f_8nM4/
Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Security Lessons We’ve Learned (So Far) from COVID-19.“
Check out 
