Hackers Stole Emails From Employees in Chamber of Commerce Breach

Dec 21, 2011

The U.S. Chamber of Commerce was breached a year ago by Chinese hackers targeting four employees working on Asia-related policy.

The hackers may have had access to the lobbying organization’s network for more than a year before they were blocked and removed in May 2010, two unidentified sources told The Wall Street Journal Dec. 21. A Chamber of Commerce spokesperson confirmed the incident and told eWEEK that the scope of the attack was limited.

It appears the attackers infiltrated at least 300 Internet addresses, stole six weeks of email correspondence from four employees who were focused on Asian policy, and had access to all the information the Chamber of Commerce has on its 3 million members. It is not known whether the attackers actually viewed the member information, according to The Wall Street Journal report.

“What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence,” David Chavern, the Chamber of Commerce’s COO, told The Journal.

The emails were stolen from four employees who focused on Asian policy and contained information such as trade policy documents, trip reports and schedules.

The FBI discovered the breach, and the agency notified the Chamber of Commerce that information was being stolen. The organization unplugged and destroyed several of the compromised computers before quietly overhauling its entire network to implement sophisticated detection equipment that would be able to isolate future attacks quickly.

“The fact that the Chamber of Commerce had to be alerted by the FBI that data from their network was heading out to servers in China shows they did not have the appropriate endpoint-monitoring capabilities and log management technology in place to see who was accessing their data and where it was going,” David Pack, manager of LogRhythm Labs, told eWEEK.

It appears that the attackers had built at least a half-dozen backdoors to be able to enter the network quietly, sources told The Journal. The compromised computers also quietly communicated with computers based in China every week or so, The Journal reported.

Modern IT infrastructure can be very “porous” and it’s difficult for security teams to “understand it all,” Mike Lloyd, CTO of RedSeal Networks, told eWEEK. The Journal report highlighted “significant out-bound holes” as it appears the infiltrators were able to “exfiltrate” the data they found, Lloyd said. Most organizations build some defenses against in-bound attacks, but very few effectively know how to control out-bound traffic, he said.

Organizations need to have technology and policies in place to detect outbound network traffic, detect data leakage and use the right forensics to lock down problems, according to Pack.

Sources told The Journal that at least one of the perpetrators in the group is suspected of having ties to the Chinese government in Beijing. The Chinese Embassy in Washington told The Journal that the allegations were “irresponsible.”

There has been a lot of discussion recently in security circles about cyber-war, but this kind of incident against American organizations is a form of “silent global economic cold war” that has already been occurring for some time, Anup Ghosh, founder and CEO of Invincea, told eWEEK. Key research and intellectual property are being “systematically hoovered” by China, Ghosh said, adding that nations such as China are “amassing trade secrets to build their own economies on the back of our stolen innovation.”

“These events are becoming a lot like car alarms, common to the point that they simply annoy and are ignored, yet it continues to be an issue that we as a nation ignore at our own peril,” Ghosh said.

It is possible that the evidence is circumstantial and China may not be involved, Andrew Storms, director of security operations at nCircle, told eWEEK. “There sure is a lot of circumstantial evidence piling up, though,” he said.

In October, there were reports that Chinese agents had breached and taken control of U.S. government satellites on four occasions between 2007 and 2008. There was no proof to tie the Chinese government to these incidents, but what happened was “consistent” with known cyber-war techniques the Chinese have used, according to a congressional report.
