Chinese hackers used mundane ruses to enter US computers, says Justice

The Justice Department says five Chinese military officials stole sensitive trade secrets from Alcoa World Alumina, Westinghouse, Allegheny Technologies, US Steel, United Steelworkers Union, and SolarWorld. China denies it all.

|
Charles Dharapak/AP/File
Attorney General Eric Holder takes questions during a news conference at the Justice Department in Washington, where he announced that a US grand jury has charged five Chinese hackers with economic espionage and trade secret theft.

The victims were their own worst enemies.

The hacking techniques the US government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking website links.

The scariest part might be how successfully the ruses worked. With a mouse click or two, employees at big-name American makers of nuclear and solar technology gave away the keys to their computer networks.

In a 31-count indictment announced on Monday the Justice Department said five Chinese military officials operating under hacker aliases such as "Ugly Gorilla," ''KandyGoo" and "Jack Sun" stole confidential business information, sensitive trade secrets, and internal communications for competitive advantage. The US identified the alleged victims as Alcoa World Alumina, Westinghouse, Allegheny Technologies, US Steel, United Steelworkers Union, and SolarWorld.

China denied it all on Tuesday.

"The Chinese government and Chinese military as well as relevant personnel have never engaged and never participated in so-called cybertheft of trade secrets," Foreign Ministry spokesman Hong Lei said in Beijing. "What the United States should do now is withdraw its indictment."

That's unlikely. What the Justice Department is doing is spelling out exactly how it says China pulled it off.

The US says the break-ins were more Austin Powers than James Bond. In some cases, the government says, the hackers used "spear-phishing" — a well-known scam to trick specific companies or employees into infecting their own computers.

The hackers are said to have created a fake email account under the misspelled name of a then-Alcoa director and fooled an employee into opening an email attachment called "agenda.zip," billed as the agenda to a 2008 shareholders' meeting. It exposed the company's network. At another time, a hacker allegedly emailed company employees with a link to what appeared to be a report about industry observations, but the link instead installed malicious software that created a back door into the company's network.

"We are so used to solving problems by clicking an email link, looking at the information and forwarding it on," said Chris Wysopal, a computer security expert and chief technology officer of the software-security firm Veracode. "And if hackers know about you and your company, they can create really realistic-looking messages."

And use of the rudimentary efforts the Justice Department described doesn't mean foreign governments and others won't use more sophisticated and harder-to-detect techniques, said Joshua Corman, the chief technology officer for Sonatype, which helps businesses make their software development secure. Determined hackers escalate their attacks when necessary, he said, but in the cases cited in the federal indictment announced Monday, they didn't have to escalate very far.

Corman noted that the US has much higher investments in research and intellectual property, making America's risk of loss in such thefts disproportionately higher than China's.

Other security layers failed in the hackings blamed on China, too. More-effective antivirus or security software could have blocked the malicious attachments or prevented users from visiting risky web links. Back-end server filters could have prevented dangerous emails from reaching employees. Intrusion-detection systems on corporate networks could have more quickly raised red flags internally after a successful break-in.

"The problem is the technology hasn't advanced enough to detect malicious code," said Kevin Mitnick, the famous hacker who now works as a corporate security consultant. Tricking someone to let you into the system is far easier than identifying hidden vulnerabilities that can be exploited.

Even worse: Employees, by their nature, are socially conditioned to want to open and respond to an email that purports to be from the boss — never mind that the message may actually be a trick.

"If you start with an incorrect assumption that every email that comes in is a real email," said Hossein Eslambolchi, chief executive at security company CyberFlow Analytics, "you're putting yourself and your corporation at a major risk."

Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Chinese hackers used mundane ruses to enter US computers, says Justice
Read this article in
https://www.csmonitor.com/USA/Latest-News-Wires/2014/0520/Chinese-hackers-used-mundane-ruses-to-enter-US-computers-says-Justice
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe