Attacks/Breaches
12/21/2011
03:14 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

U.S. Chamber Of Commerce Hit By Chinese Cyberspies

Targeted attack against the nation's business lobbying organization zeroed in on Asian policy intelligence, according to The Wall Street Journal

The latest casualty in China's alleged cyberespionage campaign against U.S. interests? The U.S. Chamber of Commerce.

Information on the Chamber's 3 million members representing most of the top companies in the U.S. was potentially exposed in a targeted attack that might have been in operation for more than a year and was eventually halted by the Chamber in May 2010, according to a report today inThe Wall Street Journal.

The Chamber poses an attractive target for spies with its corporate membership representing U.S. business interests, so it's no surprise it would be in the bull's eye of so-called advanced persistent threat (APT) actors, security experts say.

"It doesn't surprise me at all," says Jeff Schmidt, founder and CEO of JAS Global Advisors. "It's an amalgamation of American businesses: What better place [for these attackers] to go than the U.S. Chamber?"

What was most striking about this attack was evidence that the perpetrators specifically went after four employees of the lobbying organization who work on Asia policy, pilfering six weeks' worth of their emails. The six-month long campaign involved some 300 IP addresses and compromised email of close to 50 members, who were told about the breach. Among the information exposed in the emails were trade policy documents, meeting notes, trip reports, schedules, and the names of members who are in contact with the Chamber, according to the article.

The Chamber's Asian group, among other things, helps U.S. businesses conduct business in China and Hong Kong. "That would be incredibly valuable information from a strategic perspective," says Anthony Bargar, executive vice president of cybersecurity solutions for Foreground Security. "It's not only what data was stolen [here], but we should not discount what [may have been] manipulated to steer companies into China."

And it's unclear whether the attackers were truly government agents or possibly Chinese businesses going after potential competitors, he says.

The FBI reportedly informed the Chamber that servers based in China were stealing data from the organization, and U.S. officials say the attacks were waged by a group with ties to the Chinese government. The attackers might have been inside the network for more than a year, according to the report. Chinese officials denied any wrongdoing, stating that cyberattacks are illegal in China and that its country is a victim of such attacks.

[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]

Given the number of potential victims affected by the Chamber hack, what was surprising was that word of the attack didn't leak publicly until now, experts say. APT-type attacks such as this one are characteristically stealthy and unrelenting, often going on for long periods of time before the victims discover them, if at all.

The Chamber's attackers appear to have infiltrated its network starting at the latest in November 2009, according to the report. Like a typical APT, they took pains to hide their tracks and set up multiple backdoors with which to come and go and regularly siphon information to their computers in China. The attack was shut down after the Chamber shut down and destroyed some of its computers and then did a major security makeover.

David Chavern, chief operating officer of the Chamber, told The Journal that the attack appeared to be highly sophisticated. "What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," he said. Even so, the Chamber says there has been no sign of any fallout or damage to the lobbying organization or its membership.

Joe Gottlieb, president and CEO of Sensage, says the attack demonstrates how these types of attackers are becoming more sophisticated. "This attack demonstrated a new level of sophistication in numerous dimensions. The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest." Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio