Attacks/Breaches
12/21/2011
03:14 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

U.S. Chamber Of Commerce Hit By Chinese Cyberspies

Targeted attack against the nation's business lobbying organization zeroed in on Asian policy intelligence, according to The Wall Street Journal

The latest casualty in China's alleged cyberespionage campaign against U.S. interests? The U.S. Chamber of Commerce.

Information on the Chamber's 3 million members representing most of the top companies in the U.S. was potentially exposed in a targeted attack that might have been in operation for more than a year and was eventually halted by the Chamber in May 2010, according to a report today inThe Wall Street Journal.

The Chamber poses an attractive target for spies with its corporate membership representing U.S. business interests, so it's no surprise it would be in the bull's eye of so-called advanced persistent threat (APT) actors, security experts say.

"It doesn't surprise me at all," says Jeff Schmidt, founder and CEO of JAS Global Advisors. "It's an amalgamation of American businesses: What better place [for these attackers] to go than the U.S. Chamber?"

What was most striking about this attack was evidence that the perpetrators specifically went after four employees of the lobbying organization who work on Asia policy, pilfering six weeks' worth of their emails. The six-month long campaign involved some 300 IP addresses and compromised email of close to 50 members, who were told about the breach. Among the information exposed in the emails were trade policy documents, meeting notes, trip reports, schedules, and the names of members who are in contact with the Chamber, according to the article.

The Chamber's Asian group, among other things, helps U.S. businesses conduct business in China and Hong Kong. "That would be incredibly valuable information from a strategic perspective," says Anthony Bargar, executive vice president of cybersecurity solutions for Foreground Security. "It's not only what data was stolen [here], but we should not discount what [may have been] manipulated to steer companies into China."

And it's unclear whether the attackers were truly government agents or possibly Chinese businesses going after potential competitors, he says.

The FBI reportedly informed the Chamber that servers based in China were stealing data from the organization, and U.S. officials say the attacks were waged by a group with ties to the Chinese government. The attackers might have been inside the network for more than a year, according to the report. Chinese officials denied any wrongdoing, stating that cyberattacks are illegal in China and that its country is a victim of such attacks.

[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]

Given the number of potential victims affected by the Chamber hack, what was surprising was that word of the attack didn't leak publicly until now, experts say. APT-type attacks such as this one are characteristically stealthy and unrelenting, often going on for long periods of time before the victims discover them, if at all.

The Chamber's attackers appear to have infiltrated its network starting at the latest in November 2009, according to the report. Like a typical APT, they took pains to hide their tracks and set up multiple backdoors with which to come and go and regularly siphon information to their computers in China. The attack was shut down after the Chamber shut down and destroyed some of its computers and then did a major security makeover.

David Chavern, chief operating officer of the Chamber, told The Journal that the attack appeared to be highly sophisticated. "What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," he said. Even so, the Chamber says there has been no sign of any fallout or damage to the lobbying organization or its membership.

Joe Gottlieb, president and CEO of Sensage, says the attack demonstrates how these types of attackers are becoming more sophisticated. "This attack demonstrated a new level of sophistication in numerous dimensions. The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest." Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.