Information on the Chamber's 3 million members representing most of the top companies in the U.S. was potentially exposed in a targeted attack that might have been in operation for more than a year and was eventually halted by the Chamber in May 2010, according to a report today inThe Wall Street Journal.
The Chamber poses an attractive target for spies with its corporate membership representing U.S. business interests, so it's no surprise it would be in the bull's eye of so-called advanced persistent threat (APT) actors, security experts say.
"It doesn't surprise me at all," says Jeff Schmidt, founder and CEO of JAS Global Advisors. "It's an amalgamation of American businesses: What better place [for these attackers] to go than the U.S. Chamber?"
What was most striking about this attack was evidence that the perpetrators specifically went after four employees of the lobbying organization who work on Asia policy, pilfering six weeks' worth of their emails. The six-month long campaign involved some 300 IP addresses and compromised email of close to 50 members, who were told about the breach. Among the information exposed in the emails were trade policy documents, meeting notes, trip reports, schedules, and the names of members who are in contact with the Chamber, according to the article.
The Chamber's Asian group, among other things, helps U.S. businesses conduct business in China and Hong Kong. "That would be incredibly valuable information from a strategic perspective," says Anthony Bargar, executive vice president of cybersecurity solutions for Foreground Security. "It's not only what data was stolen [here], but we should not discount what [may have been] manipulated to steer companies into China."
And it's unclear whether the attackers were truly government agents or possibly Chinese businesses going after potential competitors, he says.
The FBI reportedly informed the Chamber that servers based in China were stealing data from the organization, and U.S. officials say the attacks were waged by a group with ties to the Chinese government. The attackers might have been inside the network for more than a year, according to the report. Chinese officials denied any wrongdoing, stating that cyberattacks are illegal in China and that its country is a victim of such attacks.
[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]
Given the number of potential victims affected by the Chamber hack, what was surprising was that word of the attack didn't leak publicly until now, experts say. APT-type attacks such as this one are characteristically stealthy and unrelenting, often going on for long periods of time before the victims discover them, if at all.
The Chamber's attackers appear to have infiltrated its network starting at the latest in November 2009, according to the report. Like a typical APT, they took pains to hide their tracks and set up multiple backdoors with which to come and go and regularly siphon information to their computers in China. The attack was shut down after the Chamber shut down and destroyed some of its computers and then did a major security makeover.
David Chavern, chief operating officer of the Chamber, told The Journal that the attack appeared to be highly sophisticated. "What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," he said. Even so, the Chamber says there has been no sign of any fallout or damage to the lobbying organization or its membership.
Joe Gottlieb, president and CEO of Sensage, says the attack demonstrates how these types of attackers are becoming more sophisticated. "This attack demonstrated a new level of sophistication in numerous dimensions. The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest." Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.