Chamber Raid: Hackers Target US Commerce Lobby
Dec 27, 2011 8:54 AM PT
As the U.S. government continues to pound out proposals for getting its IT security ducks in a row, it appears it's not the only party in Washington, D.C., to have a problem with network intrusion.
IT systems belonging to the lobbying group the United States Chamber of Commerce were breached by hackers using servers located in China, according to The Wall Street Journal.
The Chamber reportedly learned of the break-in only when it was informed by the U.S. Federal Bureau of Investigation. China's government has denied accusations that it was behind the hack.
The Chamber's members include most of the largest U.S. corporations, and the organization has more than 100 affiliates worldwide.
"We are already involved in a cyberwar with China, and we are only reading about a small percentage of the actual attacks that are occurring," Darren Hayes, the CIS program chair at Pace University, told TechNewsWorld.
About the Chamber Breach
Evidence reportedly shows the hackers were in the chamber's networks for at least six months, from November 2009 to May 2010. The breach of the chamber's systems was discovered and shut down in May of 2010, and it's not clear just why the information has leaked out more than 18 months later.
The attack is said to have involved at least 300 Internet addresses. Chamber officials apparently said internal investigators found that the hackers had focused on four employees who worked on Asia policy and had stolen six weeks' worth of their emails.
Some people familiar with the Chamber's internal investigation apparently believe that the hackers are suspected by U.S. officials of having ties to the Chinese government.
However, security experts have repeatedly said that suspecting a government of being behind cyberattacks because servers are located in its territory may be misleading, as cybercriminals often set up servers abroad to avoid detection, and it's easy to do so in China.
The Aftermath of the Attack
The Chamber of Commerce reportedly concluded that communications with fewer than 50 of its members were compromised, and it notified them. However, there's apparently been no evidence of harm to the organization or its members.
It's not quite clear what else was stolen, but the intruders used keyword searches to peruse documents in the chamber's servers.
The chamber reportedly found that the hackers had built at least six back doors to let them enter and leave the system as they pleased. They apparently also built in mechanisms that would communicate with computers in China every week or two.
A thermostat at a town house the chamber owns on Capitol Hill was reportedly communicating with an Internet address in China, and, in March, a printer used by chamber executives began printing out pages with Chinese characters.
The Circle of Life
Perhaps the chamber was the author of its own cybersecurity problems. It had circulated an internal draft document in May criticizing the White House's legislative proposals on cybersecurity as regulatory overreach, according to the Journal.
The White House had sent this proposal to Congress.
The main reason for the chamber's opposition was reportedly that the White House plan would require some companies running the most critical infrastructure to submit to more rigorous outside oversight of their cybersecurity practices. This would be costly, and cybersecurity assessments of companies by U.S. government agencies would be made public.
Cybersecurity experts warned at the time that this could sabotage the White House's efforts to beef up cybersecurity.
The Cybersecurity Full Court Life
"The fact that the Chamber ... had to be alerted by the FBI ... shows they did not have the appropriate endpoint monitoring capabilities and log management technology in place to see who was accessing their data and where it was going," Dave Pack, manager of LogRhythm Labs, told TechNewsWorld.
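The two symptoms the report describes, scheduled check-ins to computers in China "every week or two" and building equipment (a thermostat, a printer) talking to outside addresses, are exactly what outbound connection logs make visible when someone looks. The script below is an added example, not code from the Chamber investigation or from LogRhythm; it runs over constructed log lines (host names, asset classes and IP addresses are all invented) and implements two simple checks: flag source/destination pairs whose connection times are near-evenly spaced, and flag any external connection from an asset class that has no business reaching the Internet on its own.

```python
"""Detecting low-frequency beaconing and out-of-role outbound traffic in
connection logs. Added example; the log format and host names are
constructed for illustration and are not from the Chamber investigation."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample records: "timestamp src_host asset_class dst_ip bytes_out".
# ws-asia-01 contacts 203.0.113.10 every 14 days with a tight clock;
# ws-asia-02 contacts 198.51.100.7 at irregular intervals (normal use);
# the thermostat and printer each make a single outbound connection.
SAMPLE_LOG = """\
2010-01-04T03:12:00 ws-asia-01 workstation 203.0.113.10 48210
2010-01-05T09:30:00 ws-asia-01 workstation 198.51.100.7 1200
2010-01-18T03:14:00 ws-asia-01 workstation 203.0.113.10 51000
2010-02-01T03:11:00 ws-asia-01 workstation 203.0.113.10 47900
2010-02-02T11:00:00 ws-asia-02 workstation 198.51.100.7 900
2010-02-03T09:00:00 ws-asia-02 workstation 198.51.100.7 1300
2010-02-15T03:13:00 ws-asia-01 workstation 203.0.113.10 50200
2010-02-20T15:45:00 ws-asia-02 workstation 198.51.100.7 1100
2010-02-21T08:00:00 ws-asia-02 workstation 198.51.100.7 700
2010-03-01T02:00:00 thermostat-townhouse iot 203.0.113.22 300
2010-03-03T02:00:00 printer-exec-floor printer 203.0.113.22 5400
2010-03-03T10:00:00 ws-asia-02 workstation 10.1.5.20 80000
"""

# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Asset classes that should never initiate connections to the Internet (assumed policy).
NO_EGRESS_CLASSES = {"iot", "printer"}


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, asset_class, dst, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "asset_class": asset_class,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def find_periodic_beacons(records, min_hits=4, max_cv=0.2) -> list[dict]:
    """Flag (src, dst) pairs whose connection times are near-evenly spaced.
    A coefficient of variation (stdev / mean of the gaps) below max_cv means
    the gaps are almost identical, which is what a scheduled check-in looks
    like; human-driven traffic has ragged gaps and a high CV."""
    by_pair = defaultdict(list)
    for r in records:
        if is_external(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "hits": len(times),
                "mean_interval_days": round(mean(gaps) / 86400, 2),
                "cv": round(cv, 4),
            })
    return findings


def find_unexpected_talkers(records, classes=NO_EGRESS_CLASSES) -> list[dict]:
    """Flag any external connection from an asset class that should never
    reach the Internet on its own (building controls, printers)."""
    return [
        {"src": r["src"], "asset_class": r["asset_class"], "dst": r["dst"], "ts": r["ts"].isoformat()}
        for r in records
        if r["asset_class"] in classes and is_external(r["dst"])
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_periodic_beacons(recs):
        print("periodic beacon:", f)
    for f in find_unexpected_talkers(recs):
        print("out-of-role egress:", f)
```

On the constructed data the periodicity check reports the single 14-day series from ws-asia-01 and ignores the irregular traffic from ws-asia-02, and the role check reports the thermostat and the printer. The thresholds (four hits, CV of 0.2) are starting points rather than tuned values; on a real network the periodicity check needs months of retained logs to catch a two-week beacon at all, which is the log-retention point Pack is making.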
The chamber reportedly unplugged and destroyed some computers and overhauled its security system over a 36-hour period one weekend, though that amounted to cleaning up after the fact.
"There is no denying that attacks will happen and the bad guys will get inside," Ken Pickering, development manager of security intelligence at Core Networks, told TechNewsWorld. "We advocate that an organization focus first on breach prevention instead of considering detection and isolation to be the only option," Pickering said.