BreachExchange mailing list archives

Hackers Stole Emails From Employees in Chamber of Commerce Breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 27 Dec 2011 14:44:52 -0500

http://www.eweek.com/c/a/Security/Hackers-Stole-Emails-From-Employees-in-Chamber-of-Commerce-Breach-744336/

A group of hackers with some connection to the Chinese government
breached the Chamber of Commerce and targeted four employees working
on Asian policy.

The U.S. Chamber of Commerce was breached a year ago by Chinese
hackers targeting four employees working on Asia-related policy.

The hackers may have had access to the lobbying organization's network
for more than a year before they were blocked and removed in May 2010,
two unidentified sources told The Wall Street Journal Dec. 21. A
Chamber of Commerce spokesperson confirmed the incident and told eWEEK
that the scope of the attack was limited.

It appears the attackers infiltrated at least 300 Internet addresses,
stole six weeks of email correspondence from four employees who were
focused on Asian policy, and had access to all the information the
Chamber of Commerce has on its 3 million members. It is not known
whether the attackers actually viewed the member information,
according to The Wall Street Journal report.

"What was unusual about it was that this was clearly somebody very
sophisticated, who knew exactly who we are and who targeted specific
people and used sophisticated tools to try to gather intelligence,"
David Chavern, the Chamber of Commerce's COO, told The Journal.

The emails were stolen from four employees who focused on Asian policy
and contained information such as trade policy documents, trip
reports and schedules.

The FBI discovered the breach, and the agency notified the Chamber of
Commerce that information was being stolen. The organization unplugged
and destroyed several of the compromised computers before quietly
overhauling its entire network to implement sophisticated detection
equipment that would be able to isolate future attacks quickly.

"The fact that the Chamber of Commerce had to be alerted by the FBI
that data from their network was heading out to servers in China shows
they did not have the appropriate endpoint-monitoring capabilities and
log management technology in place to see who was accessing their data
and where it was going," David Pack, manager of LogRhythm Labs, told
eWEEK.

It appears that the attackers had built at least a half-dozen
backdoors to be able to enter the network quietly, sources told The
Journal. The compromised computers also quietly communicated with
computers based in China every week or so, The Journal reported.

Modern IT infrastructure can be very "porous" and it's difficult for
security teams to "understand it all," Mike Lloyd, CTO of RedSeal
Networks, told eWEEK. The Journal report highlighted "significant
out-bound holes" as it appears the infiltrators were able to
"exfiltrate" the data they found, Lloyd said. Most organizations build
some defenses against in-bound attacks, but very few effectively know
how to control out-bound traffic, he said.

Organizations need to have technology and policies in place to detect
outbound network traffic, detect data leakage and use the right
forensics to lock down problems, according to Pack.

Sources told The Journal that at least one of the perpetrators in the
group is suspected of having ties to the Chinese government in
Beijing. The Chinese Embassy in Washington told The Journal that the
allegations were "irresponsible."

There has been a lot of discussion recently in security circles about
cyber-war, but this kind of incident against American organizations is
a form of "silent global economic cold war" that has already been
occurring for some time, Anup Ghosh, founder and CEO of Invincea, told
eWEEK. Key research and intellectual property are being
"systematically hoovered" by China, Ghosh said, adding that nations
such as China are "amassing trade secrets to build their own economies
on the back of our stolen innovation."

"These events are becoming a lot like car alarms, common to the point
that they simply annoy and are ignored, yet it continues to be an
issue that we as a nation ignore at our own peril," Ghosh said.

It is possible that the evidence is circumstantial and China may not
be involved, Andrew Storms, director of security operations at
nCircle, told eWEEK. "There sure is a lot of circumstantial evidence
piling up, though," he said.

In October, there were reports that Chinese agents had breached and
taken control of U.S. government satellites on four occasions between
2007 and 2008. There was no proof to tie the Chinese government to
these incidents, but what happened was "consistent" with known
cyber-war techniques the Chinese have used, according to a
congressional report.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
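
The weekly check-ins described in the article (compromised hosts contacting
computers in China "every week or so") and the calls from Pack and Lloyd for
outbound-traffic monitoring are the kind of thing a simple beacon detector
over flow records catches. The following is an added example written for
this archive post; it is not code from eWEEK, The Journal, the Chamber of
Commerce or any vendor quoted above. The flow records, the internal address
ranges and the thresholds are constructed assumptions; a real deployment
would read flows from the organization's collector and its own address
inventory.

```python
"""Periodic-beacon detection over constructed outbound flow records.

Added example, not code from the article or any party it quotes. All
records, address ranges and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log, one record per line: "timestamp src dst dst_port bytes_out".
# 10.1.5.23 reaches 203.0.113.7 once a week at almost the same time (a beacon);
# 10.1.5.40's connections to 198.51.100.10 are irregular (ordinary browsing);
# the last record is internal SMB traffic and is ignored.
SAMPLE_FLOWS = """\
2010-01-04T02:13:00 10.1.5.23 203.0.113.7 443 48211
2010-01-11T02:12:30 10.1.5.23 203.0.113.7 443 51002
2010-01-18T02:13:10 10.1.5.23 203.0.113.7 443 47730
2010-01-25T02:12:50 10.1.5.23 203.0.113.7 443 52340
2010-02-01T02:13:05 10.1.5.23 203.0.113.7 443 49900
2010-01-04T09:00:00 10.1.5.23 198.51.100.10 443 1200
2010-01-04T09:02:00 10.1.5.40 198.51.100.10 443 900
2010-01-09T14:20:00 10.1.5.40 198.51.100.10 443 1100
2010-01-21T11:05:00 10.1.5.40 198.51.100.10 443 1300
2010-01-28T16:40:00 10.1.5.40 198.51.100.10 443 800
2010-01-05T10:00:00 10.1.5.23 10.1.2.9 445 90000
"""


def is_external(addr):
    """True when the address is outside the assumed internal ranges."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dst_port, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(text, min_count=4, max_cv=0.10):
    """Return (src, dst) pairs whose outbound connections recur at a regular interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; a beacon on a fixed timer has a CV
    near zero, human-driven traffic does not. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in parse_flows(text):
        if is_external(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_count:
            continue  # too few samples to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "interval_hours": avg / 3600,
                "cv": cv,
                "bytes_out": sum(nbytes for _, nbytes in events),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"every {f['interval_hours']:.1f} h (cv={f['cv']:.4f}), "
              f"{f['bytes_out']} bytes out")
```

Run stand-alone it reports the single weekly pair. Two caveats follow
directly from the article: a beacon with a one-week period is invisible in a
day's worth of logs, so outbound flow records must be retained for several
multiples of the period before this works at all (the log-management gap
Pack describes), and legitimate scheduled jobs such as backups and update
checks are also perfectly periodic, so in practice known destinations are
excluded by an allowlist and the CV threshold is tuned against the
organization's own baseline.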
