How five Chinese hackers stole secrets from some of America's largest companies
208 Datong Road is a nondescript concrete high rise on one of Shanghai's busiest roads. Amid the lingering smog rising like mist off the honking lines of traffic, and the trains screeching to a halt in the nearby main railway station, this building doesn't look like much. But this is exactly where five members of an elite People's Liberation Army group codenamed Unit 61398 were assigned to hack into some of the largest companies in the United States of America.
According to an indictment unveiled on Monday, "the co-conspirators used email messages known as 'spearfishing' messages to trick unwitting recipients into giving the co-conspirators access to their computers”.
The group is being indicted for "conspiracy to commit computer fraud and abuse".
"Spearfishing messages were typically designed to resemble emails from trustworthy senders, like colleagues, and encourage the recipients to open attached files or click on hyperlinks in the messages," it went on.
The group, whose members went by aliases such as "Jack Wang", "UglyGorilla", "jack Sun" and "KandyGoo", was also hired by Chinese firms to steal specific secrets from identified companies. The group relied on the technique known as spear-phishing, which involves sending compromised emails to employees of a company, and uses details about employees' lives gleaned through social media or reconnaissance to make the emails convincing enough to click.
Once the compromised file is opened, the hackers can gain full access of the user's computer, and from there work on gaining further access to the corporate network.
For instance, back in 2008, the hackers of Unit 61398 sent emails to 19 senior employees at aluminum-manufacturer Alcoa, based in Pennsylvania. The account of the sender impersonated a member of the company's board of directors, and the message included malware in an attachment "disguised as an agenda for Alcoa's annual board meeting".
This sophisticated attack led to the theft of more than 2,900 email messages and 863 attachments, "including internal messages among Alcoa senior managers" that discussed a Chinese acquisition, according to the indictment. It's not certain whether this intelligence was used to any advantage by any Chinese firms, but it's sensitive information nonetheless.
But the attacks were sometimes even more finely targeted. A 2010 strike saw just a single employee of United States Steel targeted by a spear-phishing email. The effect was staggering, providing "hostnames and descriptions for more than 1,700 servers, including servers that controlled physical access to the company's facilities and mobile device access to the company's networks".
A 2012 attack allowed the hacking unit to access "network credentials for virtually every employee" at Allegheny Technologies, which employs over 9,500 full-time workers in the aerospace, defense and "specialty materials solutions" sectors.
Perhaps most worryingly, the group accessed secret files belonging to Westinghouse Electric, which contained details on nuclear power plants. Unit 61398 even hijacked emails from its CEO back in 2010.
According to the indictment, the Chinese military stole a total of at least 1.4GB of data, "the equivalent of roughly 700,000 pages of email messages and attachments, from Westinghouse's computers" alone, between 2010 and 2012.
The shocking series of attacks shows just how dangerous the spear-phishing technique can be, and just how important it is to properly train staff in defending against social engineering attacks.
When we spoke to Bullguard's Alex Balan back in November, he said that companies need "military-style drills" against social engineering attacks. Looks like he might have been right.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.