Security Experts:

China Hackers Breached U.S. Chamber of Commerce

Hackers from China have breached computer systems at the U.S. Chamber of Commerce, resulting in access to operational data and information on its 3 million members, according to a report from the Wall Street Journal.

Citing unnamed sources familiar with the matter, the Journal reported that the cyber attack involved at least 300 IP addresses and was discovered and shut down in May 2010.

Cyber Attack: Chamber of Commerce Breached by China HackersWhile the extent of what the hackers may have been able to access is unknown, two people familiar with the matter told the Journal that hackers might have had access to the Chamber systems for more than a year.

“From the few details available, it seems the infiltrators were readily able to exfiltrate the secrets they uncovered,” Dr. Mike Lloyd, CTO at RedSeal Networks told SecurityWeek. “While most networks try to build at least some defenses against inbound attack, few organizations effectively control outbound traffic.”

"What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," David Chavern, Chief Operating Officer at the Chamber of Commerce told the Wall Street Journal.

The sources told the Journal that “certain technical aspects of the attack suggested it was carried out by a known group operating out of China.” The FBI reportedly notified the Chamber of Commerce that servers in China were stealing its information.

As would be expected, China is dismissing the claims.

Liu Weimin, a spokesman for the Chinese Foreign Ministry, dismissed the accusations, saying "There's nothing to be said about the baseless whipping up of so-called hacking and it won't come to anything," during a news briefing in Beijing. Weimin added that Chinese law bans hacking, and reminded of China’s desire to cooperate with other nations to combat cyber attacks. Earlier this year, a senior cyber-security official in China said that the country wants to work with other nations to improve cyber security. 

Over the past few years, talk about state-sponsored cyber attacks and espionage have habitually pointed to China as a suspect. In 2010, Google blamed China for Operation Aurora. In 2009, there was GhostNet, an espionage operation linked to China that targeted political targets in more than 100 countries. In 2005, a series of attacks dubbed “Titan Rain” were uncovered, which targeted military and government systems and may have dated back to as early as 2003.

More recently, some have speculated that China may be the mastermind behind Operation Shady RAT—though McAfee, the vendor that uncovered it, was cautious not publicly place blame. This past summer, a cyber attack on the IMF was uncovered, that resulted in the loss of a “large quantity” of data, including emails and documents, which experts believe was the result of a state-sponsored attack connected to foreign governments.

“Economic espionage by the Chinese has hit its 5th gear in 2011,” Tom Kellermann, CTO at AirPatrol, and who formerly worked for both the IMF and the World Bank, told SecurityWeek. “This attack has the signature modus operandi of the Chinese’s Thousand Grains of Sand approach to infiltrate the trust relationships between the pillars of the economic community in the US and their constituencies,” Kellermann added.

“We talk about an eventual cyber war, but this is the latest disclosure of a silent global economic coldwar that has been raging for sometime without broad awareness by the real targets—American corporations where our key R&D and intellectual property are being systematically hoovered by China,” said Anup Ghosh, Founder & Chief Executive Officer at Invincea.

The fact that the event was discovered back in 2010, and is just now coming to the surface via a third party has sparked some concern.

“The lag in communicating this breach to the public underscores another fundamental problem in the industry—victims are afraid to disclose breaches and how they are compromised, which at the same time provides cover for a failing security industry and enables the attackers to continue to loot with impunity,” said Ghosh. “Talk of public/private partnerships between Government and industry rings hollow when we don't have in place fundamental architectures to proactively defeat the threat before it hits networks in the first place.”

“We need to collaborate and inform when breaches take place, we need diplomatic support to reduce the desire or economic benefit to steal and we need to protect our assets as best as possible,” said Steven Sprague, CEO of Wave Systems.

“Nations like China continue to amass what is the equivalent of America's economic future – trade secrets and intellectual property that they can use to build their own economies on the back of our stolen innovation,” Ghosh explained.

“Now is the time for state sponsored economic espionage to be raised up to the level of the WTO and the G20 Summit, because we can no longer tolerate the campaign of digital colonization,” added AirPatrol's Kellermann.

“There are also significant outbound holes highlighted here – once an attacker finds a way in, how easily can they get the information back out?,” LLyod commented. “The US Chamber of Commerce representatives acknowledge that this is a new area to focus on – it is not wise to assume your defenses are going to prevent all attacks, and so you have to plan to contain or constrain the attacks that do gain access.”

So what would make the Chamber of Commerce an attractive target to attackers? The pro-business organization employs hundreds of policy experts, lobbyists, and lawyers, and and works businesses of all sizes, to the tune of large business and coordinates initiatives covering energy, infrastructure, education and more. While the Chamber serves many of the nation’s largest corporations, more than 96% of its members are small businesses with 100 employees or fewer.

Is this attack just another cyber attack headline that may be big news today, but forgotten about by many in short time? Invincea’s Chief believes that attitude may be all too common. “These events are becoming a lot like car alarms, common to the point that they simply annoy and are ignored, yet it continues to be an issue that we as a nation ignore at our own peril,” Ghosh said. “We are collectively waiting for some Digital Pearl Harbor event while we suffer death by a thousand cuts - or the equivalent of digital Chinese water torture.”

SecurityWeek did speak with the U.S. Chamber of Commerce and is waiting for an official response and additional information on the incident.