You choose, we deliver
If you are interested in this story, you might be interested in others from The Journal Gazette. Go to www.journalgazette.net/newsletter and pick the subjects you care most about. We'll deliver your customized daily news report at 3 a.m. Fort Wayne time, right to your email.

U.S.

  • Miss America admits she was forced out of sorority
    Miss America says she was removed from her college sorority over a letter that made light of hazing, but she denies a report that she was involved in aggressively hazing fellow students.
  • Federal prison population drops by nearly 5,000
    The federal prison population has dropped in the last year by roughly 4,800, the first time in decades that the inmate count has gone down, according to the Justice Department.
  • Rights of same-sex military spouses vary by state
     JACKSONVILLE, N.C. – On the wall over her bunk in Kuwait, Marine Cpl. Nivia Huskey proudly displays a collection of sonogram printouts of the baby boy her pregnant spouse is carrying back home in North Carolina.
Advertisement

Chinese hackers used simple ruses

– The victims were their own worst enemies.

The hacking techniques the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking website links.

The scariest part might be how successfully the ruses worked. With a mouse click or two, employees at big-name American makers of nuclear and solar technology gave away the keys to their computer networks.

In a 31-count indictment announced Monday, the Justice Department said five Chinese military officials operating under hacker aliases such as “Ugly Gorilla,” “KandyGoo” and “Jack Sun” stole confidential business information, sensitive trade secrets and internal communications for competitive advantage. The U.S. identified the alleged victims as Alcoa World Alumina, Westinghouse, Allegheny Technologies, U.S. Steel, United Steelworkers Union and SolarWorld.

China denied it all Tuesday.

“The Chinese government and Chinese military as well as relevant personnel have never engaged and never participated in so-called cybertheft of trade secrets,” Foreign Ministry spokesman Hong Lei said in Beijing. “What the United States should do now is withdraw its indictment.”

That’s unlikely. What the Justice Department is doing is spelling out exactly how it says China pulled it off.

The U.S. says the break-ins were more Austin Powers than James Bond. In some cases, the government says, the hackers used “spear-phishing” – a well-known scam to trick specific companies or employees into infecting their own computers.

The hackers are said to have created a fake email account under the misspelled name of a then-Alcoa director and fooled an employee into opening an email attachment called “agenda.zip,” billed as the agenda to a 2008 shareholders’ meeting. It exposed the company’s network.

At another time, a hacker allegedly emailed company employees with a link to what appeared to be a report about industry observations, but the link instead installed malicious software that created a back door into the company’s network.

“We are so used to solving problems by clicking an email link, looking at the information and forwarding it on,” said Chris Wysopal, a computer security expert and chief technology officer of the software-security firm Veracode. “And if hackers know about you and your company, they can create really realistic-looking messages.”

Use of the rudimentary efforts the Justice Department described doesn’t mean foreign governments and others won’t use more sophisticated and harder-to-detect techniques, said Joshua Corman, the chief technology officer for Sonatype, which helps businesses make their software development secure.

Determined hackers escalate their attacks when necessary, he said, but in the cases cited in the federal indictment announced Monday, they didn’t have to escalate very far.

Corman noted that the U.S. has much higher investments in research and intellectual property, making America’s risk of loss in such thefts disproportionately higher than China’s.

Advertisement