From Robert O’Harrow Jr., Washington Post: The e-mails arrived like poison darts from cyberspace.
Some went to the Chertoff Group, a national security consulting firm in Washington. Others targeted intelligence contractors, gas pipeline executives and industrial-control security specialists. Each note came with the personal touches of a friend or colleague.
“Attach[ed] is a quote for the Social Media training we discussed,” said one message sent on July 3 to the vice president of EnergySec, a federally funded group in Oregon that focuses on the cybersecurity of the nation’s power grid.
But like much of the digital universe, the e-mails were not what they seemed. They were cyberweapons, part of a devastating kind of attack known as “social engineering. . . .”
The technique involves tricking people to subvert a network’s security. It often relies on well-known scams involving e-mail, known as “spear phishing,” or phony Web pages. But such ploys now serve as the pointed tips of far more sophisticated efforts by cyberwarriors to penetrate networks and steal military and trade secrets.
The e-mails this spring and summer appear to be part of a long-running espionage campaign by a hacker group in China, according to interviews with security researchers and documents obtained by The Washington Post. Some of the e-mails, including those sent to the Chertoff Group and EnergySec, were caught by suspicious employees. Others hit home.
“Multiple natural gas pipeline sector organizations have reported either attempted or successful network intrusions related to this campaign,” officials at the Department of Homeland Security said in a confidential alert obtained by The Post.
The May 15 alert, by the department’s specialists in industrial control systems, said “the number of persons targeted appears to be tightly focused. In addition, the email messages have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. . . .”
Once malicious software code is delivered, it burrows in and hides in the targeted network. That code, known as malware, can lurk for years in intelligence-gathering or attack schemes that are sometimes known as “advanced persistent threats.” Eventually, the code beacons back out to the hackers’ servers for instructions, often hiding that traffic with encryption or disguising it as innocuous Web browsing by an employee.
Over the past three years, most major cyberattacks on U.S. corporations have included social engineering, specialists said. That includes hacks of Google and security giant RSA. Researchers think that scores of attacks were designed by the same Chinese hackers who appear to be involved in the current e-mail campaign. Some U.S. officials think the hackers may have links to the Chinese military.
The Chinese are not the only ones using the technique. Cyberwarriors at the Pentagon receive social-engineering training for offensive and defensive missions, knowledgeable specialists said.
David Kennedy, a security consultant and former National Security Agency analyst, said he is amazed at the effectiveness of the techniques.
“I have done hundreds of these, and I have never been stopped,” said Kennedy, who teaches social engineering to other security specialists. “It sounds horrible, but it works every single time.”
The human factor
Social engineering works because it targets a vulnerable part of cyberspace that cannot be patched with technical fixes: human beings. People want to believe that their communication is safe.
“Because it goes at the human level, not at the technological level, we’re all vulnerable,” said Joseph Nye Jr., a distinguished service professor at Harvard University who is on the board of advisers to the Chertoff Group. Nye said he has received at least six spear-phishing e-mails purporting to be from the Chertoff Group. He said he deleted them all, but he added, “Every once in awhile, one of these will get by you. . . .”
Based on the evidence, the attacks appeared to be the work of the same attackers: a group of Chinese hackers that had been using social engineering for nearly a decade to break into systems across the globe with impunity.
Cyber-researchers have dubbed them the Comment Crew or Comment Group. The name stems from the fact that the hackers hide their attack commands inside HTML comments, the notes programmers leave in a Web page’s source to document their goals or record changes. A browser never displays a comment, so an infected machine can fetch an ordinary-looking page and read its instructions from text that a casual viewer would never see.
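The technique the paragraph above describes, from the defender’s side, as an added example that is not code from the article or from any of the researchers it cites: a small Python script that pulls every HTML comment out of a page and flags the ones that decode to readable command text. It assumes, as an illustration only, that the hidden commands are base64-encoded; the article does not say how the Comment Crew encoded them, and the sample page, the comment text and the command string are constructed here.

```python
"""Flag HTML comments that look like hidden command-and-control tasking.

Added example, not the article's or any researcher's code. Assumption: the
commands are base64-encoded inside comments. The sample page below is
constructed for illustration.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Comment text made only of base64 alphabet characters (whitespace allowed) and
# long enough that a short word such as "nav" does not trigger the check.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/=\s]{16,}$")


class CommentCollector(HTMLParser):
    """Collects the inner text of every <!-- ... --> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def extract_comments(html: str) -> List[str]:
    """Return the trimmed text of every HTML comment in the page, in order."""
    collector = CommentCollector()
    collector.feed(html)
    return collector.comments


def decode_candidate(comment: str) -> Optional[str]:
    """Return the decoded text if the comment is base64 that decodes to
    printable ASCII; otherwise None (ordinary developer notes fall out here)."""
    if not B64_SHAPE.match(comment):
        return None
    try:
        raw = base64.b64decode("".join(comment.split()), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\t\r\n" for ch in text):
        return None
    return text


def find_hidden_commands(html: str) -> List[Tuple[str, str]]:
    """Return (raw comment, decoded command) pairs for suspicious comments."""
    hits = []
    for comment in extract_comments(html):
        decoded = decode_candidate(comment)
        if decoded is not None:
            hits.append((comment, decoded))
    return hits


# Constructed sample tasking string; hypothetical, not from any real campaign.
HIDDEN_COMMAND = "sleep 3600; upload C:\\Users\\Public\\quotes.zip"


def build_sample_page() -> str:
    """Constructed sample: an ordinary-looking page whose third comment is
    base64-encoded tasking for an implant polling this page."""
    encoded = base64.b64encode(HIDDEN_COMMAND.encode("ascii")).decode("ascii")
    return (
        "<html><head><!-- main navigation --></head>\n"
        "<body>\n"
        "<!-- TODO: move footer styles into site.css -->\n"
        "<p>Quarterly newsletter</p>\n"
        f"<!-- {encoded} -->\n"
        "<!-- Copyright2012AcmeCorp -->\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    for raw, decoded in find_hidden_commands(build_sample_page()):
        print(f"suspicious comment: {raw!r} -> {decoded!r}")
```

The base64 heuristic is deliberately narrow: a real implant may read an encrypted blob or a custom encoding from the comment, as the article notes attackers cloak their traffic, so in practice this check belongs beside network-level indicators such as which hosts an employee workstation polls on a fixed schedule.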
The Comment Crew has become notorious for using simple social-engineering techniques, including well-crafted e-mails, in elaborate hacks that breach security, load “remote access tools,” or RATs, and siphon off oceans of data from victims.
Though it is sometimes impossible to definitively identify hackers, because of the hall-of-mirrors nature of cyberspace, they often leave behind compelling digital evidence. Researchers said the IP address of a Web server and a particular method of writing HTML comments links the attacks on the gas pipeline executives to those against the Chertoff Group and others. It also links the current campaign to a series of earlier devastating attacks by the Comment Crew, dubbed Operation Shady RAT.
Those intrusions compromised hundreds of systems over at least five years, including federal agencies, defense contractors and the United Nations, according to studies by McAfee and the Dell SecureWorks Counter Threat Unit. . . .
Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, estimates the group has at least 100 members who work at specific tasks such as social-engineering research, malware development and the processing of stolen information. In essence, the Comment Crew has made a business of cyber-espionage. Their activity online shows they typically work 9 to 5 — Shanghai time — and take off Chinese holidays. . . .
With enough money, focus, malware and social-engineering skills, “anybody can get into anyplace,” Stewart said. “The most careful person is not going to have a defense against it.”