Some of the biggest companies in the U.S. remain vulnerable to one of the oldest hacking tricks in the book, according to yesterday’s indictment of five Chinese military officials accused of stealing trade secrets.
The common tactic, called spearphishing, was used to access the computer networks of companies including United States Steel Corp. and Alcoa Corp., according to the U.S. Justice Department, which unveiled the charges yesterday. By sending employees false e-mails purporting to be official messages, hackers were able to trick them into divulging user names, passwords and other sensitive information.
The charges, which effectively accuse China and its government of using cyber-espionage to steal technology, expose what remains a gaping hole for many companies: their own workers. Even though computer-security firms are profiting from record spending on technologies to prevent hacks, people end up being the weakest link in such attacks, according to Dmitri Alperovitch, chief technology officer of CrowdStrike Inc., a cybersecurity firm in Irvine, California.
“It’s not the vulnerability in the computer -- it’s the vulnerability in the human that always gets targeted,” Alperovitch said. “This is not a problem like cancer where you can get to an end point where you can declare you’ve won.”
Even with the computer-security industry poised to top $85 billion in revenue by 2016 -- almost 70 percent higher than at the start of the decade, according to Gartner Inc. -- it will be of little use if attackers are successful in targeting companies and employees with spearphishing attacks.
Annual losses from cybercrime, intellectual-property theft from corporations and other costs could run as high as $400 billion, according to the Center for Strategic and International Studies and McAfee, an Intel Corp. company. There were 450,000 known phishing attacks in 2013 and losses from them reached a record $5.9 billion, according to EMC Corp.
The indictment, unsealed yesterday in District Court in Pennsylvania, allege the Chinese officers conspired to steal trade secrets and other information from U.S. companies specializing in solar panels, metals and next-generation nuclear power plants. Westinghouse Electric Co. and Allegheny Technologies Inc. and the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial Services Workers International Union were named in the indictment.
Spearphishing, a more targeted version of mass-e-mail phishing attacks, has long been known as a glaring vulnerability. In 2011, RSA Security, a unit of EMC, was hacked that way, exposing a hiring campaign. A Coca-Cola Co. executive opened a spearphishing message in 2012, leading hackers to gain access to internal documents.
At Alcoa, about 19 employees received an e-mail purporting to be from a board member, Carlos Ghosn, who is also chief executive officer of Nissan Motor Co. An attachment to the message, once opened, unleashed a virus that penetrated Alcoa’s network. While Ghosn wasn’t directly identified in yesterday’s indictment, the document refers to a director with the initials “C.G.” Ghosn was the only board member at the time matching that criteria.
Chris Keeffe, a spokesman for Nissan, and Monica Orbe, a spokeswoman for Alcoa, declined to comment.
Some of the main targets are personal assistants, who play a central role inside companies and are targeted because they often have access to executives’ calendars, contact lists and e-mail accounts, according to Kevin Haley, director of Symantec Corp.’s Security Response team. The other type of workers targeted most often are public-relations professionals, whose names and e-mail addresses are easy to harvest from public Web pages. They’re also accustomed to hearing from people they don’t already know, Haley said.
Senior management is at medium risk of being hacked, while salespeople, recruiters, corporate officers and researchers pose the lowest risk, Symantec said in a report last month that ranked occupations by their likelihood of being targeted.
Support staff are particularly vulnerable because many companies overlook them as cybersecurity risks and don’t spend enough time on training, Haley said. One of the most successful techniques for teaching employees of all levels about hacking risks is deploying mock spearphishing campaigns with the help of outside firms, he said.
At Websense Inc., a San Diego-based security-software firm, 600 salespeople were sent a mock spearphishing e-mail in November as part of an experiment. Two-thirds opened a link to an unfamiliar website asking for their user names and passwords, the study showed. After a year of training, the proportion fell to 30 percent.
“Users can sense if something is wrong if they are trained in that way,” Haley said. “I should be telling you that you have to buy more stuff, and obviously you need the technology, but the technology can’t do it alone.”
At Amara Health Analytics, everyone from executives to administrative staff are warned that they could be targeted by hackers seeking access to data, according to CEO Steve Nathan. The San Diego-based company, which mines medical files on behalf of health-care providers to find early signs of disease, conducts pre-employment background checks and gives a review of the company’s privacy and security policies every time new data is received, he said.
“As a business owner, it starts with being paranoid,” Nathan said. “You have to be super-sensitive to these privacy issues. Any kind of problem could be the end of your business.”
The charges against the Chinese military officers should prompt more U.S. firms to work with the government and share information about hacking incidents, Alperovitch said.
Employee education is also key. Riptide IO Inc., a Santa Barbara, California-based firm that helps companies manage data from their buildings, issues frequent warnings about not putting passwords in e-mail and other basic cybersecurity measures to ensure that every employee -- including support staff -- is aware of hacking risks, CEO Mike Franco said.
“Everybody has to realize that exposure does come from people, not technology,” Franco said. “You can’t stop this kind of intrusion with good technology. You have to do it with learning and education and attitude changes and awareness.”