The US Commerce Department's Bureau of Industry and Security (BIS) recently reported a breach of its computer network. According to Commerce Department spokesman Richard Mills, "[BIS] discovered a targeted attempt to gain access to user accounts." Mills attempted to downplay the attack by stating, "we have no evidence that BIS data has been lost or compromised." Unfortunately, other evidence contradicts this benign assessment and points to a serious breach at the Commerce Department as part of an overall espionage campaign against the US government.
A Critical Breach
According to a July e-mail from Undersecretary of Commerce Mark Foulon recently obtained by the Washington Post, there have been "a number of serious threats to the integrity of our systems and data" (source). A follow-up e-mail from Foulon, sent in August, added that BIS "identified several successful attempts to attack unattended BIS workstations during the overnight hours" (source).
It is also instructive to study BIS's recovery plan. First, it has restricted Internet access to standalone workstations that are not connected to any other Commerce Department network or systems (source). Second, BIS has opted to procure new workstations to replace the infected and untrustworthy workstations (source).
This response reflects how seriously BIS and the Commerce Department take the attacks. According to Eric Sites, Vice President of Research and Development for Sunbelt Software, "If they are taking these computers off-line and junking them, I don't believe they haven't lost any data. This seems to be a pretty severe attack if they are going through this level of response, which is replacing all their systems" (source). Richard Stiennon, principal analyst with security consultancy IT-Harvest, added "replacing systems is pretty draconian, but it really indicates that Commerce is very concerned" (source).
Methods of Attack
These recovery strategies offer insight into the scope of the attack. That BIS decided to procure new workstations as opposed to reformatting the disks and reinstalling the operating system on the infected workstations suggests that the attacker utilized a BIOS-based rootkit (source), which is a piece of software that is able to conceal its presence and functions from the operating system and therefore allows the attacker to maintain access to an infected machine. BIOS code is stored in firmware on the motherboard and runs each time the computer is started, before the operating system loads. Installing a rootkit into the BIOS would allow the attacker to control the workstation even in the event of a disk reformat and operating system reinstall, hence the need to procure entirely new workstations.
It is unclear how the attacker was able to gain access to the affected BIS workstations. However, the targeted nature of this attack suggests that the attacker used a phishing email to lure the selected BIS users to a malicious web site that surreptitiously installed the rootkit onto the BIS workstation.
It is also unclear how the attacker managed to siphon data off the infected BIS workstations. While this remains a mystery, BIS administrators most likely noticed anomalies in their access logs. It is likely that an investigation into any "network anomalies" revealed the presence of the rootkit.
More Chinese Espionage?
According to a senior Commerce Department official, the attacks were traced to web sites registered with Chinese Internet service providers (source). It should come as no surprise that China has been implicated in this attack. A number of breaches have been traced to China, including attacks against the US Army Information Systems Engineering Command at Fort Huachuca, Arizona, the Defense Information Systems Agency in Arlington, Virginia, the Naval Ocean Systems Center, the United States Army Space and Strategic Defense installation in Huntsville, Alabama (source), the US State Department, and the British Parliament (source).
The Commerce Department's BIS would make an extremely attractive target for Chinese government-sponsored hackers. BIS is charged with managing exports of US commodities, such as software and hardware applications, having both commercial and military uses. China would be extremely interested in data from BIS, as it has increased its regulation of the growing trade partnership with the expanding Chinese market.
Some computer security experts point out that while the available evidence is certainly convincing, it does not prove conclusively that the Chinese government is responsible for the attacks. One US government official familiar with the investigation into many of the attacks attributed to China said, "Is this an orchestrated campaign by PRC or just a bunch of disconnected hackers? We just can't say at this point" (source). Even if the attacks were routed through China, hackers not affiliated with the Chinese government could have hijacked vulnerable computers located in China to stage these attacks.
Other experts are convinced of China's, and specifically the People's Liberation Army's (PLA; Group Profile), involvement in the attacks. According to Alan Paller, the director of the SANS Institute, "these attacks come from someone with intense discipline. No other organization could do this if they were not a military organization" (source). Paller further pointed out that, in some cases during the string of attacks, the attacker was "in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?" (source). Added Richard Stiennon, "the continuous nature of these attacks means there is a link to a state source."
More to Come?
The US federal government will likely announce evidence of additional attacks and data breaches in the future. As the recent past has demonstrated, there are significant weaknesses in many government agencies' cyber security posture. Moreover, the ongoing nature of these breaches indicates that many breaches are successful; otherwise, attackers would embrace other espionage techniques. Furthermore, the apparent low-risk, high-reward ratio of cyber espionage dictates that not only will China continue this avenue of attack, but other countries will also embrace this tactic.