Attorney General Eric Holder, center, accompanied by U.S.
Intellectual Property Enforcement Coordinator Victoria Espinel, left,
and Acting Commerce Secretary Rebecca Blank, speaks about strategy to
mitigate the theft of US trade secrets, Wednesday, Feb. 20, 2013, in the
Eisenhower Executive Office Building on the White House complex in
Washington. (AP Photo/Jacquelyn Martin)
The revelation, made by the
New York Times and a firm called
Mandiant
last month, that the Chinese military is engaging in a sophisticated
campaign of Internet spying and cyber attacks targeting American
corporations and government websites provoked widespread alarm. What
hasn’t been noted is that the Chinese plot bears much in common with a
conspiracy to spy on and sabotage liberal advocacy groups and unions—a
plot developed on behalf of none other than the US Chamber of Commerce
back in 2011.
Indeed, Mandiant
identified
the Chinese plot by combing through the database of hacking tools
managed by the same individuals associated with the American firm that
had been enlisted to help the Chamber execute its spying and hacking
plan, before it was exposed by the hacktivist group Anonymous.
Attorneys for the Chamber were caught negotiating for a contract to
launch a cyber campaign using practically identical methods to those
attributed to the Chinese, which reportedly could be used to cripple
vital infrastructure and plunder trade secrets from Fortune 100
companies. The Chamber was seeking to undermine its political
opposition, including the Service Employee International Union (SEIU)
and
MoveOn.org, but apparently had to scotch the plan after it was revealed by Anonymous.
At the RSA Conference in San Francisco, the “nation’s largest gathering of
cyber security professionals,”
The Nation
spoke to a number of experts who said the same invasive strategies
employed by the Chinese military could be easily used in political
campaigns and other political contexts by anyone willing to take the
risk.
The story of both the Mandiant
report
and the American lobbyist hacking conspiracy begins in February of
2011, when the hacktivist group Anonymous stole some 70,000 e-mails from
a Bethesda, Maryland-based firm called HBGary Federal and dumped them
onto the Internet. HBGary Federal was an affiliate of HBGary, a firm
that maintained a database and discussion forum of hacking software
called
Rootkit.com, which served as a “
malware repository
where researchers stud[ied] hacking techniques from all over the
world.” It appears the Chinese hackers, known as the “Comment Crew,” had
participated to gain the types of software used to compromise computers
owned by dozens of American interests.
The Mandiant
report
details how the disclosure of Rootkit.com’s user database from
Anonymous not only revealed the e-mail account associated with
UglyGorilla, or Jack Wang, and SuperHard_M, or Mei Qiang, two of the
alleged Chinese hackers, but the IP address that helped confirm the
Shanghai Pudong location of the Chinese military office building, from
which it launched attacks on US-based targets. As Nate Anderson of Ars
Technica
reported, the theft of HBGary Federal’s data offered the Mandiant researchers a “treasure trove of information.”
Rootkits, a term used to describe software that can gain access to
computer systems without detection, can often be used for malicious
purposes. Asked why he thought the Chinese military would participate in
an American site like
Rootkit.com, Richard Bejtlich, Mandiant’s Chief Security Officer, told
The Nation that at least initially, “If you wanted to get up to speed on that technology, that’s where you went.”
Mandiant compared the information from the Rootkit.com user database
with data from other cyber security breaches attributed to Chinese
hacking attempts to come to the conclusions in their report.
According to the
New York Times
and Mandiant, the Shanghai-based Unit 61398 of the People’s Liberation
Army employing the “Comment Crew” hackers relied largely upon
spear-phishing (often an e-mail to trick the recipient into opening a
document or attachment containing a malicious piece of software, like a
rootkit) to gain access to firms like Coca-Cola, the National Electrical
Manufacturers Association, EMC, and Telvent, a company that produces
programs for remote access for oil and gas pipelines.
As policymakers and major American companies continue to react to
the news about the Chinese hacking, similar threats could play a role in
labor organizing and political campaigns.
The disclosure of HBGary Federal’s e-mails revealed one of the most
brazen political espionage efforts in recent memory, which underscores
this threat.
In October of 2010, HBGary Federal was solicited by Matthew Steckman
of the firm Palantir on behalf of attorneys representing the US Chamber
of Commerce “about offering a complete intelligence solution” and
“social media exploitation.” The Chamber had dealt with
critical news
about an IRS complaint alleging that the insurance giant AIG had
illegally laundered millions of dollars to the Chamber in September.
Also around that time, I wrote a
separate story
for ThinkProgress revealing fundraising documents that showed the
Chamber had solicited foreign corporate money for the same 501(c)(6)
legal entity the Chamber used to run campaign commercials during the
midterm elections. The leaked HBGary Federal e-mails show the Chamber
was interested in responding aggressively to this pressure.
By November of that year, Palantir, HBGary Federal and another firm,
Berico, had discussed the effort to push back against the Chamber’s
critics several times with a number of the Chamber’s attorneys at the
law/lobbying firm Hunton and Williams, and had prepared a series of
presentations detailing their proposal to the Chamber. One of the attorneys
involved in the discussions, Hunton and William's Richard Wyatt, had already been
retained by the Chamber to sue the Yes Men, a comedic advocacy group, for impersonating the Chamber at a prank press conference.
The presentations, which were also leaked by Anonymous, contained ethically questionable tactics, like
creating
a “false document, perhaps highlighting periodical financial
information,” to give to a progressive group opposing the Chamber, and
then subsequently exposing the document as a fake to undermine the
credibility of the Chamber’s opponents. In addition, the group proposed
creating a “fake insider persona” to “generate communications” with
Change to Win, a federation of labor unions that sponsored the watchdog
site, US Chamber Watch.
Even more troubling, however, were plans by the three contractors to
use malware and other forms of malicious software to hack into
computers owned by the Chamber’s opponents and their
families.
Boasting that they could develop a “fusion cell” of the kind “developed
and utilized by Joint Special Operations Command (JSOC),” the
contractors discussed how they could use “custom malware development”
and “zero day” exploits to gain control of a target’s computer network.
These types of hacks can allow an attacker not only to snoop, but to
delete files, monitor keystrokes, and manipulate websites, e-mail
archives and any database connected to the target computer.
In January of 2011, Hunton and Williams, which had
met with the Chamber to discuss the proposals, sent by courier a CD with
target data to the contractors. The targets
discussed
in e-mails included labor unions SEIU, IBT, UFW, UFCW, AFL-CIO, Change
to Win, as well as progressive organizations like the Center for
American Progress,
MoveOn.org, Courage Campaign, the Ruckus Society, Agit-Pop, Brave New Films and others.
Though HBGary markets itself as a firm that uses its expertise in
cyber security to help both companies and the government defend against
malicious attacks, the e-mail archives leaked by Anonymous make clear
that executives at the firm were interested in selling this technology
for offensive capabilities. In an e-mail with Greg Hoglund, the founder
of both HBGary and
Rootkit.com, and part owner of HB Gary Federal, Aaron Barr, HBGary Federal's chief executive,
described
a “spear phishing strategy” that could be used on “our adversaries.” In
another e-mail chain, HBGary staff discussed using a fake “patriotic
video of our soldiers overseas” to induce military officials to open
malicious data extraction viruses; in another, they discuss the success
of a dummy “evite” e-mail used to maliciously hack target computers.
The tactics described in the proposals are illegal. However, there
were no discussions in the leaked e-mails about the legality of using
such tactics. Rather, the Chamber’s attorneys and the three contractors
quibbled for weeks about how much to charge the Chamber for these
hacking services. At one point, they demanded
$2 million a month.
HBGary Federal and their partners were
scheduled to meet the Chamber to finalize the deal on February 14, 2011. However, on February 4, Barr boasted to the
Financial Times
that he was preparing to reveal the identities of Anonymous, which
responded with the hack that spilled the contents of HBGary Federal’s
e-mails and Rootkit.com’s user database. HBGary Federal had also entered
into talks about working on behalf of Bank of America to discredit the
website Wikileaks and its perceived allies in the media. The e-mail
trail ends on February 6th; the Chamber, despite e-mails showing they
met with Hunton and Williams to discuss the project, denied any
knowledge of the proposal and said they had never compensated the firms
or entered into any agreement for the work described in the proposals.
HBGary Federal, which shared the same owners and office space as
HBGary, shut down in the wake of the leaked e-mails. Last year, HBGary
was acquired by a military contracting firm called ManTech International
for $23.8 million, according to disclosures with the Securities and
Exchange Commission. The spokesperson for HBGary declined to comment on
this story.
Although
Rootkit.com
is no longer online, similar websites like MetaSploit and TrustedSec
offer hackers and cyber security professionals an array of software that
could be used by anyone seeking to break into an organization, take
control of their network, and seize data.
“There’s nothing so unique about how you break into an
organization,” said Nick Levay, the Director of Technical Operations
Information Security at the Center for American Progress, who spoke to
The Nation
by telephone. Levay, an expert on computer security, said there’s “lots
of overlap” between the documented Chinese military cyber hacking
incidents described by
The New York Times and the Mandiant report and the tactics proposed by the contractors working with the Chamber’s attorneys.
Mandiant’s Richard Bejtlich described the malware tools as a firearm
that could be used by anyone. “You could buy a firearm but what are you
going to do with it? Is it for hunting or self-defense?” Researchers
commonly use sites like MetaSploit to develop defense software against
certain cyber attacks. Or, Bejtlich said, “Are you outfitting an army to
conduct an insurgency where you’re going to harass a foreign military
for ten years?”
Levay said that malware or phishing attempts may be difficult to
detect if the perpetrator is only interested in gathering intelligence.
However, “any disruption or sabotage, they’re going to get caught,” said
Levay. Bejtlich made a similar case, arguing that if domestic political
organizations or cyber criminals attempt to sabotage computers in the
United States, “the Bureau’s going to find you.”
Large firms that have been victimized by malicious hacking,
including Google and Intel, at least have the resources to detect and
counter most forms of computer crimes. But what about a small company,
or political advocacy group with little resources?
“Political campaigns, absolutely, they have to be vigilant that they
will be attacked,” said Ajay Uggirala, the Director of Protect and
Technical Marketing at the cyber security firm Solera Networks. “It’s
going to be a dynamic,” Uggirala explained, “I wouldn’t be surprised if
people use the good tools we have for bad purposes on political
candidates.”
