A targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group’s security defenses, according to security experts, and could have been a staging ground for attacks on Chamber member organizations.
Investigators have not determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber’s Asian policy affairs, according to a report in the Washington Post. Experts said that while it’s unclear if spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain the initial foothold in an organization’s systems.
“Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs,” said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. “Many of these attacks require the user to take some action, but they’re taking advantage of a piece of software that is otherwise silent but the user has activated it.”
The organization learned of the attack from the FBI. An independent team of forensics investigators said the Chamber’s systems were compromised between November 2009 and May 2010, though the attackers may have had network access for more than a year.
The Chamber has 450 employees and is the country's largest lobbying organization on behalf of businesses. The attack is believed to have been carried out by hackers in China. The forensics team uncovered evidence that as many as 50 Chamber members were compromised. Backdoors on compromised systems connected to command-and-control servers, from which it is believed that well-funded attackers pored through stolen email messages for financial documents and other sensitive data. Data stolen, according to the Post report, included trade-policy documents, meeting notes, trip reports and schedules.
“Despite the trade information they gleaned off of emails, a very likely motivation behind the attack is to get to the members,” said Harry Sverdlove, CTO of Waltham, Mass.-based application whitelisting vendor Bit9 Inc. “If the attackers can send Chamber members a spear phishing message from a legitimate Chamber email address, then they have the potential to gain access to the systems of larger U.S. corporations.”
The attackers used techniques strikingly similar to those seen in previous high-profile data breaches believed to have ties to nation-states. The RSA SecurID breach earlier this year and the Operation Aurora attacks that targeted Google and other U.S. corporations last year both started with spear phishing messages sent to relatively low-profile employees. Attackers this year also targeted oil and other energy companies in a campaign dubbed Night Dragon. Once the attackers gain a foothold, they often use stolen credentials to reach systems containing more critical data, bypassing many security technologies, which look for malware rather than for misuse of legitimate accounts.
“We’ve learned with RSA that with spear phishing, even very sophisticated users can be breached,” said Pete Lindstrom, research director at Pennsylvania-based security research firm Spire Security. “When we talk about targeted attacks, the cybercriminal organization is typically going after a specific type of information and intellectual property is increasingly becoming a favorite target of attackers.”
The U.S. Chamber of Commerce told the Post that it has since beefed up the security of its systems, adding monitoring technology and enforcing stricter security policies for employees who travel to Asia.
Lindstrom said many organizations rely on endpoint security software, primarily signature-based email filtering and antivirus technology to weed out malicious attachments. Organizations with a lower risk tolerance will deploy intrusion detection and prevention systems to monitor for malicious network traffic.
Unified threat management systems or next generation firewalls can also alert on suspicious traffic attempting to send sensitive data to remote locations, he said. Data leakage prevention also attempts to address the issue. Whitelisting, which blocks users from installing many programs on their systems, is effective but can also lead to false positives, Lindstrom said.
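The two network behaviours described in this article, backdoors checking in with command-and-control servers on a schedule and bulk outbound transfers of stolen data, are what the monitoring products mentioned above alert on. The following is an added example written for this page, not code from the article, the Chamber, or any vendor quoted here. It assumes a simple connection log with one line per outbound connection ("ISO timestamp, source host, destination IP, bytes sent"), a constructed sample log, a hypothetical allowlist of destinations expected to receive bulk data, and threshold values chosen for illustration.

```python
"""Added example: flag beaconing and bulk outbound transfers in a connection log.

Assumed log format (not from the article): one line per outbound connection,
"<ISO timestamp> <source host> <destination IP> <bytes sent>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic). ws-policy-02 contacts one outside
# address every 30 minutes and then pushes ~49 MB to it; ws-hr-07 is normal.
SAMPLE_LOG = """\
2010-03-01T09:00:05 ws-policy-02 203.0.113.7 1020
2010-03-01T09:30:04 ws-policy-02 203.0.113.7 990
2010-03-01T10:00:06 ws-policy-02 203.0.113.7 1100
2010-03-01T10:30:05 ws-policy-02 203.0.113.7 1005
2010-03-01T11:00:04 ws-policy-02 203.0.113.7 1010
2010-03-01T11:30:05 ws-policy-02 203.0.113.7 1030
2010-03-01T11:30:20 ws-policy-02 203.0.113.7 48900000
2010-03-01T09:12:31 ws-hr-07 198.51.100.20 5400
2010-03-01T09:14:02 ws-hr-07 198.51.100.20 8100
2010-03-01T13:41:10 ws-hr-07 192.0.2.44 2200
2010-03-01T16:02:55 ws-hr-07 198.51.100.20 3100
"""

# Hypothetical destinations that legitimately receive bulk data (e.g. a hosted
# mail or backup provider); bulk transfers to these are not alerted on.
ALLOWLIST = frozenset({"198.51.100.20"})


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)
        except ValueError:
            continue


def analyze(text, allowlist=ALLOWLIST, min_connections=5, jitter=0.05,
            exfil_bytes=10_000_000):
    """Return sorted (src, dst, kind, detail) alerts.

    Beaconing: at least `min_connections` connections from one host to one
    destination where at least 75% of the gaps between them lie within
    `jitter` of the median gap (a human-driven session is rarely that regular).
    Bulk outbound: total bytes to one non-allowlisted destination above
    `exfil_bytes`.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        flows[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in flows.items():
        events.sort()
        total = sum(n for _, n in events)
        if dst not in allowlist and total > exfil_bytes:
            alerts.append((src, dst, "bulk-outbound", f"{total} bytes"))
        if len(events) >= min_connections:
            gaps = [(b[0] - a[0]).total_seconds()
                    for a, b in zip(events, events[1:])]
            mid = median(gaps)
            regular = sum(1 for g in gaps if abs(g - mid) <= jitter * mid)
            if mid > 0 and regular / len(gaps) >= 0.75:
                alerts.append((src, dst, "beaconing",
                               f"{len(events)} connections, ~{int(mid)}s period"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The beacon test uses the median gap rather than the mean so that one late burst (here, the large upload fifteen seconds after a check-in) does not hide the underlying 30-minute period; the allowlist is what keeps the bulk-transfer rule from firing on legitimate services, which is also where such rules generate the false positives Lindstrom mentions.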
“You need to develop context and understand who your adversary might be,” Lindstrom said. “There are a lot of different ways to skin this cat and prevent the unwanted outcome, including user awareness training.”