The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.
Over 10 days last July, the hackers returned to the council’s computers four times, accessing the internal communications of 11 of the EU’s economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe.
And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of China’s biggest and busiest hacking groups.
Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as “comments.”
During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers’ work as data bled from one victim after the next: from oilfield services leader Halliburton Co. to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd.
The researchers identified 20 victims in all -- many of them organizations with secrets that could give China an edge as it strives to become the world’s largest economy. The targets included lawyers pursuing trade claims against the country’s exporters and an energy company preparing to drill in waters China claims as its own.
“What the general public hears about -- stolen credit card numbers, somebody hacked LinkedIn -- that’s the tip of the iceberg, the unclassified stuff,” said Shawn Henry, former executive assistant director of the FBI in charge of the agency’s cyber division until leaving earlier this year. “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.”
Exploiting a hole in the hackers’ security, the researchers created a digital diary, logging the intruders’ every move as they crept into networks, shut off anti-virus systems, camouflaged themselves as system administrators and covered their tracks, making them almost immune to detection by their victims.
The minute-by-minute accounts spin a never-before told story of the workaday routines and relentless onslaught of a group so successful that a cyber unit within the Air Force’s Office of Special Investigations in San Antonio is dedicated to tracking it, according to a person familiar with the unit.
Those logs -- a record of the hackers’ commands to their victims’ computers -- also reveal the highly organized effort behind a group that more than any other is believed to be at the spear point of China’s vast hacking industry. Byzantine Candor is linked to China’s military, the People’s Liberation Army, according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document.
Hackers and Spies
The methods behind China’s looting of technology and data - - and most of the victims -- have remained for more than a decade in the murky world of hackers and spies, fully known in the U.S. only to a small community of investigators with classified clearances.
“Until we can have this conversation in a transparent way, we are going to be hard pressed to solve the problem,” said Amit Yoran, former National Cyber Security Division director at the Department of Homeland Security.