The Wall Street Journal
DECEMBER 21, 2011
By SIOBHAN GORMAN
A group of hackers in China breached the computer defenses of America's top business-lobbying group and gained access to everything stored on its systems, including information about its three million members, according to several people familiar with the matter.
The break-in at the U.S. Chamber of Commerce is one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers. The complex operation, which involved at least 300 Internet addresses, was discovered and quietly shut down in May 2010.
It isn't clear how much of the compromised data was viewed by the hackers. Chamber officials say internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.
It is possible the hackers had access to the network for more than a year before the breach was uncovered, according to two people familiar with the Chamber's internal investigation.
One of these people said the group behind the break-in is one that U.S. officials suspect of having ties to the Chinese government. The Chamber learned of the break-in when the Federal Bureau of Investigation told the group that servers in China were stealing its information, this person said. The FBI declined to comment on the matter.
A spokesman for the Chinese Embassy in Washington, Geng Shuang, said cyberattacks are prohibited by Chinese law and China itself is a victim of attacks. He said the allegation that the attack against the Chamber originated in China "lacks proof and evidence and is irresponsible," adding that the hacking issue shouldn't be "politicized."
In Beijing, Foreign Ministry spokesman Liu Weimin said at a daily briefing that he hadn't heard about the matter, though he repeated that Chinese law forbids hacker attacks. He added that China wants to cooperate more with the international community to prevent hacker attacks.
The Chamber moved to shut down the hacking operation by unplugging and destroying some computers and overhauling its security system. The security revamp was timed for a 36-hour period over one weekend when the hackers, who kept regular working hours, were expected to be off duty.
Damage from data theft is often difficult to assess.
People familiar with the Chamber investigation said it has been hard to determine what was taken before the incursion was discovered, or whether cyberspies used information gleaned from the Chamber to send booby-trapped emails to its members to gain a foothold in their computers, too.
Chamber officials said they scoured email known to be purloined and determined that communications with fewer than 50 of its members were compromised. They notified those members. People familiar with the investigation said the emails revealed the names of companies and key people in contact with the Chamber, as well as trade-policy documents, meeting notes, trip reports and schedules.
"What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," said the Chamber's Chief Operating Officer David Chavern.
Nevertheless, Chamber officials said they haven't seen evidence of harm to the organization or its members.
The Chamber, which has 450 employees and represents the interests of U.S. companies in Washington, might look like a juicy target to hackers. Its members include most of the nation's largest corporations, and the group has more than 100 affiliates around the globe.
While members are unlikely to share any intellectual property or trade secrets with the group, they sometimes communicate with it about trade and policy.
U.S. intelligence officials and lawmakers have become alarmed by the growing number of cyber break-ins with roots in China. Last month, the U.S. counterintelligence chief issued a blunt critique of China's theft of American corporate intellectual property and economic data, calling China "the world's most active and persistent perpetrators of economic espionage" and warning that large-scale industrial espionage threatens U.S. competitiveness and national security.
Two people familiar with the Chamber investigation said certain technical aspects of the attack suggested it was carried out by a known group operating out of China. It isn't clear exactly how the hackers broke in to the Chamber's systems. Evidence suggests they were in the network at least from November 2009 to May 2010.
Stan Harrell, chief information officer at the Chamber, said federal law enforcement told the group: "This is a different level of intrusion" than most hacking. "This is much more sophisticated."
Chamber President and Chief Executive Thomas J. Donahue first learned of the breach in May 2010 after he returned from a business trip to China. Chamber officials tapped their contacts in government for recommendations for private computer investigators, then hired a team to diagnose the breach and overhaul the Chamber's defenses.
They first watched the hackers in action to assess the operation. The intruders, in what appeared to be an effort to ensure continued access to the Chamber's systems, had built at least a half-dozen so-called back doors that allowed them to come and go as they pleased, one person familiar with the investigation said. They also built in mechanisms that would quietly communicate with computers in China every week or two, this person said.
The intruders used tools that allowed them to search for key words across a range of documents on the Chamber's network, including searches for financial and budget information, according to the person familiar with the investigation. The investigation didn't determine whether the hackers had taken the documents turned up in the searches.
When sophisticated cyberspies have access to a network for many months, they often take measures to cover their tracks and to conceal what they have stolen.
To beef up security, the Chamber installed more sophisticated detection equipment and barred employees from taking the portable devices they use every day to certain countries, including China, where the risk of infiltration is considered high. Instead, Chamber employees are issued different equipment before their trips—equipment that is checked thoroughly upon their return.
Chamber officials say they haven't been able to keep intruders completely out of their system, but now can detect and isolate attacks quickly.
The Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.
"It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in," said Mr. Chavern, the chief operating officer. "It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again."
--Owen Fletcher in Beijing contributed to this article.