'State-sponsored' Chinese hackers blamed for Coca Cola cyberattack

Coca-Cola's computer system was hacked during its bid to take over Huiyuan Juice, but like many other firms, it kept mum about the cyberattack

PUBLISHED : Tuesday, 06 November, 2012, 12:00am
UPDATED : Tuesday, 06 November, 2012, 3:49pm

FBI officials quietly approached executives at Coca-Cola in March 2009 with some startling news.

Hackers had broken into the firm's computer systems and were pilfering sensitive files about its attempted US$2.4 billion acquisition of China Huiyuan Juice Group, according to three people familiar with the situation and an internal company document detailing the cyberintrusion.

The Huiyuan deal, which collapsed after the visit, would have been the largest foreign takeover of a Chinese firm at the time.

Coca-Cola, the world's largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees - and in some cases even from senior executives.

Like many other corporate cyberattacks, it appears that hackers in China were behind the Coca-Cola breach.

While the internal Coke report says the intruders were state-sponsored, its details, including the types of malware and techniques used, suggest they are part of Comment group, one of the most prolific hacking groups in China, according to AlienVault, a security firm.

When hackers last year waged a large-scale attack on BG Group, raiding troves of sensitive data, the British energy firm never made it public. Steelmaker ArcelorMittal also kept mum when intruders targeted, among others, its executive overseeing China.

Digital intruders are increasingly targeting information about high-stakes business deals - from mergers and acquisitions to joint ventures to long-term supply deals - and companies routinely conceal these breaches from the public, say government officials and security companies.

"Investors have no idea what is happening today," said Jacob Olcott, a former cyberpolicy adviser to the US Congress. "Companies provide little information about material events that occur on their networks."

The US Securities and Exchange Commission said companies were required to report any material losses from such attacks, and any information "a reasonable investor would consider important to an investment decision".

Yet no company had publicly disclosed the theft of sensitive deal-related information from a computer intrusion, said Olcott.

Many companies worry that such news could batter their reputation and stock price.

A striking aspect of the wave of corporate hacking is how little is sometimes known about the information taken, much less who is taking it and how it is being used, say security researchers.

Despite the estimated US$60 billion invested by corporations and governments in network security systems, hackers continue to circumvent them.

The Coca-Cola report provides a rare and chilling account of the intricate and determined ways that hackers raided its files - from pilfering internal e-mails to gaining the ability to access almost any server, workstation or laptop on the network with full remote control. Hackers made daily incursions through Coca-Cola networks for at least one month, often using systems that were first compromised by infected e-mails sent to executives.

It is unclear whether the attack played a role in the demise of the Huiyuan acquisition.

A Coca-Cola spokesman said the firm would not discuss "security matters", but in a statement said it "manages security risks in conjunction with the appropriate security and law enforcement organisations around the world".

Comment has extensive reach, having penetrated computer networks from the European Union Council to powerful Washington law firms to workers at a US nuclear power plant.

The Chinese Foreign Ministry said accusations that China engaged in broad hacking efforts were unfair "without concrete evidence and investigation".

Hackers showed prowess in penetrating the networks of Coca-Cola.

In 2008, shareholders of Huiyuan, the biggest fruit and vegetable juice company in China, hired Goldman Sachs to find a buyer for the company. After months of due diligence, Coca-Cola made the highest offer at US$2.4 billion. The deal was announced on September 3, 2008, pending approval from China's Ministry of Commerce.

Two weeks later, Paul Etchells, then the deputy president of Coca-Cola's Pacific group, met officials from the US Embassy in Beijing and expressed confidence that the deal would clear China's internal antitrust review, according to a US State Department cable published by Wikileaks.

Amid this review, the company learned that its computer systems had been breached and sensitive deal information taken from the computer account of Etchells on March 3, 2009, according to the internal report on the attack.

The investigation traced the breach back to an e-mail that appeared in Etchells' in-box on February 16, 2009.

The body of the e-mail contained a link to a file that purported to contain a message from the chief executive.

When Etchells clicked on the link, malware was surreptitiously loaded onto his machine, giving hackers full access to his computer through the internet. They installed a keystroke logger, which captured everything the executive typed.

Once in control of the computer, the hackers installed various other programs, gaining access to the company's corporate network and using Etchells' machine as a staging point to store and download data taken from other computers.

On March 13, 2009, a disguised malicious e-mail was sent to Brenda Lee, a Coca-Cola public affairs executive in China. When she opened an attached file, malware exploited a vulnerability in the software and gave hackers access to her machine, and to e-mails related to the Huiyuan deal and forwarding them to a Gmail account whose owner could not be identified.

Five days after the malicious e-mail landed in Lee's inbox and one month after Etchells' machine was compromised, the Chinese Ministry of Commerce rejected Coca-Cola's acquisition, citing antitrust grounds.