Exposing the weak link
Indictment of five Chinese military officials accused of stealing trade secrets highlights vulnerability of some of the biggest corporations
Some of the biggest companies in the US remain vulnerable to one of the oldest hacking tricks in the book, according to Monday's indictment of five Chinese military officials accused of stealing trade secrets.
The common tactic, called spearphishing, was used to access the computer networks of companies including United States Steel and Alcoa, according to the US Department of Justice, which unveiled the charges yesterday.
By sending employees false e-mails purporting to be official messages, hackers were able to trick them into divulging user names, passwords and other sensitive information.
The charges, which effectively accuse China and its government of using cyber-espionage to steal technology, expose what remains a gaping hole for many companies: their own workers. Even though computer-security firms are profiting from record spending on technologies to prevent hacks, people end up being the weakest link in such attacks, according to Dmitri Alperovitch, chief technology officer of CrowdStrike, a cybersecurity firm in California.
"It's not the vulnerability in the computer - it's the vulnerability in the human that always gets targeted," Alperovitch said. "This is not a problem like cancer where you can get to an end point where you can declare you've won."
Even with the computer-security industry poised to top US$85 billion in revenue by 2016 - almost 70 per cent higher than at the start of the decade, according to Gartner - it will be of little use if attackers are successful in targeting companies and employees with spearphishing attacks.
Annual losses from cybercrime, intellectual-property theft from corporations and other costs could run as high as US$400 billion, according to the Centre for Strategic and International Studies and McAfee, an Intel company. There were 450,000 known phishing attacks in 2013 and losses from them reached a record US$5.9 billion, according to EMC.
The indictment alleges the Chinese officers conspired to steal trade secrets and other information from US companies specialising in solar panels, metals and next-generation nuclear power plants.
Westinghouse Electric, Allegheny Technologies, SolarWorld and a US steelworkers' union were among the companies and organisations named in the indictment.
Spearphishing, a more targeted version of mass-e-mail phishing attacks, has long been known as a glaring vulnerability. In 2011, RSA Security, a unit of EMC, was hacked that way, exposing a hiring campaign. A Coca-Cola executive opened a spearphishing message in 2012, leading hackers to gain access to internal company documents.
At Alcoa, about 19 employees received an e-mail purporting to be from a board member, Carlos Ghosn, who is also chief executive of Nissan Motor.
An attachment to the message, once opened, unleashed a virus that penetrated Alcoa's network. While Ghosn was not directly identified in Monday's indictment, the document refers to a director with the initials "C.G.". Ghosn was the only board member at the time matching that description. Chris Keeffe, a spokesman for Nissan, and Monica Orbe, a spokeswoman for Alcoa, declined to comment.
Some of the main targets are personal assistants, who play a central role inside companies and are targeted because they often have access to executives' calendars, contact lists and e-mail accounts, according to Kevin Haley, director of Symantec Corp's Security Response team.
Public-relations professionals are the other type of worker targeted most often, because their names and e-mail addresses are easy to harvest from public web pages. They are also accustomed to hearing from people they do not already know, Haley said.
Senior management is at medium risk of being hacked, while salespeople, recruiters, corporate officers and researchers pose the lowest risk, Symantec said in a report last month that ranked occupations by their likelihood of being targeted.
Support staff are particularly vulnerable because many companies overlook them as cybersecurity risks and do not spend enough time on training, Haley said.
The charges against the Chinese military officers should prompt more US firms to work with the government and share information about hacking incidents, Alperovitch said.
Employee education is also key. Riptide IO, a Santa Barbara firm that helps companies manage data from their buildings, issues frequent warnings about not putting passwords in e-mail and other basic cybersecurity measures to ensure that every employee is aware of hacking risks, chief executive Mike Franco said.
"Everybody has to realise that exposure does come from people, not technology," Franco said. "You can't stop this kind of intrusion with good technology. You have to do it with learning and education and attitude changes and awareness."