By: Michael Riley & Sara Forden | Bloomberg Businessweek
March 9 (Bloomberg) -- The FBI broke the news to executives at DuPont Co. late last year that hackers had cracked the company’s computer networks for the second time in 12 months, according to a confidential Dec. 9, 2010, e-mail discussing the investigation.
About a year earlier, DuPont had been hit by the same China- based hackers who struck Google Inc. and unlike Google, DuPont kept the intrusion secret, internal e-mails from cyber-security firm HBGary Inc. show. As DuPont probed the incidents, executives concluded they were the target of a campaign of industrial spying, the e-mails show.
The attacks on DuPont and on more than a dozen other companies are discussed in about 60,000 confidential e-mails that HBGary, hired by some of targeted businesses, said were stolen from it on Feb. 6 and posted on the Internet by a group of hacker-activists known as Anonymous. The companies attacked include Walt Disney Co., Sony Corp., Johnson & Johnson, and GE, the e-mails show
The incidents described in the stolen e-mails portray industrial espionage by hackers based in China, Russia and other countries. U.S. law enforcement agencies say the attacks have intensified in number and scope over the past two years.
“We are on the losing end of the biggest transfer of wealth through theft and piracy in the history of the planet,” said Democratic Senator Sheldon Whitehouse of Rhode Island, who chaired a U.S. Senate Select Committee on Intelligence task force on U.S. cyber security in 2010. Its classified report addressed weaknesses in network security.
FBI Deputy Assistant Director Steven Chabinsky, who works in the agency’s cyber division, said it would be hard to imagine that the scale of the current range of cyber attacks could grow larger.
“It appears that every industry is being victimized by intrusions,” he said.
The companies identified by Bloomberg News from the e-mails never disclosed the security breaches to investors or regulators. Secrecy may be a reason why the dangers of the intrusions are “underappreciated” by investors and regulators, Whitehouse said in an interview.
“The companies don’t want to disclose it,” he said. “They want to just basically eat the harm that was done to them and pretend that all is well.”
HBGary, based in Sacramento, California, is one of a handful of cyber-security firms, including Santa Clara, California-based McAfee Inc. and Alexandria, Virginia-based Mandiant Corp., that are hired by global companies to investigate illegal computer break-ins and advise on how to prevent them. HBGary shares its forensic findings with other security firms and got information on undisclosed break-ins in return, the e-mails show.
The targets of the recent attacks included energy, pharmaceutical and defense companies, as well as the high-tech manufacturers of global satellite imagery and smart bombs, according to the HBGary e-mails, which include correspondence with clients or potential clients such as DuPont.
Executives of attacked companies feared the intrusions would spark questions from investors and regulators about what was stolen, according to the e-mails and interviews with cyber- security experts such as Scott Borg, director of the nonprofit U.S. Cyber Consequences Unit and Kevin Mandia, chief executive officer of Mandiant. All said they can’t discuss specific clients because of nondisclosure agreements.
Events considered “material” must be reported to investors under U.S. securities laws.
Google said in January 2010 it had lost intellectual property assets to hackers based in China. It also said that about 20 other companies it declined to identify then and again on March 7 were victims of the same kind of intrusions. Adobe Systems Inc. said it had been attacked by hackers based in China. Intel Corp. said it was attacked in a “sophisticated incident” around the same time as Google. Others remained silent. DuPont denied it had been hacked.
The attacks on DuPont were disclosed in some of the stolen HBGary e-mails, which Bloomberg News examined.
“DuPont’s concern and comfort factor was puckered when they received external notice of breach by FBI,” Jim Butterworth, HBGary’s vice president for services, wrote colleagues on Dec. 9, 2010, regarding the second attack. “DuPont likes that we have close ties to them and other three letter agencies.”
Earlier, a DuPont internal investigation had discovered that some of its computers were implanted with spyware during a business trip to China where the PC’s were stored in a hotel safe, according to a Feb. 4, 2010, e-mail by HBGary’s Rich Cummings.
“To DuPont it’s personal,” HBGary investigator Bob Slapnik wrote after a meeting with company managers in December 2009. “They believe their bad guys are the Chinese who want to catch up and leapfrog them in the global marketplace.”
The attacks were done by hackers who represented “people, organizations and countries that strive to do them harm,” in the view of DuPont managers, Slapnik wrote.
A spokesman for China’s embassy in Washington, Wang Baodong, said China is a victim of hacking attacks and “the wrong target of unwarranted blame.” Its government supports international efforts to fight hacking, he said by e-mail.
DuPont spokesman Dan Turner said the company doesn’t comment on “cyber security-related risks.” Johnson & Johnson spokeswoman Carol Goodrich declined to comment. Representatives of Disney and GE didn’t return phone calls and e-mails seeking comment. A Sony spokeswoman declined to comment and asked not to be identified because of company policy.
Energy Company Assault
Among HBGary’s clients was Houston-based drilling company Baker Hughes Inc., which said it was hacked recently as part of a wide assault on energy companies. Baker Hughes provides advanced drilling equipment and proprietary techniques for assessing the quality and accessibility of oil reserves.
HBGary Chief Executive Officer Greg Hoglund wrote in a January e-mail that his company had been tracking cyber attacks against oil and gas companies aimed at “stealing competitive bids, architectural plans, project definition documents, functional operational aspects to use in competitive bid situations from Siberia to China.”
Hoglund wrote in the January e-mail that “when dealing with energy bids the potential loss is billions.”
Butterworth, the HBGary vice president, said the company won’t comment on the e-mails, except to say it was the victim of a crime and the e-mails were stolen.
A Baker Hughes spokesman, Gary Flaharty, confirmed in an interview last month that his company’s networks were breached.
Baker Hughes decided the intrusion was not a material event and so didn’t file a disclosure with U.S. regulators, he said.
A previous review of HBGary e-mails by Bloomberg News showed hackers also stole proprietary data from Exxon Mobil Corp., Royal Dutch Shell Plc, BP Plc, ConocoPhillips, and Marathon Oil Corp, as well as Morgan Stanley.
In e-mails mentioning Sony, J&J, GE and other companies, there’s little detail on what was taken or how deeply the hackers penetrated. Much of the e-mail traffic involved the technical work of hunting hackers who have infiltrated computer networks with stealthy tools.
HBGary investigator Sam Maccherola said in an e-mail to two company colleagues that Sony had asked for help in dealing with an attack that “looks relatively nasty.”
In the case of GE, disclosure was enough of a concern that the company’s lawyers reviewed whether to approve the release of malware -- malicious software -- found on their network so that HBGary investigators could analyze it, the e-mails show.
Hackers also appear to be widening their targets, stealing information from vendors or contractors that may have strategic data about their clients, including public relations and law firms, Chabinsky said.
Law Firm Attack
Among those attacked, the e-mails show, was Atlanta-based King & Spalding LLP, the 38th biggest law firm in the country in 2010, according to the National Law Journal. The e-mails don’t indicate what information the hackers targeted. Among King & Spalding’s practice specialties is corporate espionage, according to the firm’s website.
Les Zuke, spokesman for King & Spalding, didn’t return phone calls seeking comment.
HBGary investigators routinely worked 60 to 80 hours a week to plug holes in networks, often exchanging information about the attacks with other cyber-security firms, as companies fretted they were losing secret data, the e-mails show.
“I’ve been battling with APT for the last 6 months,” Matthew Babcock, an employee of the CareFirst BlueCross BlueShield, a health insurance provider in Maryland and Washington, wrote in an e-mail to HBGary investigators as he sought help with the intrusion. APT refers to an “advanced persistent threat,” a sophisticated form of hacking that is difficult to identify and remedy.
“I am sure they are watching me just as I am watching them,” Babcock said.
Security experts say that the hackers’ techniques now surpass the ability of even the most sophisticated companies to catch them easily. The e-mails show that hackers routinely bypassed firewalls with so-called spear-fishing e-mails that target executives, tricking the companies’ own employees into downloading malicious software and infecting their own networks.
“You can’t buy enough security to match the threat today,” said Anup Ghosh, chief executive officer of the cyber security firm Invincea Inc.
QinetiQ Group Plc, a London-based defense company, found out its secure network had been breached after the FBI noticed suspicious traffic between the Pentagon contractor and an unidentified U.S. government agency, an HBGary report attached to an e-mail shows.
The company’s investigation, which HBGary aided, found that the hackers may have gone unnoticed within the breached network for more than a year.
“Given that we continue to find malware from early 2009 it may be a matter of them never having left,” one HBGary investigator wrote in September, as the company struggled to contain the intrusion.
“We’ve made changes to ensure we secure everything as well as possible,” said Sophie Barrett, a QinetiQ spokeswoman. “We’d rather not continue to give the story life,” she said, declining to comment further.
The investigators followed the hackers’ electronic footprints from QinetiQ to a command-and-control server that appeared to be directing attacks against at least three other Pentagon contractors, including Alliant Techsystems Inc., which makes smart weapons.
A spokesman for Minneapolis-based Alliant, Bryce Hallowell, declined to comment on cyber security matters.
“They only steal ITAR restricted data,” HBGary’s CEO wrote in an October 2010 e-mail to the FBI, alerting the agency to the other possible breaches. ITAR refers to International Traffic in Arms Regulations, which limit exports of critical defense-related technology.
The FBI supervisor responded that he would send over an agent from the Sacramento office over immediately for more information.
“I like to avoid unencrypted e-mail if possible,” the agent wrote back.