The U.S. Chamber of Commerce was breached a year ago by Chinese hackers targeting four employees working on Asia-related policy.
The hackers may have had access to the lobbying organization's network for more than a year before they were blocked and removed in May 2010, two unidentified sources told The Wall Street Journal Dec. 21. A Chamber of Commerce spokesperson confirmed the incident and told eWEEK that the scope of the attack was limited.
It appears the attackers infiltrated at least 300 Internet addresses, stole six weeks of email correspondence from four employees who were focused on Asian policy, and had access to all the information the Chamber of Commerce has on its 3 million members. It is not known whether the attackers actually viewed the member information, according to The Wall Street Journal report.
"What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence," David Chavern, the Chamber of Commerce's COO, told The Journal.
The emails were stolen from four employees who focused on Asian policy and contained information such as trade policy documents, trip reports and schedules.
The FBI discovered the breach, and the agency notified the Chamber of Commerce that information was being stolen. The organization unplugged and destroyed several of the compromised computers before quietly overhauling its entire network to implement sophisticated detection equipment that would be able to isolate future attacks quickly.
"The fact that the Chamber of Commerce had to be alerted by the FBI that data from their network was heading out to servers in China shows they did not have the appropriate endpoint-monitoring capabilities and log management technology in place to see who was accessing their data and where it was going," David Pack, manager of LogRhythm Labs, told eWEEK.
It appears that the attackers had built at least a half-dozen backdoors to be able to enter the network quietly, sources told The Journal. The compromised computers also quietly communicated with computers based in China every week or so, The Journal reported.
Modern IT infrastructure can be very "porous," and it's difficult for security teams to "understand it all," Mike Lloyd, CTO of RedSeal Networks, told eWEEK. The Journal report highlighted "significant outbound holes," as it appears the infiltrators were able to "exfiltrate" the data they found, Lloyd said. Most organizations build some defenses against inbound attacks, but very few effectively know how to control outbound traffic, he said.
Organizations need to have technology and policies in place to detect outbound network traffic, detect data leakage and use the right forensics to lock down problems, according to Pack.
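As an added illustration (not part of the original article or of any vendor's product), the following Python sketch shows one way outbound flow logs can be checked for the kind of low-frequency, regular check-ins described above, where compromised machines contacted external computers every week or so. The record format, addresses, thresholds and function names are assumptions chosen for the example, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def sample_flows():
    """Constructed outbound flow records: (time, internal source, external destination)."""
    start = datetime(2024, 1, 1, 2, 15)
    flows = []
    # Host .21: one external address about every 7 days, with a few hours of jitter.
    for week, jitter_h in enumerate([0, 3, -2, 5, 1, -4]):
        flows.append((start + timedelta(days=7 * week, hours=jitter_h), "10.0.0.21", "203.0.113.40"))
    # Host .35: irregular, bursty traffic to another address.
    for day in [0, 1, 2, 9, 10, 30, 31]:
        flows.append((start + timedelta(days=day, hours=day % 5), "10.0.0.35", "198.51.100.7"))
    # Host .50: only two connections, too few to judge a cadence.
    flows.append((start, "10.0.0.50", "192.0.2.9"))
    flows.append((start + timedelta(days=7), "10.0.0.50", "192.0.2.9"))
    return flows


def find_slow_beacons(flows, min_events=4, max_cv=0.15):
    """Return (src, dst, mean_period_days, events) for pairs with a regular cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # not enough history to estimate a period
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        # Coefficient of variation: a low value means evenly spaced connections.
        if pstdev(gaps) / avg <= max_cv:
            findings.append((src, dst, round(avg / 86400, 1), len(times)))
    return findings


if __name__ == "__main__":
    for finding in find_slow_beacons(sample_flows()):
        print(finding)
```

A weekly cadence only becomes measurable when outbound logs are retained for many weeks, so log retention matters as much as the check itself.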
This article was originally published on 12-22-2011