Spend enough time with cybersecurity experts and chances are you will hear some variation of this line: There are two types of companies in the United States, those that have been hacked and those that don’t yet know they’ve been hacked.
Government intelligence officials and cybersecurity specialists say hackers — predominantly from China — are siphoning gigabytes, if not terabytes, of data from companies in the United States every day. We count on much of this information to deliver the innovative products and services that will lead to new jobs and economic growth. The security software company McAfee estimates that in 2008 alone, companies around the world lost more than $1 trillion because of this sort of intellectual property theft.
“I’ve seen behind the curtain,” Shawn Henry, the Federal Bureau of Investigation.’s former top cyber agent, who recently joined the cybersecurity start-up CrowdStrike, told me in an interview in April. “I can’t go into the particulars because it’s classified, but the vast majority of companies have been breached.”
The problem is that such breaches rarely make headlines because companies fear what disclosure will mean for their stock price. Google was the first to try to change that mentality when, in 2010, it disclosed that it and 34 other companies, many based in Silicon Valley, had been attacked by Chinese hackers. Of those 34, only Intel and Adobe Systems came forward, and they provided few details.
Still, news of some breaches leak out. That was the case, most recently, with Coca-Cola. This month, Bloomberg News reported that Coca-Cola was breached by Chinese hackers in 2009 during a failed $2.4 billion takeover attempt of the China Huiyuan Juice Group. That attempted deal would have been the largest foreign acquisition of a Chinese company.
Now, a 2010 case study published by the Mandiant Corporation, a cybersecurity firm, may offer further details. The study, which does not mention Coca-Cola specifically, details a 2009 breach of a “Fortune 500 Manufacturer” that aligns almost perfectly with Bloomberg’s account of Coca-Cola’s breach.
According to the study:
In 2009, a U.S. based Fortune 500 manufacturing company initiated discussions to acquire a Chinese corporation. During the negotiations, APT [advanced persistent threat] attackers compromised computers belonging to the executives of the U.S.-based company, most likely in an effort to learn more details of the negotiations. Sensitive data left the company on a weekly basis during negotiations, potentially providing the Chinese company with visibility to pricing and negotiation strategies.
As Bloomberg reported, Mandiant’s study said the company gained knowledge of the breach only when law enforcement officials notified it of the intrusion. The study also details how hackers penetrated the company via a so-called spearphishing attack, in which the attackers sent e-mails to certain executives from a fake account ostensibly belonging to the chief executive.
According to Bloomberg, an e-mail containing the subject line: “Save power is save money! (from CEO)” was sent to the e-mail account of Bernhard Goepelt, Coca-Cola’s current general counsel. The e-mail contained a malicious link that, once clicked, downloaded malware that gave the attackers full access to Coca-Cola’s network.
Mandiant’s 2010 report said the e-mail “was crafted to look like it originated from a fellow employee and discussed a message from the CEO on conserving resources.”
Tal Be’ery, a senior Web researcher at Imperva, a data security firm, compared details of the Coca-Cola breach with Mandiant’s study and said the two accounts clearly referred to the same company. Executives at Mandiant and media officers at Coca-Cola did not return requests for comment.
If Mandiant’s study is, in fact, based on Coca-Cola, then it offers new insights into the breach. According to the study, once in, hackers used password-stealing software to gain access to other systems on the company’s network. They also used the compromised executive’s account to launch what is known as an SQL server attack, in which hackers exploit a software vulnerability and enter commands that cause databases to produce their contents.
But one of the most interesting aspects of the breach, according to Mandiant, was how well the attackers had concealed their tracks. According to Mandiant, hackers used so-called stub malware. This is an agile agent whose code can be tweaked by hackers to use it for various functions while leaving a small forensic footprint.
The one discrepancy between the Bloomberg and Mandiant accounts was why, ultimately, the company’s acquisition fell apart. According to Bloomberg, Coca-Cola’s takeover attempt of China Huiyuan Juice Group was thwarted because China’s Ministry of Commerce rejected it for antitrust reasons. Mandiant’s report offered a different take:
The intrusion had a significant impact on the victim organization. As a result of the compromise, the U.S. company terminated their acquisition plans. While it was not possible to determine all the data that had been lost, the victim company was not able to compete the acquisition and accomplish their business objectives.
Updated: In an e-mail, Kent J. Landers, a spokesman for Coca-Cola, said that the company does not comment on security matters, but said Coca-Cola did not complete its acquisition of China Huiyuan Juice Group ”as a result of the China Ministry of Commerce declining approval for the proposed transaction.”
