WASHINGTON — The victims were their own worst enemies.
The hacking techniques that the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening e-mail attachments or clicking on innocent-looking website links.
The scariest part might be how successfully the ruses worked. With a mouse click or two, employees at big-name American makers of nuclear and solar technology gave away the keys to their computer networks.
In a 31-count indictment Monday, the Justice Department said five Chinese military officials operating under hacker aliases such as “Ugly Gorilla,” “KandyGoo” and “Jack Sun” stole confidential business information, sensitive trade secrets and internal communications for competitive advantage. The U.S. identified the alleged victims as Alcoa World Alumina, Westinghouse, Allegheny Technologies, U.S. Steel, United Steelworkers Union and SolarWorld.
China denied it all Tuesday, warning that the United States was jeopardizing military ties by charging five Chinese officers with cyberspying and tried to turn the tables by calling Washington “the biggest attacker of China’s cyberspace.”
China announced it was suspending cooperation with the United States in a joint cybersecurity task force.
The testy exchange marked an escalation in tensions over U.S. complaints that China’s military uses its cyber-warfare skills to steal foreign trade secrets to help the country’s vast state-owned industrial sector. A U.S. security firm, Mandiant, last year said it traced attacks on American and other companies to a military unit in Shanghai.
“The Chinese government and Chinese military, as well as relevant personnel, have never engaged and never participated in so-called cybertheft of trade secrets,” Foreign Ministry spokesman Hong Lei said in Beijing. “What the United States should do now is withdraw its indictment.”
What the Justice Department is doing instead is spelling out exactly how it says China pulled it off.
The U.S. says the break-ins were more Austin Powers than James Bond. In some cases, the government says, the hackers used “spear-phishing” — a well-known scam to trick specific companies or employees into infecting their own computers.
The hackers are said to have created a fake e-mail account under the misspelled name of a then-Alcoa director and fooled an employee into opening an e-mail attachment called “agenda.zip,” billed as the agenda to a 2008 shareholders’ meeting. It exposed the company’s network.
At another time, a hacker allegedly e-mailed company employees with a link to what appeared to be a report about industry observations, but the link instead installed malicious software that created a back door into the company’s network.
“We are so used to solving problems by clicking an e-mail link, looking at the information and forwarding it on,” said Chris Wysopal, a computer-security expert and chief technology officer of the software-security firm Veracode. “And if hackers know about you and your company, they can create really realistic-looking messages.”
The United States denies spying for commercial advantage, although documents released by former National Security Agency contractor Edward Snowden said the NSA broke into the computers of Brazil’s main state-owned oil company, Petrobras. Brazilian President Dilma Rousseff said if that was true, then the motive would be to gather economic information.
