The intrusion failed in part because the attackers slipped up and because a Digital Bond researcher was alert. The e-mail was signed “Peterson.” But the security researchers knew that their boss uses his first name on e-mail, not his last.
Other security researchers asked to review the situation found the attachments were not actually .pdf documents but “executable files” that deposited “Trojan horse” code when a computer user clicked on them, said Jaime Blasco, security lab manager at AlienVault, who reviewed the attack.
Blasco and his partner, Ruben Santamarta of the security firm IOActive, found the hackers had used multiple Web server computers to give instructions to the malicious code. The electronic trail on those servers led to other victims, including the Chertoff Group; NJVC of Vienna, Va., a contractor for the National Geospatial-Intelligence Agency; and the National Electrical Manufacturers Association (NEMA) in Arlington County, which represents companies that make components for power grids.
Officials at NJVC and NEMA acknowledged the attacks but said employees prevented network intrusions. Department of Homeland Security officials declined to discuss the episodes.
The scope of the attacks expanded in July, when the cybersecurity group EnergySec was hit. EnergySec President Patrick Miller also reached out to Blasco for help. Based on evidence, it appeared to be the same attackers: a group of Chinese hackers that had been using social engineering for nearly a decade to break into systems across the globe with impunity.
Cyber-researchers have dubbed them the Comment Crew or Comment Group. The name stems from the fact that hackers include attack commands in the comments that programmers typically include in HTML code to document their goals or make notes of changes.
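As an added illustration (not code from the article or from any of the researchers it quotes), the short Python script below shows how a defender can pull the comments out of a fetched HTML page and flag ones that hold an encoded string rather than ordinary developer notes, the hiding place the article attributes to the Comment Crew. The sample page and the placeholder address it encodes are constructed for this example.

```python
import re
import base64
import binascii

# Constructed placeholder, not a real indicator from the article
PAYLOAD = b"http://c2.example.invalid/checkin"

# Constructed sample page: two ordinary developer comments plus one
# comment carrying a base64-encoded string in place of a note
SAMPLE_HTML = f"""<html><head><title>Bulletin</title></head>
<body>
<!-- TODO: update footer before release -->
<p>Welcome to the member portal.</p>
<!-- {base64.b64encode(PAYLOAD).decode()} -->
<!-- 2024 layout refresh -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A real note has spaces and punctuation; a lone base64 run does not
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_comments(html):
    """Return the stripped text of every HTML comment in the page."""
    return [c.strip() for c in COMMENT_RE.findall(html)]


def decodes_as_text(token):
    """Return the decoded string if token is valid base64 holding
    printable ASCII, otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def suspicious_comments(html):
    """Return (comment, decoded_text) for comments that look like an
    encoded instruction rather than a developer note."""
    hits = []
    for comment in extract_comments(html):
        if B64_RE.match(comment):
            decoded = decodes_as_text(comment)
            if decoded is not None:
                hits.append((comment, decoded))
    return hits


if __name__ == "__main__":
    for comment, decoded in suspicious_comments(SAMPLE_HTML):
        print(f"flagged comment {comment!r} decodes to {decoded!r}")
```

In practice a check like this would run over proxy-captured pages or a web-filter feed and feed the flagged comment text to an analyst, since a single hit is a lead rather than proof.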
The Comment Crew has become notorious for using simple social-engineering techniques, including well-crafted e-mails, in elaborate hacks that breach security, load “remote access tools,” or RATs, and siphon off oceans of data from victims.
Though it is sometimes impossible to definitively identify hackers, because of the hall-of-mirrors nature of cyberspace, they often leave behind compelling digital evidence. Researchers said the IP address of a Web server and a particular method of writing HTML comments links the attacks on the gas pipeline executives to those against the Chertoff Group and others. It also links the current campaign to a series of earlier devastating attacks by the Comment Crew, dubbed Operation Shady RAT.
Those intrusions compromised hundreds of systems over at least five years, including federal agencies, defense contractors and the United Nations, according to studies by McAfee and the Dell SecureWorks Counter Threat Unit.
“The above patterns of attack are very similar to attacks carried out by the actors responsible for the Shady RAT campaign,” said Ned Moran, a researcher at the nonprofit Shadowserver Foundation who also analyzed the attack on Digital Bond.
Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, estimates the group has at least 100 members who work at specific tasks such as social-engineering research, malware development and the processing of stolen information. In essence, the Comment Crew has made a business of cyber-espionage. Their activity online shows they typically work 9 to 5 — Shanghai time — and take off Chinese holidays.
Stewart and others say Chinese hackers have been using a troubling variation of social engineering called a “watering hole” attack. Instead of sending e-mails with links — something that some security-conscious computer users now avoid — they try to entice wary victims to visit familiar, authentic Web sites that have been secretly loaded with attack code. Think of a lion near a watering hole.
One ploy involves an e-mail announcement of online coupons for half-price drinks or food at a favorite bar. The attack comes when the victims visit the Web site seeking the coupons and unwittingly download the malware.
In a new report, Symantec researchers said some hackers are simply co-opting Web pages popular in certain industries, such as the energy sector, and waiting for victims to arrive.
With enough money, focus, malware and social-engineering skills, “anybody can get into anyplace,” Stewart said. “The most careful person is not going to have a defense against it.”