By Alan Sipress
Washington Post Staff Writer
Friday, October 6, 2006
Hackers operating through Chinese Internet servers have launched a debilitating attack on the computer system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month, Commerce officials said yesterday.
The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market.
This marked the second time in recent months that U.S. officials confirmed that a major attack traced to China had succeeded in penetrating government computers.
"Through established security procedures, BIS discovered a targeted effort to gain access to BIS user accounts," said Commerce Department spokesman Richard Mills. "We have no evidence that BIS data has been lost or compromised."
The significance of the attacks was underscored in a series of e-mails sent to BIS employees by acting Undersecretary of Commerce Mark Foulon since July, informing them of "a number of serious threats to the integrity of our systems and data." In an August e-mail, Foulon reported that the bureau had "identified several successful attempts to attack unattended BIS workstations during the overnight hours." Then, early last month, he wrote: "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient."
A source familiar with the security breach said the hackers had penetrated the computers with a "rootkit" program, a stealthy form of software that allows attackers to mask their presence and then gain privileged access to the computer system. The attacks were traced to Web sites registered on Chinese Internet service providers, Commerce officials said. "We determined they were owned by the Chinese," a senior Commerce official said. He did not say who in China was responsible or whether officials had even been able to identify the culprits. Although bureau employees were informed of the problem in July, Commerce officials declined to say when the attacks were discovered and how long they had been going on. Only over time did bureau officials realize the extent of the damage from the breach.
"The more we learned, the more we did," the senior official said.
Since Sept. 1, the bureau has blocked employees from accessing the Internet from their own computers. Instead, several separate computers unconnected to the BIS computer network have been set up so employees can try to continue carrying out their duties.
Commerce officials have also decided they cannot salvage the workstations that employees had been using and instead will build an entirely new system for the bureau in the coming months with "clean hardware and clean software," the senior official said. Foulon told employees in late August that they hoped to replace all the bureau's workstations within three months.
The official acknowledged that some of the emergency measures have made it more difficult for the bureau to communicate with other government agencies and the public, including companies that turn to BIS for export licenses.
In July, the State Department confirmed that hackers in China had broken into its computers in Washington and overseas. Last year, U.S. officials reported that the Defense Department and other U.S. agencies were under relentless attack from unidentified computers in China.
China has long been a focus of high-level attention at BIS and was the destination for the largest number of licenses approved by the bureau in 2004, according to the bureau's most recent annual report. In weighing applications for licenses, bureau officials seek to protect U.S. national security interests without hamstringing legitimate commercial trade.
Commerce officials recently reported that they had taken significant steps to enhance computer security at the department, both by deploying new software and improving the management of the system.
These steps came after the General Accounting Office (since renamed the Government Accountability Office) issued a scathing report five years ago, which concluded that "significant and pervasive computer security weaknesses place Department of Commerce systems at risk." The report found that outsiders could gain unauthorized access to the computer system and access confidential data. "Intruders could disrupt the operations of systems that are critical to the mission of the department," the report found.