Report: Hackers hit 2,500 companies, agencies

Posted Feb. 18, 2010 at 6:10 a.m.

Dow Jones Newswires | Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.

Disclosure of the attack comes on the heels of Google Inc.’s allegation that it and more than 20 other companies were breached by Chinese hackers. This operation appears to be more far-reaching, infiltrating some 75,000 computers and touching 196 countries. The highest concentrations of infected computers are in Egypt, Mexico, Saudi Arabia, Turkey and the U.S.


The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn’t clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used. Two companies that were infiltrated, pharmaceutical giant Merck & Co. and Cardinal Health Inc., said they had isolated and contained the problem.

Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier’s military email account, NetWitness found. A Pentagon spokesman said the military didn’t comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

Data stolen from another U.S. company pointed to an employee’s apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.

The spyware used in this attack allows hackers to control computers remotely, said Amit Yoran, chief executive of NetWitness. NetWitness engineer Alex Cox said he uncovered the scheme Jan. 26 while installing technology for a large corporation to hunt for cyberattacks.

That discovery points to the growing number of attacks in recent years that have drafted computers into cyber armies known as botnets–intrusions not blocked by standard antivirus software. Researchers estimate millions of computers are conscripted into these armies.

“It highlights the weaknesses in cyber security right now,” said Adam Meyers, a senior engineer at consulting firm SRA International Inc. who reviewed the NetWitness data. “If you’re a Fortune 500 company or a government agency or a home DSL user, you could be successfully victimized.”

NetWitness, based in Herndon, Va., said it was sharing information with the companies infected. Mr. Yoran declined to name them. The company provides computer security for U.S. government agencies and companies. Mr. Yoran is a former Air Force officer who also served as cyber security chief at the Department of Homeland Security.

Besides Merck and Cardinal Health, people familiar with the attack named several other companies infiltrated, including Paramount Pictures and software company Juniper Networks Inc. (JNPR).

Merck said in a statement that one computer had been infected. It said it had isolated the attack and that “no sensitive information was compromised.”

Cardinal said it removed the infected computer from its network. Paramount declined to comment. Juniper’s security chief, Barry Greene, wouldn’t speak about any specific incidents but said the company worked aggressively to counter infections.

NetWitness, which does extensive work for the U.S. government and private-sector clients, said it was sharing its information with the Federal Bureau of Investigation. The FBI said it received numerous allegations about potential compromises of network systems and responded promptly, in coordination with law-enforcement partners.

The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form. It works with the Firefox browser, according to computer-security firm SecureWorks. This version included a $2,000 feature that works with Firefox, according to SecureWorks.

 

25 comments:

  1. who donit Feb. 18, 2010 at 8:15 a.m.

    2 of my pc’s crashed, despite my anti-virus/anti-malware software running…..

  2. justme Feb. 18, 2010 at 8:18 a.m.

    Who donit- stop watching so many nudie people on the internet.

  3. gposner Feb. 18, 2010 at 8:21 a.m.

    Only imbeciles put sensitive information on their computers in the first place.

  4. thedevilsadvocate Feb. 18, 2010 at 9:00 a.m.

    “Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.”
    Soooooo, in other words, typical social engineering attack. For 2411 companies, that means at least 2411 complete idiots clicked on malware links and provided some type of privileged information. Proof once again that there’s one born every minute.

  5. Walter White Feb. 18, 2010 at 9:10 a.m.

    The sad thing is – it wasn’t even a very good picture of Anna Kournikova.

  6. DebS Feb. 18, 2010 at 9:18 a.m.

    gposner,
    uhmm…where else should people put their computerized business or financial information?

  7. Geno Feb. 18, 2010 at 9:31 a.m.

    I guess you are only as good as your weakest link, and these hackers know how to find them. Companies should make you take an internet test before you’re hired, in which you are given some situations that determine whether you are stupid enough to actually allow the virus onto the computer. Not giving inept workers access to your network might be the best security out there.

  8. Bob Feb. 18, 2010 at 9:32 a.m.

    gposner – Member in Good Standing: Flat Earth Society

  9. CorporateMondayQB Feb. 18, 2010 at 10:08 a.m.

    All affected (infected) companies should have their HR recruiters patrolling comment boards such as this one when looking to hire their IT security people.
    Judging from these comments, it appears that the smartest people in the world are underemployed and spending all their time on these sites, sharing their wisdom after-the-fact.

  10. BritGuy Feb. 18, 2010 at 10:10 a.m.

    A lot of this would be reduced if people stopped using PCs and used Apple Macs instead. Still, even these can be compromised if people are stupid enough to install Trojan software on their machines.
    The big difference though is that PCs allow you to do it without you knowing about it.

  11. MountAnalogue Feb. 18, 2010 at 10:24 a.m.

    It may seem like Monday morning quarterbacking, but honestly, who in their right mind nowadays would actually click on spam links, especially someone employed at a large corporation that handles sensitive data? 2411 idiots indeed!

  12. tom Feb. 18, 2010 at 10:31 a.m.

    This would not be a problem if these companies would simply patch their endpoints with an effective patching solution instead of relying on some outdated desktop and server management tool.

  13. Spike Feb. 18, 2010 at 10:47 a.m.

    Hey gposner – welcome to the 21st Century!
    Tell us – how is it back in 1979?

  14. BigPete5 Feb. 18, 2010 at 11:03 a.m.

    This sounds an awful lot like cyber warfare. As we have a cyber warfare department in the department of defense now, why aren’t we fighting back by infecting the attacks and melting their hard drives???

  15. Lee Feb. 18, 2010 at 11:28 a.m.

    Well let’s all head to the next HACKERS convention and do some botnetting of our own

  16. HA HA HA Feb. 18, 2010 at 11:54 a.m.

    @Lee: Ya know, there isn’t a “Hacker’s Local 404.” Thus, no associated convention. But if there was a convention at least we all know it wouldn’t not be held at McCormick Place. Too expensive!

  17. Hm Feb. 18, 2010 at 12:57 pm

    @ HA HA HA
    You mean there isn’t a convention called DEFCON in Las Vegas every year full of hackers? A convention for which the organizers encourage attendees to bring a laptop they don’t care about as it will be attacked, hacked, loaded with viruses, and rendered useless during the show?

  18. kdawg Feb. 18, 2010 at 1:00 pm

    The point of this is it doesn’t matter how careful YOU are – you are still vulnerable because you can’t control the security of the companies you give your information to.

  19. who donit Feb. 18, 2010 at 3:26 pm

    justme | February 18, 2010 8:18 AM | Reply
    Who donit- stop watching so many nudie people on the internet.
    ~~~~~
    ha ha very funny NOT. This malware FYI got in because of a vulnerability in IE 6,7 & 8 which allowed remote access no matter where or what you may have been doing.
    As a middle age female, I have no interest viewing “nudie people”… seen one, seen them all.
    This is a very serious matter with Microsoft being the culprit for allowing this breach and then publishing the details on the web for the hackers to help themselves to, which is exactly what they did.

  20. JON WINDY, CHICAGO Feb. 18, 2010 at 4:22 pm

    Thing about being hacked by the Chinese is that a half-hour later you wanna be hacked again!

  21. Camfield Feb. 18, 2010 at 10:35 pm

    The attacks were not limited to government agencies, corporations, etc. I had an attempted intrusion on my PC. The usual “bait” is a pop-up that appears saying you need anti-virus software. If you attempt to close the pop-up by clicking on the red X, it activates the pop-up. I unplugged my computer to interrupt the attempted download, then ran Anti-Malware (available free on the Web) that detected and eliminated a Trojan, as well as some Spyware and Adware that had slipped past my Symantec anti-virus software. The malicious pop-up occurred several times after that (it could only be closed by rebooting the computer). I finally did some cleanup, deleting all temporary files that had loaded with Web access, cookies, etc., and discontinued accessing one news site that I suspected. I have not had a problem since then. We had some discussion of this on an Internet Forum, and other people had the same problem (with the same pop-up). You can do a Google search for “Anti-Malware” to find the protective software.

  22. Fredomfighter Feb. 20, 2010 at 8:40 a.m.

    “A lot of this would be reduced if people stopped using PCs and used Apple Macs instead. Still, even these can be compromised if people are stupid enough to install Trojan software on their machines.”
    While I will agree that as of right now Mac is a little safer when it comes to viruses and this type of stuff that is simply because there are far less macs used than pc. If the number of Mac users was equal to the number of PC users they would be having the same problem. I mean think about it. If you are a hacker are you going to spend time trying to break into something that will only give you access to 20% of computers or would you go for the much larger percentage of PCs.

  23. Lenita Jech April 16, 2010 at 6:43 pm

    Thank you for information! My computer was infected by virus. I have tried several applications as suggested to get rid of it, but no luck. :( At the end I found great blog about viruses and guys running this blog were able to help me with the problem. They have removed this rootkit from my computer in 30 minutes remotely! You might try it! :)

  24. Guy Billingsly April 16, 2010 at 6:50 pm

    Thank you for information! My computer was infected by rootkit. I have tried several applications as suggested to get rid of it, but no luck. :( At the end I found great blog about rootkits and guys running this blog were able to help me with the problem. They have removed this rootkit from my computer in 30 minutes remotely! You might try it! :)

  25. Larisa Falto April 16, 2010 at 6:57 pm

    Thank you for information! My computer was infected by virus. I have tried several applications as suggested to get rid of it, but no luck. :( At the end I found great blog about viruses and guys running this blog were able to help me with the problem. They have removed this virus from my computer in 30 minutes remotely! You might try it! :)