Ride the Lightning

Do You Have a Dusty Old Back Office Server Controlled by the Chinese?

June 13, 2016

While that may seem an improbable question, The New York Times has reported that this is precisely what happened to the rural Wisconsin firm Cate Machine & Welding. The company did indeed have a dusty old computer humming away in the back office. That server had been taken over by Chinese hackers – and a Silicon Valley start-up, Area 1, is tracking them in real time and, in some cases, blocking their attacks.

Targets included a Silicon Valley food delivery start-up, a major Manhattan law firm, one of the world's biggest airlines, a prominent Southern university and targets across Thailand and Malaysia. The New York Times viewed the action on the Cates' computer on the condition that it not name the targets.

The activity had the hallmarks of Chinese hackers known as the C0d0s0 group, a collection of hackers for hire that the security industry has been tracking for years. The group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors' computers with malware.

As the article notes, there is a murky and much hyped emerging industry in selling intelligence about attack groups like the C0d0s0 group. In general, companies have been on the defensive, trying to keeping hackers out. But today, threat intelligence providers sell services that promise to go on the offensive. They track hackers, and for annual fees that can climb into the millions, they try to spot and thwart attacks before they happen.

Although the record of success is mixed, Gartner, a market research company, expects the market for threat intelligence to reach $1 billion next year, up from $255 million in 2013.

Remarkably, many attacks rely on a maze of compromised computers including small shops like Cate Machine & Welding. The hackers don't want the Cates' data. Instead, they have converted their server, and others like it, into launchpads for their attacks.

These servers offer the perfect cover. They aren't usually well protected, and rarely, if ever, do the owners discover that their computers have become conduits for hackers. And who would suspect the Cate family? Who indeed? It strikes me as a very clever gambit.

Two years ago, the Cates received a visit from men informing them that their server had become a conduit for Chinese spies. Area 1 asked the Cates to allow them to add their server to their network of 50 others that had been co-opted by hackers. Area 1 monitors the activity flowing into and out of these computers to glean insights into attackers' methods, tools and websites so that it can block them from breaching its clients' networks, or give them a warning days, weeks or even months before they strike. After a family meeting, the Cates assented.

According to the article, threat intelligence is still more art than science and the jury is still out on whether companies are equipped to use that intelligence to thwart hackers. Area 1 claims that it can head off attacks through the compromised servers it is tracking. It can also use its vantage point to see where attackers are setting up shop on the web and how they plan to target their intended victims.

A handful of Area 1 customers confirmed that its technology had helped head off attackers. That is certainly a good thing. But Area 1's business model can pose ethical dilemmas. What does the company do when it sees attacks against prominent companies and government agencies who are not Area 1 customers? The company sees itself as a bodyguard for its clients and it is clear that it doesn't always warn targets of attacks. But they have warned some victims, including a law firm, a manufacturer, a financial services firm and an electronics company that were attacked via the Cates' server after they saw the C0d0s0 hackers steal their intellectual property. Some of those victims, including the law firm, later signed up for Area 1 services.

An interesting marketing model, to say the least.

The owners of Cate Machine & Welding say that living with Chinese attackers in your office can be a strange feeling. I'll bet.

Recently, Area 1 executives visited the shop and showed the Cates some of what they had learned from watching their computer. The C0d0s0 group had used their server to pilfer a law firm's due diligence on an impending acquisition, a financial services firm's confidential trading plans, a mobile payment start-up's proprietary source code, some blueprints and loan applications at a mortgage company.

Apparently, if you have a dusty old server in your back office, you might want to regard it suspiciously.

Hat tip to Dave Ries.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson