The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europes point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers activity.
Over 10 days last July, the hackers returned to the councils computers four times, accessing the internal communications of 11 of the EUs economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe.
And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of Chinas biggest and busiest hacking groups.
Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as comments.
During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers work as data bled from one victim after the next: from oilfield services leader Halliburton Co. to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd.
What the general public hears about -- stolen credit card numbers, somebody hacked LinkedIn -- thats the tip of the iceberg, the unclassified stuff, said Shawn Henry, former executive assistant director of the FBI in charge of the agencys cyber division until leaving earlier this year. Ive been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that weve ever seen. Its a machine.
Exploiting a hole in the hackers security, the researchers created a digital diary, logging the intruders every move as they crept into networks, shut off anti-virus systems, camouflaged themselves as system administrators and covered their tracks, making them almost immune to detection by their victims.
The minute-by-minute accounts spin a never-before told story of the workaday routines and relentless onslaught of a group so successful that a cyber unit within the Air Forces Office of Special Investigations in San Antonio is dedicated to tracking it, according to a person familiar with the unit.
Those logs -- a record of the hackers commands to their victims computers -- also reveal the highly organized effort behind a group that more than any other is believed to be at the spear point of Chinas vast hacking industry. Byzantine Candor is linked to Chinas military, the Peoples Liberation Army, according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document.
The activity were seeing now is the tremor, but the earthquake is coming, said Ray Mislock, who before retiring in September was chief security officer for DuPont Co.