The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.
Over 10 days last July, the hackers returned to the council’s computers four times, accessing the internal communications of 11 of the EU’s economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe.
And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of China’s biggest and busiest hacking groups.
Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as “comments.”
During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers’ work as data bled from one victim after the next: from oilfield services leader Halliburton Co. to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd.
“What the general public hears about -- stolen credit card numbers, somebody hacked LinkedIn -- that’s the tip of the iceberg, the unclassified stuff,” said Shawn Henry, former executive assistant director of the FBI in charge of the agency’s cyber division until leaving earlier this year. “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.”
Exploiting a hole in the hackers’ security, the researchers created a digital diary, logging the intruders’ every move as they crept into networks, shut off anti-virus systems, camouflaged themselves as system administrators and covered their tracks, making them almost immune to detection by their victims.
The minute-by-minute accounts spin a never-before told story of the workaday routines and relentless onslaught of a group so successful that a cyber unit within the Air Force’s Office of Special Investigations in San Antonio is dedicated to tracking it, according to a person familiar with the unit.
Those logs -- a record of the hackers’ commands to their victims’ computers -- also reveal the highly organized effort behind a group that more than any other is believed to be at the spear point of China’s vast hacking industry. Byzantine Candor is linked to China’s military, the People’s Liberation Army, according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document.
“The activity we’re seeing now is the tremor, but the earthquake is coming,” said Ray Mislock, who before retiring in September was chief security officer for DuPont Co.
