Lobbyists Targeting Liberal Groups Channeled Chinese Hackers’ Strategy

The revelation, made by The New York Times and a firm called Mandiant last month, that the Chinese military is engaging in a sophisticated campaign of Internet spying and cyber attacks targeting American corporations and government websites provoked widespread alarm. What hasn’t been noted is that the Chinese plot bears much in common with a conspiracy to spy on and sabotage liberal advocacy groups and unions—a plot developed on behalf of none other than the US Chamber of Commerce back in 2011.

Indeed, Mandiant identified the Chinese plot by combing through the database of hacking tools managed by the same individuals associated with the American firm that had been enlisted to help the Chamber execute its spying and hacking plan, before it was exposed by the hacktivist group Anonymous.

Attorneys for the Chamber were caught negotiating for a contract to launch a cyber campaign using practically identical methods to those attributed to the Chinese, which reportedly could be used to cripple vital infrastructure and plunder trade secrets from Fortune 100 companies. The Chamber was seeking to undermine its political opposition, including the Service Employee International Union (SEIU) andMoveOn.org, but apparently had to scotch the plan after it was revealed by Anonymous.

At the RSA Conference in San Francisco, the “nation’s largest gathering of cyber security professionals,” The Nation spoke to a number of experts who said the same invasive strategies employed by the Chinese military could be easily used in political campaigns and other political contexts by anyone willing to take the risk.

The story of both the Mandiant report and the American lobbyist hacking conspiracy begins in February of 2011, when the hacktivist group Anonymous stole some 70,000 e-mails from a Bethesda, Maryland-based firm called HBGary Federal and dumped them onto the Internet. HBGary Federal was an affiliate of HBGary, a firm that maintained a database and discussion forum of hacking software called Rootkit.com, which served as a “malware repository where researchers stud[ied] hacking techniques from all over the world.” It appears the Chinese hackers, known as the “Comment Crew,” had participated to gain the types of software used to compromise computers owned by dozens of American interests.

The Mandiant report details how the disclosure of Rootkit.com’s user database from Anonymous not only revealed the e-mail account associated with UglyGorilla, or Jack Wang, and SuperHard_M, or Mei Qiang, two of the alleged Chinese hackers, but the IP address that helped confirm the Shanghai Pudong location of the Chinese military office building, from which it launched attacks on US-based targets. As Nate Anderson of Ars Technica reported, the theft of HBGary Federal’s data offered the Mandiant researchers a “treasure trove of information.”

Rootkits, a term used to describe software that can gain access to computer systems without detection, can often be used for malicious purposes. Asked why he thought the Chinese military would participate in an American site like Rootkit.com, Richard Bejtlich, Mandiant’s Chief Security Officer, told The Nation that at least initially, “If you wanted to get up to speed on that technology, that’s where you went.”

Mandiant compared the information from the Rootkit.com user database with data from other cyber security breaches attributed to Chinese hacking attempts to come to the conclusions in their report.

According to The New York Times and Mandiant, the Shanghai-based Unit 61398 of the People’s Liberation Army employing the “Comment Crew” hackers relied largely upon spear-phishing (often an e-mail to trick the recipient into opening a document or attachment containing a malicious piece of software, like a rootkit) to gain access to firms like Coca-Cola, the National Electrical Manufacturers Association, EMC, and Telvent, a company that produces programs for remote access for oil and gas pipelines.

As policymakers and major American companies continue to react to the news about the Chinese hacking, similar threats could play a role in labor organizing and political campaigns.

The disclosure of HBGary Federal’s e-mails revealed one of the most brazen political espionage efforts in recent memory, which underscores this threat.

In October of 2010, HBGary Federal was solicited by Matthew Steckman of the firm Palantir on behalf of attorneys representing the US Chamber of Commerce “about offering a complete intelligence solution” and “social media exploitation.” The Chamber had dealt with critical news about an IRS complaint alleging that the insurance giant AIG had illegally laundered millions of dollars to the Chamber in September. Also around that time, I wrote a separate story for ThinkProgress revealing fundraising documents that showed the Chamber had solicited foreign corporate money for the same 501(c)(6) legal entity the Chamber used to run campaign commercials during the midterm elections. The leaked HBGary Federal e-mails show the Chamber was interested in responding aggressively to this pressure.

By November of that year, Palantir, HBGary Federal and another firm, Berico, had discussed the effort to push back against the Chamber’s critics several times with a number of the Chamber’s attorneys at the law/lobbying firm Hunton and Williams, and had prepared a series of presentations detailing their proposal to the Chamber. One of the attorneys involved in the discussions, Hunton and William’s Richard Wyatt, had already been retained by the Chamber to sue the Yes Men, a comedic advocacy group, for impersonating the Chamber at a prank press conference.

The presentations, which were also leaked by Anonymous, contained ethically questionable tactics, likecreating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then subsequently exposing the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win, a federation of labor unions that sponsored the watchdog site, US Chamber Watch.

Even more troubling, however, were plans by the three contractors to use malware and other forms of malicious software to hack into computers owned by the Chamber’s opponents and their families. Boasting that they could develop a “fusion cell” of the kind “developed and utilized by Joint Special Operations Command (JSOC),” the contractors discussed how they could use “custom malware development” and “zero day” exploits to gain control of a target’s computer network. These types of hacks can allow an attacker not only to snoop but to delete files, monitor keystrokes and manipulate websites, e-mail archives and any database connected to the target computer.

In January of 2011, Hunton and Williams, which had met with the Chamber to discuss the proposals, sent by courier a CD with target data to the contractors. The targets discussed in e-mails included labor unions SEIU, IBT, UFW, UFCW, AFL-CIO, Change to Win, as well as progressive organizations like the Center for American Progress, MoveOn.org, Courage Campaign, the Ruckus Society, Agit-Pop, Brave New Films and others.

Though HBGary markets itself as a firm that uses its expertise in cyber security to help both companies and the government defend against malicious attacks, the e-mail archives leaked by Anonymous make clear that executives at the firm were interested in selling this technology for offensive capabilities. In an e-mail with Greg Hoglund, the founder of both HBGary and Rootkit.com, and part owner of HB Gary Federal, Aaron Barr, HBGary Federal’s chief executive, described a “spear phishing strategy” that could be used on “our adversaries.” In another e-mail chain, HBGary staff discussed using a fake “patriotic video of our soldiers overseas” to induce military officials to open malicious data extraction viruses; in another, they discuss the success of a dummy “evite” e-mail used to maliciously hack target computers.

The tactics described in the proposals are illegal. However, there were no discussions in the leaked e-mails about the legality of using such tactics. Rather, the Chamber’s attorneys and the three contractors quibbled for weeks about how much to charge the Chamber for these hacking services. At one point, they demanded$2 million a month.

HBGary Federal and their partners were scheduled to meet the Chamber to finalize the deal on February 14, 2011. However, on February 4, Barr boasted to the Financial Times that he was preparing to reveal the identities of Anonymous, which responded with the hack that spilled the contents of HBGary Federal’s e-mails and Rootkit.com’s user database. HBGary Federal had also entered into talks about working on behalf of Bank of America to discredit the website Wikileaks and its perceived allies in the media. The e-mail trail ends on February 6; the Chamber, despite e-mails showing it met with Hunton and Williams to discuss the project, denied any knowledge of the proposal and said it had never compensated the firms or entered into any agreement for the work described in the proposals.

HBGary Federal, which shared the same owners and office space as HBGary, shut down in the wake of the leaked e-mails. Last year, HBGary was acquired by a military contracting firm called ManTech International for $23.8 million, according to disclosures with the Securities and Exchange Commission. The spokesperson for HBGary declined to comment on this story.

Although Rootkit.com is no longer online, similar websites like MetaSploit and TrustedSec offer hackers and cyber security professionals an array of software that could be used by anyone seeking to break into an organization, take control of their network and seize data.

“There’s nothing so unique about how you break into an organization,” said Nick Levay, the director of technical operations information security at the Center for American Progress, who spoke to The Nation by telephone. Levay, an expert on computer security, said there’s “lots of overlap” between the documented Chinese military cyber hacking incidents described by The New York Times and the Mandiant report and the tactics proposed by the contractors working with the Chamber’s attorneys.

Mandiant’s Richard Bejtlich described the malware tools as a firearm that could be used by anyone. “You could buy a firearm, but what are you going to do with it? Is it for hunting or self-defense?” Researchers commonly use sites like MetaSploit to develop defense software against certain cyber attacks. Or, Bejtlich said, “Are you outfitting an army to conduct an insurgency where you’re going to harass a foreign military for ten years?”

Levay said that malware or phishing attempts may be difficult to detect if the perpetrator is only interested in gathering intelligence. However, “any disruption or sabotage, they’re going to get caught,” said Levay. Bejtlich made a similar case, arguing that if domestic political organizations or cyber criminals attempt to sabotage computers in the United States, “the Bureau’s going to find you.”

Large firms that have been victimized by malicious hacking, including Google and Intel, at least have the resources to detect and counter most forms of computer crimes. But what about a small company, or political advocacy group with little resources?

“Political campaigns, absolutely, they have to be vigilant that they will be attacked,” said Ajay Uggirala, the director of product and technical marketing at the cyber security firm Solera Networks. “It’s going to be a dynamic,” Uggirala explained, “I wouldn’t be surprised if people use the good tools we have for bad purposes on political candidates.”