U.S. Employees Are Weakest Link In America’s Cybersecurity – Part One

The Chinese People’s Liberation Army knows this vulnerability and attacks American employees every day to steal trade secrets and gain commercial advantage for state-controlled businesses.


Gu Chunhui

Criminal hackers can cause tremendous damage, whether trained in China or not. If a high-level expert, such as a member of China’s elite Unit 61398, also known as the Comment Crew, gets into your system, they can seize root control and own it. They can then plant hard-to-detect back doors in your systems that allow them to come and go as they please.

A member of the Comment Crew could be in your computer system right now and you would not know it. For instance, Gu Chunhui, who often goes by the online alias Kandy Goo and is a high-ranking military officer of Unit 61398, could be looking at your computer screen now. Captain Goo could be running programs in the background without your knowledge. Or he could be reading your email. He would be looking for information of value to his country, or to any of the thousands of businesses controlled by the Chinese government. Captain Goo may have a cute Internet name, and look more like a movie star in a martial arts film than an army man, but do not be fooled. Do not underestimate his considerable computer skills and strong patriotic intent. Yes, breaking into your computer systems and stealing data is a matter of patriotic duty for him and the other hackers trained by the government of communist China.

Unit 61398 of the Third Department of the Chinese People’s Liberation Army is reported to be the best of the best in China. Gu Chunhui is a determined military officer. Although DOJ documents show that Gu, like everybody else in Shanghai where he is stationed, takes a two-hour break every day for lunch, he still works hard the rest of the day to break into your computer system and steal your data (and your clients’). He and others in Unit 61398 are armed and dangerous. They have both viruses and guns. They should not be taken lightly. All of the Unit 61398 Comment Crew, including Captain Goo, are very good at what they do. I am worried, and you should be too.

Do not get me wrong. The Chinese do not have a monopoly on black hat hacking. The whole idea was born in the United States. It could just as easily be a criminal hacker from Russia, Ukraine, Poland, the U.K., or Israel who has taken control of your system. They could be from anywhere, although if they are after trade secrets rather than money, it is probably one of the thousands of hackers who work for the Chinese government. It could even be one of the five officers of Unit 61398 in Shanghai who were indicted by the DOJ this week.


31 Count Criminal Indictment Against Five Military Officers
of Unit 61398 of the Third Department of the Chinese People’s Liberation Army

Five military officers of Unit 61398, including Gu Chunhui, are alleged to have stolen commercial trade secrets from Alcoa, Westinghouse, Allegheny Technologies, SolarWorld, U.S. Steel, and the United Steelworkers Union. It is especially notable to those of us in the legal profession that the secrets allegedly stolen include highly confidential attorney-client communications. See the 31-count indictment against the five Chinese military officers for details. The chart below provides a high-level overview. Every count is against all five officers.

Count(s) | Charge | Statute | Maximum Penalty
1 | Conspiring to commit computer fraud and abuse | 18 U.S.C. § 1030(b) | 10 years
2-9 | Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain | 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 | 5 years (each count)
10-23 | Transmitting a program, information, code, or command with the intent to cause damage to protected computers | 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2 | 10 years (each count)
24-29 | Aggravated identity theft | 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2 | 2 years (mandatory, consecutive to any other sentence)
30 | Economic espionage | 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2 | 15 years
31 | Trade secret theft | 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2 | 10 years

Hacker Threat

Criminal hackers from any country, including our own, can pick and steal whatever data you have, whenever they want, and they can do so without your knowledge. All they have to do is get inside your systems. Once in, they can also use your computer to do whatever they want, including launching attacks on other computer systems. Does your computer system seem to be running slow? That might explain why. It could be someone in Unit 61398 in Shanghai or a criminal down the street.

Once in, the criminal hacker can also spy on you, and take photographs and videos of you without your knowledge. They can record and report back every keystroke you make. They can then search out and steal all of your account usernames and passwords, even if you took the precaution of never writing them down. They will simply watch you type them. In a short period of time a skilled criminal hacker can access all of your online accounts.

Have you ever seen your cursor move on its own? Have you ever seen your camera light come on, seemingly by itself? Is your computer sometimes sluggish for no apparent reason? A criminal hacker could be running your machine right now. When was the last time you updated your virus protection? It at least provides some protection against known malware. What, you do not have any virus protection? No firewall? You might as well put a Hackers Welcome sign up on the Internet. We are all under near-constant cyber attack, maybe not from the Chinese military elite, who are only after people with data that can help their country, but from all kinds of cyber criminals big and small.

These criminals pose a serious threat to all computer users. Obviously we want to make it as difficult as possible for them to break into your computers. There are many sophisticated technological defenses to help you protect your systems. They can make intrusion very difficult, and at least compartmentalize and limit the damage that can be done when it happens. Virus detection software is just one link in a chain of cyber defenses available. Unfortunately, a chain of defenses is only as good as its weakest link. The bad news is that the humans who use the computers are the weakest link.

Employees Are The Weakest Link

Most cybersecurity experts agree that the weakest link in every organization’s cybersecurity systems is its own employees. See, e.g., Jordan Robertson, Chinese Hackers Show Humans Are Weakest Security Link (Bloomberg News, May 19, 2014). All it takes is one naive, untrained employee to let a hacker into a computer system. According to Dmitri Alperovitch of CrowdStrike Inc., a cybersecurity consulting firm, they have found that between 5% and 10% of employees will click on almost any email. Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam (WSJ, May 19, 2014). That is very dangerous because once a hacker gets in, your secrets go out. Once they get in, it is a matter of damage control, detection, and eradication.

The answer is training of all employees about the dangers of hacking, not just the few specialists in charge of IT systems. For instance, it is just as important to train a lawyer’s assistant as it is the lawyer, perhaps even more so. I agree completely with the Bloomberg article where Robertson states:

Some of the main targets are personal assistants, who play a central role inside companies and are targeted because they often have access to executives’ calendars, contact lists and e-mail accounts, according to Kevin Haley, director of Symantec Corp.’s Security Response team. The other type of workers targeted most often are public-relations professionals, whose names and e-mail addresses are easy to harvest from public Web pages. They’re also accustomed to hearing from people they don’t already know, Haley said. … Support staff are particularly vulnerable because many companies overlook them as cybersecurity risks and don’t spend enough time on training, Haley said. One of the most successful techniques for teaching employees of all levels about hacking risks is deploying mock spearphishing campaigns with the help of outside firms, he said.

The charges against the Chinese military officers should prompt more U.S. firms to work with the government and share information about hacking incidents, Alperovitch said.

Employee education is also key. Riptide IO Inc., a Santa Barbara, California-based firm that helps companies manage data from their buildings, issues frequent warnings about not putting passwords in e-mail and other basic cybersecurity measures to ensure that every employee — including support staff — is aware of hacking risks, CEO Mike Franco said. “Everybody has to realize that exposure does come from people, not technology,” Franco said. “You can’t stop this kind of intrusion with good technology. You have to do it with learning and education and attitude changes and awareness.”

If an employee is allowed to use a computer, and is allowed anywhere on your network, then they must be trained in the basics of cybersecurity, including social engineering and phishing. The training should be especially intensive for personal assistants, receptionists, and marketing staff, but it should include everyone, including the top brass. Otherwise, your employees will be easily tricked into letting a hacker into your systems.

Armies of Chinese Hackers

Any army officer in China with training in the basics of criminal hacking, including social engineering, can fool many naive Americans untrained in cyber defense. They can do so with just one clever email. They do it every day. They have been doing it for years. See, e.g., Suspected Chinese spear-phishing attacks continue to hit Gmail users. They do it against our government employees to steal state and military secrets, or at least try to. They also do it every day against U.S. corporations, law firms, and unions to steal commercial trade secrets. Since our government and military employees are better trained in cybersecurity, and have better defensive infrastructure, hackers enjoy greater success against our commercial sector than they do against our military and government. It is easier to hack civilians.

Spying on our government and military, spying on our corporations, spying on us as civilians: it is all the same thing to the Chinese. They do not seem to recognize the clear line between them, so we are now forced to spell it out for them with criminal indictments. You do not attack civilian targets without consequences, including criminal indictments. The FBI and DOJ have promised that this is just the beginning, not merely a warning shot. In the words of FBI Director James Comey:

For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries … The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.

I hope our government is now serious about protecting us from criminal hackers who would take over our home and business computers and steal our data. But we should not depend on the government to protect us. I for one am suspicious of our government anyway. I am suspicious of any government. So too is the U.S. Constitution. It is designed to protect us from big government. We should not wait for government regulations. We must take the initiative now. We the people must be proactive in protecting ourselves. That includes especially all American businesses, trade unions, and law firms that represent any companies that compete against businesses in China. All organizations that hold confidential computer data should take action now to protect themselves from hackers of all nationalities.

Phishing Attacks

A careless mistake by just one employee opening an email attachment from one hacker can open the door to an entire army of hackers. The attachment is not really the document it pretends to be. It carries a small program designed to take over the employee’s computer: often an executable dressed up with a document icon and a name like a report or invoice, or a genuine-looking document or compressed archive with malicious code hidden inside. The employee does not need to do anything elaborate. Opening the attachment once, believing it came from a colleague or a customer, is enough to run the malware, and then you are in trouble.

It will probably look like nothing happened. Often a harmless decoy document opens so the employee sees what was expected, while in the background the malicious code unpacks itself (the attachment is frequently a compressed or self-extracting file) and quietly installs one or more further programs. Those programs set up a back door for the attackers, then begin reaching out from the infected machine to take control of as many other parts of the network as they can.

Some of these attachments exploit defects in the software that opens them, such as the PDF reader, the office suite, or the operating system itself. Hackers sometimes discover such coding mistakes before the software vendors do, so there is no patch and no antivirus signature yet, which is why this kind of malware can be so hard to detect or prevent. Many spear-phishing attachments do not need an exploit at all: they only need the employee to run a program they believe is a document.

Once installed, the malware is often customized or repacked so that its file hash, the fingerprint that antivirus products look for, is unique to your system, and its file names may change as well. That defeats signature-based antivirus, which can only recognize samples it has seen before. What catches it is looking for behavior instead: new programs set to start automatically, unexpected connections out to the Internet, files being read that the user never opened. But only if someone is looking.
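The following Python is an added illustration, written for this post rather than taken from the indictment or the blog’s author. It shows the kind of checks a mail gateway or a curious administrator can run on an attachment before anyone opens it: an executable hiding behind a document-style double extension, an executable header under a harmless-looking name, an archive with a program inside, and an Office file carrying macros. It also shows why the hash-changing trick described above defeats signature-only scanning while the structural checks still fire. All file names and contents are constructed; the stand-in “executable” is just a two-byte MZ header plus filler, not real malware.

```python
import hashlib
import io
import zipfile

# Extensions Windows will execute when a user double-clicks the "document".
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "msi", "dll"}
# Extensions a recipient expects to be harmless.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def triage_attachment(name, data):
    """Return a list of findings for one attachment (file name plus raw bytes)."""
    findings = []
    exts = name.lower().split(".")[1:]          # "Q1_Report.pdf.exe" -> ["pdf", "exe"]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable attachment")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append("double extension disguises executable as document")
    # A Windows PE file starts with "MZ" regardless of what the name claims.
    if data[:2] == b"MZ" and not (exts and exts[-1] in EXECUTABLE_EXTS):
        findings.append("Windows executable header under a non-executable name")
    # ZIP container: plain .zip archives and modern Office files (.docx, .xlsx ...).
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            members = []
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("Office document contains VBA macros")
        for m in members:
            if "." in m and m.rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                findings.append(f"archive contains executable: {m}")
    return findings


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_signature_match(data, known_bad_hashes):
    """How a purely signature-based scanner decides: exact hash match or nothing."""
    return sha256(data) in known_bad_hashes


def make_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples with invented names. FAKE_PE is an MZ header plus filler.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLES = {
    "Q1_Report.pdf.exe": FAKE_PE,
    "Q1_Report.pdf": FAKE_PE,
    "invoice.zip": make_zip({"invoice.doc.scr": FAKE_PE}),
    "agenda.docx": make_zip({"word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16}),
    "minutes.docx": make_zip({"word/document.xml": b"<w:document/>"}),
}


def repacked_variant_evades_hash_check():
    """One appended byte changes the hash, so a scanner that knows only the
    original sample misses the variant; the structural checks still flag it."""
    original = SAMPLES["Q1_Report.pdf.exe"]
    variant = original + b"\x00"                 # the most trivial possible "repack"
    known_bad = {sha256(original)}
    return {
        "hash_changed": sha256(variant) != sha256(original),
        "signature_catches_variant": hash_signature_match(variant, known_bad),
        "triage_catches_variant": bool(triage_attachment("Q1_Report.pdf.exe", variant)),
    }


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(f"{sample_name:20} {triage_attachment(sample_name, sample_data) or ['clean']}")
    print(repacked_variant_evades_hash_check())
```

Run it directly to print the findings for each constructed sample. The checks are deliberately simple, and real gateways also detonate attachments in a sandbox, but the point is the contrast: a renamed or repacked file keeps the same shape, while its hash does not.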

The use of emails with malicious attachments is one variant of the type of attack known as phishing. When the email is tailored to a particular person or organization, as it was here, it is called spear phishing. As Wikipedia defines it:

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. … Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

The kind of phishing I have described here only requires you to trust the sender of an email enough to open an attachment. You do not have to visit any other web page or fill out any forms. That kind of phishing still goes on, of course, but it is somewhat old school, like the Nigerian government official or the Irish lottery. The more modern email attachment approach is the kind of phishing attack Unit 61398 used to steal industrial secrets from both Alcoa and U.S. Steel between 2006 and 2014. I will spell out the details of how they pulled it off in part two of this blog.

Phishing in general is one of the easiest types of cyber attack to launch. The alarming truth is that since most employees today are so ill informed about cybersecurity, and thus so vulnerable to social engineering tactics like phishing, any bright but terribly misguided teenager could probably pull it off. It is a mere script kiddie maneuver, and, if you did not have your own army, you could easily hire a hacker online to do it for you. Even though it is relatively easy, phishing is still very effective. It is part of every criminal hacker group’s arsenal, and, as we now know from this week’s DOJ indictment, it is also used by Unit 61398 of the Third Department of the Chinese People’s Liberation Army.

To be continued … (In part two I will detail how Unit 61398 pulled off a phishing attack on both Alcoa and U.S. Steel, and common steps you can take to avoid becoming the next victim. You can use it as a guide for your own edification and to help train your employees against phishing attacks.)
