[Infowarrior] - Morgan Stanley Hacked in China-Based Attacks That Hit Google

Richard Forno rforno at infowarrior.org
Mon Feb 28 17:40:04 CST 2011


http://www.bloomberg.com/news/print/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html

Morgan Stanley Hacked in China-Based Attacks That Hit Google

By Michael Riley - Feb 28, 2011

Morgan Stanley, the world’s top merger adviser, experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers in January 2010, according to leaked e-mails from a cyber-security company working for the bank.

The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret.

“They were hit hard by the real Aurora attacks (not the crap in the news),” wrote Phil Wallisch, a senior security engineer at HBGary, who said he read an internal Morgan Stanley report detailing the so-called Operation Aurora attacks.

McAfee Inc., a Santa Clara, California-based cyber-security firm, dubbed the attacks Operation Aurora and called them “a watershed moment in cyber security.” The number of companies known to be hit in the attacks was initially estimated at 20 to 30 and now exceeds 200, said Christopher Day, senior vice president for Terremark Worldwide Inc., which provides information-technology security services.

The HBGary e-mails don’t indicate what information may have been stolen from Morgan Stanley’s databanks or which of the bank’s multinational operations were targeted.

“They have given me access to a very sensitive report on their Aurora experience,” Wallisch wrote in a May 10 e-mail to HBGary President Penny Leavy-Hoglund. “I will honor their wishes about not sharing the info with anyone, but the good news is that I have some great ideas for our final reports.”

Sandra Hernandez, a spokeswoman for the New York-based bank, which unlike Google didn’t disclose the attacks publicly, declined to comment on them specifically.

‘Conducting Business’

“Like any other company in our industry we deal with malware and attempted computer compromises as a matter of conducting business and work with law enforcement where appropriate,” Hernandez said today by phone.

FBI Deputy Assistant Director Steven Chabinsky said that hackers have increasingly targeted information related to mergers and acquisitions related to China-based companies, data that can give those companies an advantage in negotiations.

Google said in January 2010 that it was one of 20 major U.S. companies breached by hackers using China-based servers, an event that McAfee Chief Technology Officer George Kurtz described as the “largest and most sophisticated cyberattack we have seen in years targeted at specific corporations.”

‘Politburo Standing Committee’

U.S. diplomatic cables published by WikiLeaks and citing high-level Chinese sources later traced direction of the attack to the “Politburo Standing Committee level” of China’s government.

Wang Baodong, a spokesman for the Chinese embassy in Washington, said cyber-hacking is an international issue and that many Chinese governmental websites have been attacked.

“China’s stand on fighting hacking activities is clear and consistent, with relevant strict domestic laws and regulations in place, and is always ready to work with other countries to jointly strike down on hacking crimes,” he said today in an e-mail.

China’s official news agency last year quoted an unidentified spokesman from the Ministry of Industry and Information Technology saying that accusations the government was behind the attacks were “groundless.”

Forensic Investigations

Kevin Mandia, chief executive officer of the cyber-security firm Mandiant, based in Alexandria, Virginia, said forensic investigations of the attacks showed that the hackers had penetrated company networks over a period lasting more than a year and had hit some companies multiple times.

Day and Mandia, citing client confidentiality, didn’t discuss the companies that were victims of the attack.

The e-mails were stolen from HBGary’s computer network by the group of hacker activists called Anonymous, which posted them on the Internet as a searchable database. HBGary confirmed the messages were stolen and declined last week to comment on their content.

Marc Zwillinger, an attorney for HBGary, didn’t immediately respond to a phone message seeking comment. Zwillinger has previously declined to comment on the HBGary e-mails’ content, citing client confidentiality.

Morgan Stanley hired HBGary in 2010 to address suspected network breaches by hackers not linked to Operation Aurora who broke through the company’s Internet security systems. The hackers successfully implanted software designed to steal confidential files and internal communications, according to dozens of HBGary e-mails that detail efforts to plug the holes.

One e-mail, dated June 19, said that the attackers may be the same ones who had hit a U.K.-based defense contractor and discusses hacking software called Monkif, which can be used by intruders to remotely orchestrate a sophisticated form of cyber attack known as an ‘advanced persistent threat’ or APT.

“This Monkif payload may represent APT or play a part in the APT’s campaign,” HBGary Chief Executive Officer Greg Hoglund wrote to Wallisch. “Phil, you might find this of value given that you are dealing with the same attack over at Morgan.”

To contact the reporter on this story: Michael Riley in Washington at michaelriley at bloomberg.net.

To contact the editor responsible for this story: John Pickering at jpickering at bloomberg.net.

