Major breach at Coca-Cola tied to Chinese hacker collective

Photo credit: Huguette Roe/

The perpetrators are believed to be a global Chinese hacking collective, the Comment Group, known for stealing state and corporate secrets for monetary gain.

According to Bloomberg News, which broke the story over the weekend, the hack came around the time the world's largest soft drink purveyor was attempting a $2.4 billion acquisition of China Huiyuan Juice Group. It started with an email sent to the Coke deputy president containing a malicious link; when the link was clicked, keyloggers and other malware were installed. The attackers then set out to steal documents and data relating to the attempted acquisition.

According to an internal Coke report obtained by Bloomberg, the hackers hit the network daily for at least a month. In the first two days alone they uploaded a dozen information-stealing tools, including a keylogger, onto the machine of a top executive in Hong Kong. They also set about pilfering the account credentials of other employees with administrative privileges, unlocking door after door within the network.

The Huiyuan deal, which would have been the largest foreign takeover of a Chinese company at the time, collapsed just three days after the breach. While there is no direct acknowledgment that the breach is the reason the deal fell through, Coke's internal brief pointed the blame squarely at China itself.

However, others aren’t so sure that’s the correct finding.

“While the internal Coke report says the intruders were state-sponsored, the attributes of the hack, including the types of malware and techniques used, suggest they are part of Comment Group, one of the most prolific hacking groups based in China,” said Jaime Blasco, head of AlienVault’s security lab, in an email. “It’s very clear that Comment was behind it.”

Comment Group is known for harvesting intellectual property and trade secrets from energy companies, patent law firms and investment banks, earning its name from its penchant for communicating with compromised computers through hidden HTML code known as “comments.” Its most recent known victim is energy-sector software supplier Telvent Canada, which it compromised in September, breaching the company's internal firewall and security systems, implanting malicious software and stealing highly valuable project files, according to the KrebsOnSecurity blog.
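The technique the article names, hiding instructions for compromised machines inside HTML comments, is something a defender can look for in proxied or captured web traffic. The following is an added example written for this page, not code from Infosecurity Magazine, Bloomberg, AlienVault or KrebsOnSecurity: it pulls every comment out of an HTML body and flags those that contain a base64-encoded printable string. The choice of base64 as the hidden encoding, the length threshold, and the sample page are all assumptions made for the example; the page does not describe the group's real format.

```python
"""
Scan an HTML body for comments that carry a hidden, decodable payload.

Added example for this article; not from any source the article cites.
Assumptions: the hidden instruction is base64 inside an HTML comment,
and a run of 16+ base64 characters is rare in ordinary developer comments.
"""
import base64
import binascii
import re
import string

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Runs of base64 alphabet characters long enough to be worth decoding
# (the 16-character floor is an arbitrary choice for this example).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


def decode_if_base64(blob: str):
    """Return the decoded text if blob is strict base64 that yields
    printable ASCII; otherwise None (covers bad padding, stray chars,
    and binary output that is just an unlucky identifier)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch in PRINTABLE for ch in text):
        return None
    return text


def find_hidden_payloads(html: str):
    """Return [(comment_text, decoded_payload), ...] for every HTML
    comment hiding a base64-encoded printable string."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        comment = match.group(1).strip()
        for blob in B64_RE.findall(comment):
            decoded = decode_if_base64(blob)
            if decoded is not None:
                findings.append((comment, decoded))
    return findings


# Constructed sample page: two ordinary comments and one that carries an
# invented instruction string. Nothing here is real captured traffic.
HIDDEN_INSTRUCTION = "cmd: fetch /update.bin"
SAMPLE_HTML = (
    "<html><head><!-- main navigation, updated 2012 --></head>\n"
    "<body><p>Welcome</p>\n"
    f"<!-- {base64.b64encode(HIDDEN_INSTRUCTION.encode()).decode()} -->\n"
    "<!-- Copyright 2012 Example Corp --></body></html>\n"
)


if __name__ == "__main__":
    for comment, payload in find_hidden_payloads(SAMPLE_HTML):
        print(f"hidden payload in comment {comment!r}: {payload!r}")
```

Long build identifiers or hashes in benign comments will match the regex, which is why the decoder insists on strict base64 and printable output before reporting; in practice the check would sit behind a proxy or IDS and be tuned against the site's own pages.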

But its reputation for targeting “tradable” information and secrets goes much deeper than that. According to a Bloomberg special report, it infiltrated the computers of top economic, security and foreign affairs officials at the EU Council who were weighing the Greek bailout, and has hit a wide range of corporate targets.

The rising tide of IP theft should prompt organizations worldwide to take a new approach to security, some say. “The lesson the world should have already learned from incidents such as the Stuxnet attacks is that protection should be around data rather than around devices,” said Tal Be’ery, web researcher at Imperva, in an email. “Closely monitoring and controlling data at the source is one part of the solution. Looking for abusive access patterns to data or patterns that reflect the behavior of an outsider within our perimeter is the answer. Coupled with data encapsulation, organizations can achieve true mitigation of such risks.”
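Looking for abusive access patterns in the way the quote above describes means comparing what an account does today against what it normally does. The block below is an added example for this page, not code from Imperva, Coca-Cola or any source the article cites: it builds a per-user baseline from a constructed document-access log and flags three departures from it that match the article's scenario (a compromised executive account pulling deal files in bulk, at night, from an area it never touched before). The log format, user names, paths, dates and thresholds are all assumptions made for the example.

```python
"""
Flag abusive document-access patterns against a per-user baseline.

Added example for this article, not a vendor's product. The log format,
users, paths, dates, the 3x volume factor and the 00:00-05:59 night window
are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)
NIGHT_HOURS = set(range(0, 6))
TARGET_DATE = date(2012, 10, 8)


def parse(lines):
    """Parse log lines into (timestamp, user, action, path); skip junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), m["user"], m["action"], m["path"]))
    return events


def top_dir(path):
    """First path component, used as the 'area' of the document store."""
    parts = path.strip("/").split("/")
    return parts[0] if parts else ""


def build_baseline(events, before):
    """Per user: busiest day (distinct docs), areas touched, hours seen."""
    per_day = defaultdict(lambda: defaultdict(set))
    areas, hours = defaultdict(set), defaultdict(set)
    for ts, user, _action, path in events:
        if ts.date() >= before:
            continue
        per_day[user][ts.date()].add(path)
        areas[user].add(top_dir(path))
        hours[user].add(ts.hour)
    max_docs = {u: max(len(docs) for docs in days.values()) for u, days in per_day.items()}
    return max_docs, areas, hours


def detect_anomalies(lines, target, volume_factor=3):
    """Return {user: [reason, ...]} for users whose activity on `target`
    breaks their own baseline from the days before it."""
    events = parse(lines)
    max_docs, areas, hours = build_baseline(events, target)
    docs, day_areas, day_hours = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, user, _action, path in events:
        if ts.date() == target:
            docs[user].add(path)
            day_areas[user].add(top_dir(path))
            day_hours[user].add(ts.hour)
    alerts = defaultdict(list)
    for user, seen in docs.items():
        base = max_docs.get(user, 0)
        if base == 0:
            alerts[user].append("no baseline for user")
        elif len(seen) > volume_factor * base:
            alerts[user].append(f"volume {len(seen)} docs vs baseline max {base}")
        new_areas = day_areas[user] - areas.get(user, set())
        if new_areas:
            alerts[user].append("new area " + ",".join(sorted(new_areas)))
        night = (day_hours[user] & NIGHT_HOURS) - hours.get(user, set())
        if night:
            alerts[user].append("off-hours access at " + ",".join(f"{h:02d}:00" for h in sorted(night)))
    return dict(alerts)


def _line(day, hour, minute, user, path):
    return f"2012-10-{day:02d}T{hour:02d}:{minute:02d}:00Z user={user} action=read path={path}"


def build_sample_log():
    """Constructed log: five ordinary days, then one day on which 'mlee'
    (imagine a stolen executive credential) pulls deal files at 02:xx."""
    lines = []
    for day in range(1, 6):
        for i in range(3):
            lines.append(_line(day, 10, i * 5, "mlee", f"/marketing/campaign-{day}-{i}.pptx"))
        for i in range(2):
            lines.append(_line(day, 14, i * 5, "pchen", f"/ma/deal-notes-{day}-{i}.docx"))
    for i in range(2):   # pchen, who works on deals, behaves as usual
        lines.append(_line(8, 14, i * 5, "pchen", f"/ma/deal-notes-8-{i}.docx"))
    for i in range(12):  # mlee never touched /ma/ before, and never at night
        lines.append(_line(8, 2, i * 3, "mlee", f"/ma/valuation-{i}.xlsx"))
    return lines


if __name__ == "__main__":
    for user, reasons in detect_anomalies(build_sample_log(), TARGET_DATE).items():
        print(user, "->", "; ".join(reasons))
```

The point of keying the rules to each user's own history rather than to fixed limits is that the deal team's normal access to the same folder produces no alert, while a marketing account doing the same thing trips all three rules at once. A real deployment would widen the baseline window and add peer-group comparison so that a slow, patient intruder does not simply become the baseline.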

Organizations also should be encrypting internal email and sensitive data itself, said Mark Bower, data protection expert and vice president at Voltage Security. “This is the future of crime; data theft is big business,” he said. “And cases like this continue to raise awareness of the shortcomings of traditional infrastructure security in keeping sensitive data safe – whether that’s confidential client information, intellectual property or sensitive details about mergers and acquisitions.”

The switch should come sooner rather than later. In October, UK Foreign Secretary William Hague, speaking at the Budapest Conference on Cyberspace, warned of increasing commercial impact due to data-focused cybercrime.

“It is now possible to buy off-the-shelf malicious software, designed to steal bank details, for as little as £3,000, including access to a 24-hour technical support line,” he said. Hague added, “Attacks of [large] scale and severity continue to compromise many millions of pounds of investment in research and development, damaging a company’s ability to defend its intellectual property rights and wiping away years of sensitive negotiations and commercial positioning. If these attacks are left unchecked they could have a devastating impact on the future earning potential of many major companies and the economic well-being of countries.”

Coke may be a high-profile victim of data theft, but Bower warns that it will be far from the last. “Without new approaches like data-centric security, you can place a firm bet that systems will be breached,” he said. “It’s just a matter of when, not if – and even the best prepared organizations are at risk without a data-centric approach to protecting sensitive business data assets as history shows in this case.”
