The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe's point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers' activity.

Over 10 days last July, the hackers returned to the council's computers four times, accessing the internal communications of 11 of the EU's economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe.

And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of China's biggest and busiest hacking groups.

Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as “comments.”

During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers' work as data bled from one victim after the next: from oilfield services leader Halliburton Co. to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd.

The researchers identified 20 victims in all — many of them organizations with secrets that could give China an edge as it strives to become the world's largest economy. The targets included lawyers pursuing trade claims against the country's exporters and an energy company preparing to drill in waters China claims as its own.

“What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn — that's the tip of the iceberg, the unclassified stuff,” said Shawn Henry, former executive assistant director of the FBI in charge of the agency's cyber division until leaving earlier this year. “I've been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we've ever seen. It's a machine.”

Exploiting a hole in the hackers' security, the researchers created a digital diary, logging the intruders' every move as they crept into networks, shut off anti-virus systems, camouflaged themselves as system administrators and covered their tracks, making them almost immune to detection by their victims.

The minute-by-minute accounts spin a never-before told story of the workaday routines and relentless onslaught of a group so successful that a cyber unit within the Air Force's Office of Special Investigations in San Antonio is dedicated to tracking it, according to a person familiar with the unit.

Those logs — a record of the hackers' commands to their victims' computers — also reveal the highly organized effort behind a group that more than any other is believed to be at the spear point of China's vast hacking industry. Byzantine Candor is linked to China's military, the People's Liberation Army, according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document.

Hackers and Spies

The methods behind China's looting of technology and data — and most of the victims — have remained for more than a decade in the murky world of hackers and spies, fully known in the U.S. only to a small community of investigators with classified clearances.

“Until we can have this conversation in a transparent way, we are going to be hard-pressed to solve the problem,” said Amit Yoran, former National Cyber Security Division director at the Department of Homeland Security.

Yoran now works for RSA Security Inc., a Bedford, Massachusetts-based security company which was hacked by Chinese teams last year. “I'm just not sure America is ready for that,” he said.

What started as assaults on military and defense contractors has widened into a rash of attacks from which no corporate entity is safe, say U.S. intelligence officials, who are raising the alarm in increasingly dire terms.

In an essay in the Wall Street Journal July 19, President Barack Obama warned that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” Ten days earlier, in a speech given in Washington, National Security Agency director Keith Alexander said cyber espionage constitutes “the greatest transfer of wealth in history,” and cited a figure of $1 trillion spent globally every year by companies trying to protect themselves.

The networks of major oil companies have been harvested for seismic maps charting oil reserves; patent law firms for their clients' trade secrets; and investment banks for market analysis that might impact the global ventures of state-owned companies, according to computer security experts who asked not to be named and declined to give more details.

China's foreign ministry in Beijing has previously dismissed allegations of state-sponsored cyberspying as baseless and said the government would crack down if incidents came to light. Contacted for this story, it did so again, referring to earlier ministry statements.

Private researchers have identified 10 to 20 Chinese hacking groups but said they vary significantly in activity and size, according to government investigators and security firms.

Group Apart

What sets the Comment group apart is the frenetic pace of its operations. The attacks documented last summer represent a fragment of the Comment group's conquests, which stretch back at least to 2002, according to incident reports and interviews with investigators. Milpitas, California-based FireEye Inc. alone has tracked hundreds of victims in the last three years and estimates the group has hacked more than 1,000 organizations, said Alex Lanstein, a senior security researcher.

Stolen information is flowing out of the networks of law firms, investment banks, oil companies, drug makers, and high technology manufacturers in such significant quantities that intelligence officials now say it could cause long-term harm to U.S. and European economies.

“The activity we're seeing now is the tremor, but the earthquake is coming,” said Ray Mislock, who before retiring in September was chief security officer for DuPont Co., which has been hacked by unidentified Chinese teams at least twice since 2009.

“A successful company can't sustain a long-term loss of knowledge that creates economic power,” he said.

Even those offline aren't safe. Y.C. Deveshwar, 65, a businessman who heads ITC, India's largest maker of cigarettes, doesn't use a computer. The Comment hackers last year still managed to steal a trove of his documents, navigating the conglomerate's huge network to pinpoint the machine used by Deveshwar's personal assistant.

On July 5, 2011, the thieves accessed a list of documents that included Deveshwar's family addresses, tax filings, and meeting minutes, as well as letters to fellow executives, such as London-based British American Tobacco Plc chairman Richard Burrows and BAT chief executive, Nicandro Durante, according to the logs. They tried to open one entitled “YCD LETTERS” but couldn't, so the hackers set up a program to steal a password the next time his assistant signed on.

When Bloomberg contacted the company in May, spokesman Nazeeb Arif said ITC was unaware of the breach, potentially giving the hackers unimpeded access to ITC's network for more than a year. Deveshwar said in a statement that “no classified company related documents” were kept on the computer.

Companies that discover their networks have been commandeered usually keep quiet, leaving the public, shareholders and clients unaware of the magnitude of the problem. Of the 10 Comment group victims reached by Bloomberg, those who learned of the hacks chose not to disclose them publicly, and three said they were unaware they'd been hacked until contacted for this story.

This account of the Comment group is based on the researchers' logs, as well as interviews with current and former intelligence officials, victims, and more than a dozen U.S. cybersecurity experts, many of whom track the group independently.

Private Investigators

The researcher who provided the computer logs asked not to be named because of the sensitivity of the data, which included the names of victims. He was part of a collaborative drawn from 20 organizations that included people from private security companies, a university, internet service providers and companies that have been targeted, including a defense contractor and a pharmaceutical firm. The group included some of the top experts in the field, with experience investigating cyberspying against the U.S. government, major corporations and high profile political targets, including the Dalai Lama.

Like similar, ad hoc teams formed temporarily to study hackers' techniques, the group worked in secret because of the sensitivities of the investigation aimed at state-sponsored espionage. A smaller version of the group is continuing its research.

As the surge in attacks on businesses and non-government groups over the last five years has pulled private security experts into the hacker hunt, they say they're gradually catching up with U.S. counterintelligence agencies, which have been tackling the problem for a decade.

One Comment group trademark involves hijacking unassuming public websites to send commands to victim computers, turning mom-and-pop sites into tools of foreign espionage, but also allowing the group to be monitored if those websites can be found, according to security experts. Sites it has commandeered include one for a teacher at a south Texas high school with the website motto “Computers Rock!” and another for a drag racing track outside Boise, Idaho.

Adding a potentially important piece to the puzzle, researcher Joe Stewart, who works for Dell SecureWorks, an Atlanta-based security firm and division of Dell Inc., the computer technology company, last year uncovered a flaw in software used by Comment group hackers. Designed to disguise the pilfered data's ultimate destination, the mistake instead revealed that in hundreds of instances, data was sent to Internet Protocol (IP) addresses in Shanghai.

Military Link?

The location matched intelligence contained in the 2008 State Department cable published by WikiLeaks that placed the group in Shanghai and linked it to China's military. Commercial researchers have yet to make that connection. The basis for that cable's conclusion, which includes the U.S.'s own spying, remains classified, according to two former intelligence specialists.

Lanstein said that although the make-up of the Comment group has changed over time — the logs show some inexperienced hackers in the group making repeated mistakes, for example — the characteristics of a single group are unmistakable. The code and tools used by Comment aren't public, and anyone using them would have to be given entree into the hackers' ranks, he said.

By October 2008, when the diplomatic cable published by WikiLeaks outlined the group's activities, the Comment group had raided the networks of defense contractors and the Department of State, as well as made a specialty of hacking U.S. Army systems. The classified code names for China's hacking teams were changed last year after that leak.

Cybersecurity experts have connected the group to a series of headline-grabbing hacks, ranging from the 2008 presidential campaigns of Barack Obama and John McCain to the 72 victims documented last year by the Santa Clara, California-based security firm McAfee Inc., in what it called Operation Shady Rat.

Others, not publicly attributed to the group before, include a campaign against North American natural gas producers that began in December 2011 and was detailed in an April alert by the Department of Homeland Security, two experts who analyzed the attack said. In another case, the hackers first stole a contact list for subscribers to a nuclear management newsletter, and then sent them forged e-mails laden with spyware.

In that instance, the group succeeded in breaking into the computer network of at least one facility, Diablo Canyon nuclear plant, next to the Hosgri fault north of Santa Barbara, according to a person familiar with the case who asked not to be named.

Last August, the plant's incident management team saw an anonymous Internet post that had been making the rounds among cybersecurity professionals. It purported to identify web domains being used by a Chinese hacking group, including one that suggested a possible connection to Diablo plant operator Pacific Gas & Electric Co., according to an internal report obtained by Bloomberg News.

Partial Control

It's unclear how the information got to the Internet, but when the plant investigated, it found that the computer of a senior nuclear planner was at least partly under the control of the hackers, according to the report. The internal probe warned that the hackers were attempting “to identify the operations, organizations, and security of U.S. nuclear power generation facilities.”

The investigators concluded that they had caught the breach early and there was “no solid indication” data was stolen, according to the report, though they also found evidence of several previous infections.

Blair Jones, a spokesman for PG&E, declined to comment, citing plant security.

Around the time the hackers were sending malware-laden e-mails to U.S. nuclear facilities, six people at the Wiley Rein law firm were ushered into hastily called meetings. In the room were an ethics compliance officer and a person from the firm's information technology team, according to a person familiar with the investigation. The firm had been hacked, each of the six was told, and they were the targets.

Among them were Alan Price and Timothy Brightbill. Firm partners and among the best known international trade lawyers in the country, they've handled a series of major anti-dumping and unfair trade cases against China. One of those, against China's solar cell manufacturers, in May resulted in tariffs on more than $3 billion in Chinese exports, making it one of the largest anti-dumping cases in U.S. history.

Dale Hausman, Wiley Rein's general counsel, said he couldn't comment on how the breach affected the firm or its clients. Wiley Rein has since strengthened its network security, Hausman said.

“Given the nature of that practice, it's almost a cost of doing business. It's not a surprise,” he said.

E-Mails to Spouses

Tipped off by the researchers, the firm called the Federal Bureau of Investigation, which dispatched a team of cyber investigators, the person familiar with the investigation said. Comment hackers had encrypted the data they stole, a trick designed to make it harder to determine what was taken. The FBI managed to decode it.

The data included thousands of pages of e-mails and documents, from lawyers' personal chatter with their spouses to confidential communications with clients. Printed out in a stack, the cache was taller than a set of encyclopedias, the person said.

Researchers watching the hackers' keystrokes last summer say they couldn't see most of what was stolen, but it was clear that the spies had complete control over the firm's e-mail system. The logs also hold a clue to how the FBI might have decrypted what was stolen. They show the simple password the hackers used to encrypt the files: 123!@#. Paul Bresson, a spokesman for the FBI in Washington, declined to comment.

In case after case, the hackers' trail crisscrossed with geopolitical events and global headlines. Last summer, as the news focused on Europe's financial crisis, with its import for China's rising economic power, the hackers followed.

The timing coincided with an intense period for EU Council President Van Rompuy, set off by the failure July 11 of the EU finance ministers to agree on a second bailout package for Greece. Over the next 10 days, the slight and balding former Belgian prime minister presided over the negotiations, drawing European leaders, including German Chancellor Angela Merkel, to a consensus.

Although the monitoring of Van Rompuy and his staff occurred during those talks, researchers say that the logs suggest a broad attack that wasn't timed to a specific event. It was the cyber equivalent of a wiretap, they say — an operation aimed at gathering vast amounts of intelligence over weeks, perhaps months.

'Big Implications'

Richard Falkenrath, former deputy homeland security adviser to President George W. Bush, said China has succeeded in integrating decision-making about foreign economic and investment policy with intelligence collection.

“That has big implications for the rest of the world when it deals with the country on those terms,” he said.

Beginning July 8, 2011, the hackers' access already established, they dipped into the council's networks repeatedly over 10 days. The logs suggest an established routine, with the spies always checking in around 9 a.m. local time. They controlled the council's exchange server, which gave them complete run of the e-mail system, the logs show. From there, the hackers simply opened the accounts of Van Rompuy and the others.

Moving from one victim to the next, the spies grabbed e-mails and attached documents, encrypted them in compression files and catalogued the reams of material by date. They grabbed a week's worth of e-mails each time, appearing to follow a set protocol. Their other targets included then economic adviser and deputy head of cabinet, Odile Renaud-Basso, and the EU's counter-terrorism coordinator. It's unclear how long the hackers had been in the council's network before the researchers' monitoring began — or how long it lasted after the end of July last year.

There's no indication the hackers penetrated the council's offline system for secret documents. “Classified information and other sensitive internal information is handled on separate, dedicated networks,” the council press office said in a statement when asked about the hacks. The networks connected to the Internet, which handle e-mail, “are not designed for handling classified information.”

What the EU did about the breach is unclear. Dirk De Backer, a spokesman for Van Rompuy, declined to comment on the incident, as did an official from the EU Council's press office. A member of the EU's security team joined the group of researchers in late July, and was provided information that would help identify the hackers' trail, one of the researchers said.

Zoltan Martinusz, then principal adviser on external affairs and one of two victims reached by Bloomberg who would address the issue, said, “I have no knowledge of this.” The other official, who wasn't authorized to discuss internal security and asked not to be identified, said he was informed last year that his e-mails had been accessed.

The logs show how the hackers consistently applied the same, simple line of attack, the researchers said. Starting with a malware-laden e-mail, they moved rapidly through networks, grabbing encrypted passwords, cracking the coding offline, and then returning to mimic the organization's own network administrators. The hackers were able to dip in and out of networks sometimes over months.

The approach circumvented the millions of dollars the organizations collectively spent on protection.

As the spies rifled the network of Business Executives for National Security Inc., a Washington-based nonprofit whose advisory council includes former Secretary of State Henry Kissinger and former Treasury Secretary Robert Rubin, the logs show them switching off the system's Symantec anti-virus software. Henry Hinton Jr., the group's chief operations officer, said in June he was unaware of the hack, confirming the user names of staff computers that the logs show were accessed, his among them.

The records show the hackers' mistakes, but also clever tricks. Using network administrator status, they consolidated onto a single machine the computer contents of the president and seven other staff members of the International Republican Institute, a nonprofit group promoting democracy.

220 Documents

With all that data in one place, the hackers on June 29, 2011, selected 220 documents, including PDFs, spreadsheets, photos and the organization's entire work plan for China. When they were done, the Comment group zipped up the documents into several encrypted files, making the data less noticeable as it left the network, the logs show.

Lisa Gates, a spokeswoman for the IRI, confirmed that her organization was hacked but declined to comment on the impact on its programs in China because of concern for the safety of staff and people who work with the group. A funding document describes activities including supporting independent candidates in China, who frequently face harassment by China's authorities.

As a portrait of the hackers at work, the logs also show how nimbly they could respond to events, even when sensitive government networks were involved. The hackers accessed the network of the Immigration and Refugee Board of Canada July 18 last year, targeting the computer of Leeann King, an immigration adjudicator in Vancouver.

King had made headlines less than a week earlier when she temporarily freed Chinese national Lai Changxing in the final days of a long extradition fight. Chinese authorities had been chasing Lai since he fled to Canada in 1999, alleging that he ran a smuggling ring that netted billions of dollars.

Monitoring by Cyber Squared Inc., an Arlington, Virginia-based company that tracks Comment independently and that captured some of the same activity as the researchers, recorded the hackers as they worked rapidly to break into King's account. Beginning only with access to computers in Toronto, the hackers grabbed and decrypted user passwords, gaining access to IRB's network in Vancouver and ultimately, the logs show, to King's computer. From start to finish, the work took just under five hours.

Melissa Anderson, a spokeswoman for the board, said officials had no comment on the incident other than to say that any such event would be fully investigated. Lai was eventually sent back to China on July 23, 2011 after losing a final appeal. He was arrested, tried, and in May of this year, a Chinese court sentenced him to life in prison.

In case after case, the hackers had the run of the networks they were rifling. It's unclear how many of the organizations researchers contacted, but in only one of those cases was the victim already aware of the intrusion, according to one member of the group. Halliburton officials said they were aware of the intrusion and were working with the FBI, one of the researchers said.

Marisol Espinosa, a spokeswoman for the publicly traded company, declined to comment on the incident.

The trail last summer led to some unlikely spots, including Pietro's, an Italian restaurant a couple of blocks from Grand Central station in New York. In business since 1932, guests to the dim, old-fashioned dining room can choose linguine with clam sauce (red or white) for $28. The Comment group stopped using the restaurant's site to communicate with hacked networks sometime last year, said FireEye's Lanstein, who discovered that the hackers had left footprints there. Traces are still there.

Hidden in the webpage code of the restaurant's site is a single command: ugs12, he said. It's an order to a captive computer on some victim's network to sleep for 12 minutes, then check back in, he explained. The “ug” stands for “ugly gorilla,” what security experts believe is a moniker for a particularly brash member of Comment, a signal for anyone looking that the hackers were there, said Lanstein.
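As an added illustration of how a site owner or analyst could spot this kind of hidden channel (example code written for this page, not code from the article, FireEye or the researchers), the scanner below pulls every HTML comment out of a page and flags the ugs12-style beacon described above. The page attests only the single token ugs12 and its meaning (sleep 12 minutes); reading the middle letter "s" as a sleep verb, the surrounding beacon grammar, the opaque-token heuristic and the sample page are assumptions made here.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the restaurant's real markup): ordinary
# markup comments plus one comment shaped like the beacon in the article.
SAMPLE_HTML = """<html><head><title>Menu</title></head>
<body>
<!-- begin main content -->
<h1>Menu</h1>
<p>Linguine with clam sauce (red or white)</p>
<!-- ugs12 -->
<!-- end main content -->
<!-- Copyright 2011 -->
</body></html>"""

# Assumed beacon grammar, modelled on the one attested token "ugs12":
# the "ug" handle, a one-letter verb ("s" assumed to mean sleep) and a
# decimal argument in minutes. Only the ugs<N> form appears on the page.
BEACON_RE = re.compile(r"^ug([a-z])(\d+)$")
VERBS = {"s": "sleep"}


class CommentCollector(HTMLParser):
    """Collects the bodies of all <!-- ... --> comments in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return the stripped text of every HTML comment, in page order."""
    parser = CommentCollector()
    parser.feed(html)
    return parser.comments


def classify_comment(text):
    """Return (verdict, detail) for one comment body."""
    match = BEACON_RE.match(text)
    if match:
        verb = VERBS.get(match.group(1), "unknown-verb")
        return ("beacon", f"{verb} {int(match.group(2))} min")
    # Heuristic (assumption): a lone short token mixing letters and digits,
    # with no spaces, is not how people annotate markup, so surface it.
    if (re.fullmatch(r"[A-Za-z0-9_]{3,16}", text)
            and any(c.isdigit() for c in text)
            and any(c.isalpha() for c in text)):
        return ("suspicious", "opaque token")
    return ("benign", "")


def scan_page(html):
    """Return [(comment, verdict, detail)] for comments worth analyst review."""
    hits = []
    for comment in extract_comments(html):
        verdict, detail = classify_comment(comment)
        if verdict != "benign":
            hits.append((comment, verdict, detail))
    return hits


if __name__ == "__main__":
    for comment, verdict, detail in scan_page(SAMPLE_HTML):
        print(f"{verdict:<10} {comment!r} {detail}")
```

Run against a saved copy of a page, the output lists only the comments that look like machine instructions rather than developer notes; the generic heuristic will produce false positives (build hashes, cache tags) and is meant as a triage aid, not a verdict.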

“We're so good even hackers want us!” joked Bill Bruckman, the restaurant's co-owner, when he was told his website had been part of the global infrastructure of a Chinese hacking team. “Hey, put my name out there — any business is good business,” he said.

Bruckman said he knew nothing about the breach. A few friends reported trouble accessing the site about six months ago, though he said he'd never figured out what the problem was.

Outside a moment later, smoking a cigarette, Bruckman added a more serious note.

“Think of all that effort and information going down the drain. What a waste, you know what I mean?”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.