Attack Hits Computers in 196 Countries
2,411 companies targeted with spyware
February 22, 2010
Last week brought news of one of the largest and most sophisticated corporate cyber-attacks ever: A massive infiltration of 2,411 companies in 196 countries that began a year and a half ago and is still going.
The Wall Street Journal ($) broke the story about the attack that targeted e-mails, corporate data, credit card transaction information, personal log-ins and intellectual property. It was launched in 2008 and has grown to infect more than 75,000 computer systems, concentrated in the United States, Egypt, Mexico, Saudi Arabia and Turkey.
NetWitness, the Herndon, Va.-based company that provides computer security for government agencies and private firms, said one of its engineers discovered the attack Jan. 26. The company said the intrusion, named the Kneber bot, had been launched by hackers in Eastern Europe using 20 “command and control” servers around the world, some of which are in China.
Last month Google divulged that it and about 30 other companies had been targeted by computers in China, where safeguards and scrutiny are often lacking.
The scope of the latest attack, however, demonstrates how vulnerable many companies are, even the ones that are the most tech-savvy.
“The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” NetWitness CEO Amit Yoran told The Washington Post. “The things that we – industry – have been doing for the past 20 years are ineffective with attacks like this. That's the story.”
How did the hackers do it? In 2008, a server in Germany began targeting corporate employees by getting them to click on fake Web sites, e-mail attachments or ads for anti-virus software. Opening them launched a spyware program called ZeuS, which is available for free in its basic form on the Internet.
The Journal reported that the companies hacked included Merck, Cardinal Health, Paramount Pictures and the software company Juniper Networks. Merck said it had one computer that was infected, but that it had isolated it and no sensitive information had been compromised. Cardinal said it had removed an infected computer from its network.
Hackers also got into the systems of 10 government agencies, but none were national security-related. The username and password for a soldier’s military e-mail account were, nonetheless, obtained.
©2003-2010 Identity Theft 911, LLC. All rights reserved.