U.S. Markets open in 5 hrs 18 mins

US Hacking Victims Are Sometimes Their Own Worst Enemies

Jack Gillum and Eric Tucker, Associated Press.

The hacking techniques the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking website links.

The scariest part might be how successfully the ruses worked. With a mouse click or two, employees at big-name American makers of nuclear and solar technology gave away the keys to their computer networks.

In a 31-count indictment on Monday the Justice Department said five Chinese military officials operating under hacker aliases such as "Ugly Gorilla," "KandyGoo" and "Jack Sun" stole confidential business information, sensitive trade secrets and internal communications for competitive advantage. The U.S. identified the alleged victims as Alcoa World Alumina, Westinghouse, Allegheny Technologies, U.S. Steel, United Steelworkers Union and SolarWorld.

China denied it all on Tuesday.

The hackers are said to have created a fake email account under the misspelled name of a then-Alcoa director and fooled an employee into opening an email attachment called "agenda.zip," billed as the agenda to a 2008 shareholders' meeting. It exposed the company's network. At another time, a hacker allegedly emailed company employees with a link to what appeared to be a report about industry observations, but the link instead installed malicious software that created a back door into the company's network.

Other security layers failed in the hackings blamed on China, too. More-effective antivirus or security software could have blocked the malicious attachments or prevented users from visiting risky web links. Back-end server filters could have prevented dangerous emails from reaching employees. Intrusion-detection systems on corporate networks could have more quickly raised red flags internally after a successful break-in.

Even worse: Employees, by their nature, are socially conditioned to want to open and respond to an email that purports to be from the boss - never mind that the message may actually be a trick.

The interactive graphic below explain one of the tactics Chinese military officers relied upon to break into major American companies: