Commercial hacker hunters — who refer to the team as the Comment group, for the hidden program code, known as “comments,” that it uses — tie it to a multitude of victims that include the president of the EU Council, major defense contractors and even US President Barack Obama’s 2008 presidential campaign. The group has been linked to the People’s Liberation Army, China’s military, according to leaked classified cables.
The Solid Oak attack is a micro tale of what some of the US and Europe’s largest corporations have experienced, says US Representative Mike Rogers, a Republican who chairs the US House of Representatives Intelligence Committee.
The campaign to steal private files and intellectual property, even to the point of collapsing businesses, amounts to a criminal racket for commercial gain, Rogers says.
“I used to work organized crime in Chicago — I don’t know, but it sure seems like there are a lot of similarities,” says Rogers, a former FBI agent.
Headquartered in a converted Victorian house, Milburn’s small company seems an unlikely candidate to become entangled in an international feud with China, except for one thing: It was a market leader in the US for software that lets parents and schools block objectionable Web content, like pornography and violence.
China was looking for software to do the same thing on a national scale. In May 2009, Chinese officials ordered Web-filtering software called Green Dam Youth Escort installed on every computer sold in the country. They touted the software’s ability to protect young Internet users by filtering pornography. Critics in China, who identified more than 6,000 political keyword filters, branded it an extension of China’s censorship regime.
When University of Michigan researchers examined the program in June 2009 to see how it worked, they discovered that thousands of lines of code directly matched Milburn’s software, which has 1.1 million active users. Included, apparently by mistake, was a CYBERsitter upgrade announcement — the “smoking gun” that the software had been pirated, according to Milburn.
An independent analysis later found that four of the five active filters were copied almost verbatim from CYBERsitter and that Green Dam could not operate correctly when those filters were disabled. It is possible the code was stolen in an earlier hack, but Milburn believes the thieves simply bought a copy and broke the encryption protecting the code.
In interviews with reporters, he said he was considering a lawsuit and vowed to pursue an injunction.
On June 24 — 12 days after Milburn went public with his legal intentions — the hackers made their first appearance. Working from her home office 240km south of Santa Barbara in Orange County, Jenna DiPasquale, 39, who is Milburn’s daughter and Solid Oak’s one-woman marketing department, received a carefully forged e-mail containing hidden spyware.
It looked like a routine message from Milburn, so DiPasquale clicked on the attachment, realizing only later that the e-mail address was a couple of letters off. Solid Oak employees received more bogus e-mails over the next few days, setting off alarm bells.
Milburn contacted Matthew Thomlinson, a Microsoft threat expert, for help. Thomlinson found the malware had downloaded software that burrowed into the company’s Microsoft operating system, automatically uploading more tools the hackers could use to control the network remotely. The malware had been created on a Chinese-language computer, he concluded.