Drive past the dairy farms, cornfields and horse pastures in Belleville, Wisconsin, and you eventually arrive at Cate Machine and Welding, a small-town business run by Gene and Lori Cate and their sons. For 46 years, the Cates have welded many things — fertilizer tanks, fighter jet parts, cheese molds, even a farmer’s broken glasses.
And like many small businesses, they have a dusty old computer humming away in the back office. However, on this one, an unusual spy-versus-spy battle is playing out: The machine has been taken over by Chinese hackers.
The hackers use it to plan and stage attacks, but unbeknown to them, a Silicon Valley start-up is tracking them, in real time, watching their every move and, in some cases, blocking their efforts.
Illustration: Mountain People
“When they first told us, we said, ‘No way,’” Gene Cate said one afternoon over pizza and cheese curds, recalling when he first learned that the computer server his family used to manage its welding business had been secretly repurposed.
“We were totally freaked out,” Lori Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”
On a recent Thursday, the hackers’ targets appeared to be a Silicon Valley food delivery start-up, a major Manhattan law firm, one of the world’s biggest airlines, a prominent university in the southern US and a smattering of targets across Thailand and Malaysia. The New York Times viewed the action on the Cates’ computer on the condition that it not name the targets.
The activity had the hallmarks of Chinese hackers known as the C0d0s0 Group, a collection of hackers for hire that the security industry has been tracking for years. The group has breached banks, law firms and tech companies, and once hijacked the Forbes Web site to try to infect visitors’ computers with malware.
There is a murky and much hyped emerging industry in selling intelligence about attack groups like the C0d0s0 Group. Until recently, companies typically adopted a defensive strategy of trying to make their networks as impermeable as possible in hopes of repelling attacks. Today, so-called threat intelligence providers sell services that promise to go on the offensive. They track hackers, and for annual fees — that can climb into the millions of US dollars — they try to spot and thwart attacks before they happen.
These companies have a mixed record of success. Still, after years of highly publicized incidents, Gartner, a market research company, expects the market for threat intelligence to reach US$1 billion next year, up from US$255 million in 2013.
Remarkably, many attacks rely on a tangled maze of compromised computers, including those of mom-and-pop shops like Cate Machine and Welding. The hackers are not after the Cates’ data. Rather, they have converted their server, and others like it, into launchpads for their attacks.
These servers offer the perfect cover. They are not terribly well protected, and rarely, if ever, do the owners discover that their computers have become conduits for spies and digital thieves. And who would suspect the Cate family?
Two years ago, the Cates received a visit from men informing them that their server had become a conduit for Chinese spies.
The Cates asked: “Are you from the NSA [National Security Agency]?”
One of the men had, in fact, worked at the NSA years before joining a start-up company, Area 1, that focuses on tracking digital attacks against businesses.
“It’s like being a priest,” Area 1’s chief security officer Blake Darche said of his NSA background. “In other people’s minds, you never quite leave the profession.”
Darche wanted to add the Cates’ server to Area 1’s network of 50 others that had been co-opted by hackers. Area 1 monitors the activity flowing into and out of these computers to glean insights into attackers’ methods, tools and Web sites so that it can block them from hitting its clients’ networks or give the clients a heads-up days, weeks or even months before they hit.
The Cates called a family meeting.
“People work really hard to make products, and they’re getting stolen,” Lori Cate said. “It seemed like the least we could do.”
Area 1 paid for the installation cost, about US$150.
Shortly after installing a sensor on the machine, Darche said, his hunch was confirmed: The sensor lit up with attacks. Area 1 began to make out the patterns of a familiar adversary: the C0d0s0 Group.
Area 1 was founded by three former NSA analysts, Darche, Oren Falkowitz and Phil Syme. The three sat side-by-side at Fort Meade, tracking and, in some cases, penetrating adversaries’ weapons systems for intelligence.
A little more than two years ago, they decided to start their own company and raised US$25.5 million in funding from major venture capitalists and security entrepreneurs in Silicon Valley, including Kleiner Perkins Caufield and Byers and Cowboy Ventures, and security veterans like RedSeal chief executive Ray Rothrock and Shape Security chief executive Derek Smith.
Area 1 is a new player in threat intelligence, a nascent subsector of the security business that includes companies like iSight Partners and Recorded Future that track attackers in underground Web forums and on social media, gleaning intelligence about them.
Threat intelligence is still more art than science. The jury is still out on whether companies are equipped to use that intelligence to thwart hackers. Area 1 claims it can head off attacks through the compromised servers it is tracking. It can also use its vantage point to see where attackers are setting up shop on the Web and how they plan to target their intended victims.
A handful of Area 1 customers confirmed that its technology had helped head off attackers.
One client, a chief information security officer at a large healthcare provider, said the healthcare sector had been slammed by digital criminals and governments in recent years. He asked that the company not be named, to avoid becoming a more visible target.
He credited Area 1’s sensors with blocking several attacks on his network, helping his company avoid the fates of health insurer Anthem, which was breached by Chinese hackers last year, and a growing number of hospitals hit by attacks that have forced them to pay a ransom to get important information back.
Smith said Area 1 warned his company of three attacks before they happened, providing time to block them.
Smith said he was impressed enough that he made a small investment in Area 1.
“Many of these mom-and-pop shops are ambivalent because the attacks don’t directly impact their business and revenue,” he said. “Meanwhile, they unwittingly operate this attack infrastructure.”
However, Area 1’s business model can pose ethical dilemmas. What does the company do when it sees attacks against prominent companies and government agencies who are not Area 1 customers?
“We think of ourselves as a bodyguard, not a police force that runs around telling everyone they’re a victim,” company chief executive Falkowitz said. “We’re in the business of pre-emption.”
They do warn some victims, he said.
For instance, they tipped off a law firm, a manufacturer, a financial services firm and an electronics company that were attacked via the Cates’ server after they saw the C0d0s0 hackers make off with their intellectual property. Some of those victims, including the law firm, later signed up for Area 1 services.
Not all companies heed the warning.
A security consultant for one victim, who spoke on the condition of anonymity because of nondisclosure agreements, said his client chose not to act on a tip from Area 1 last year out of concern that a scandal over a successful online attack against the company would jeopardize its recent acquisition. It figured its acquirer would not have been thrilled to learn that the start-up’s proprietary technology was now in Chinese hackers’ hands.
Posted on the wall of Area 1’s headquarters in a historic house in Redwood City, California, is a list titled “45 Things That Are Harder Than Cybersecurity.” It includes flight, solar power, the flu vaccine, brain surgery, the Internet, heart transplants, skyscrapers, the Thermos and the Q-tip.
Falkowitz disagrees with a growing concern that it is too difficult or impossible to stop online attacks. As attackers have grown more sophisticated, many security companies have stopped believing they can block attacks with traditional defenses like anti-virus software. Instead, many focus on trying to detect an intrusion “in real time,” to catch hackers before they steal too much.
Eighty percent of the time, victims learn they have been breached only when law enforcement or someone else shows up with their stolen data, according to Verizon, which tracks breach data.
At the NSA, Falkowitz had worked with teams that detected North Korean missile launches. Much of that early work was done with satellites that would look for sudden heat blasts.
Eventually, Falkowitz’s team tried a more proactive approach. If they could hack the computers that controlled the missile launch systems, they could glean launch schedules. Area 1 is now taking a similar approach to digital attacks, tapping into the attackers’ launchpads, as it were, rather than waiting for them to attack.
Hackers do not just press a big red “attack” button one day. They do reconnaissance, scout out employees on LinkedIn and draft carefully worded e-mails to trick unsuspecting employees into opening them and clicking on links or e-mail attachments that will try to launch malicious attacks.
Once they persuade a target to click — and 91 percent of attacks start this way, according to security firm Trend Micro — it takes time to crawl through a victim’s network to find something worth taking. Then they have to pull that data off the network. The process can take weeks, months, even years and leaves a digital trail.
Area 1 watches for this kind of activity and then teams up with firms like Blue Coat, a Web security company, to build what it has learned into security software that can try to block attacks when they come.
The owners of Cate Machine and Welding say that living with Chinese attackers in your office can be a strange feeling.
Recently, Area 1 executives visited the shop and showed them some of what they had learned from watching their computer. The C0d0s0 Group had used their server to pilfer a law firm’s due diligence on an impending acquisition, a financial services firm’s confidential trading plans, a mobile payment start-up’s proprietary source code, and blueprints and loan applications from a mortgage company.
Hearing that, Gene Cate expressed pride — and maybe even a hint of schadenfreude. For years, the welding business that is his family’s bread and butter has been migrating to China. Now his family is helping US businesses fight back.
“We want to do the right thing for these businesses,” he said. “For our country.”