Malware-infected scanners sold by a Chinese manufacturer led to the theft of sensitive financial and operational data from at least a half-dozen U.S. and European logistics and shipping companies.
The malware was also found in software available for download on the manufacturer's Website, security vendor TrapX reported Thursday. The malicious app was the first stage of a three-stage attack dubbed Zombie Zero that compromised business software and sent data back to facilities linked to the Chinese military.
Confidentiality agreements prevented the vendor from identifying the victims. TrapX also declined to name the manufacturer to avoid a possible lawsuit.
"We're only a startup and we don't have a war chest that could handle any type of legal situation," Carl Wright, general manager of North America for TrapX, said.
The manufacturer was notified, but denied any wrongdoing, Wright said.
The U.S. Department of Homeland Security declined comment, but experts warned that the incident demonstrates that companies can no longer afford to buy equipment without vetting the manufacturer.
The scanners were used to capture the origin, destination, contents and other data from goods moving between ships, trucks and planes.
The scanned data was then transmitted wirelessly to corporate enterprise resource planning (ERP) systems, which manage financial data, track inventory, manage shipping and perform a host of other business processes.
Once the scanner was connected to the network, the malware would first find a way through the firewall and then look for, and compromise, servers with the word "finance" in their host name. This was done until the malware infected the ERP server.
Stage two of the attack involved the download of stand-by malware in the scanner that established a connection between the ERP server and a Chinese command-and-control botnet traced to the Lanxiang Vocational School located in Shandong Province, China.
The school, located blocks away from the manufacturer, trains computer scientists for the Chinese military. In 2010, it was linked to cyberattacks, dubbed Operation Aurora, against dozens of organizations, including Google, Yahoo, Northrop Grumman, Morgan Stanley and Dow Chemical.
Stage three of the attack involved installing additional malware from the botnet that established a more sophisticated connection with a second botnet that ended at an undetermined location in Beijing.
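The attack chain above hinges on a barcode scanner doing things a barcode scanner has no business doing: reaching internal servers other than the ERP collector, probing hosts whose names contain "finance", and beaconing to addresses outside the corporate network. The following script, added here as an illustration and not code from TrapX or the article, shows the kind of role-based flow check a defender can run over firewall or NetFlow records to surface that behaviour. Every address, hostname, subnet and log line in it is constructed for the example: it assumes scanners sit in 10.20.0.0/16, that their only legitimate destination is an ERP collector at 10.50.1.10:443, that the corporate range is 10.0.0.0/8, and that flows are logged as "timestamp src dst dport action".

```python
"""Flag barcode-scanner network flows that do not match the device's expected role.

Added example, not TrapX's or the article's code. All networks, hosts and log
lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SCANNER_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed scanner VLAN
ALLOWED_DESTS = {("10.50.1.10", 443)}                 # assumed ERP collector endpoint
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address space

# Constructed inventory: internal IP -> hostname, used to spot "finance" hosts.
INVENTORY = {
    "10.50.1.10": "erp-collector-01",
    "10.60.2.5": "finance-db-02",
    "10.60.2.9": "hr-portal-01",
}

# Constructed flow records in the assumed "timestamp src dst dport action" format.
# 198.51.100.0/24 is a documentation range, standing in for an unknown external host.
SAMPLE_FLOWS = """\
2014-07-10T08:00:01 10.20.3.41 10.50.1.10 443 allow
2014-07-10T08:00:05 10.20.3.41 10.60.2.5 445 allow
2014-07-10T08:00:09 10.20.3.41 10.60.2.9 445 allow
2014-07-10T08:01:30 10.20.3.41 198.51.100.77 8080 allow
2014-07-10T08:02:00 10.20.3.42 10.50.1.10 443 allow
"""


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str
    severity: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside any assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src: str, dst: str, dport: int) -> Optional[Finding]:
    """Return a Finding when a scanner flow violates its expected role, else None.

    Only sources inside the scanner VLAN are in scope; the ERP collector is the
    single allowed destination. Anything else is reported, with external
    destinations and hosts named '*finance*' treated as high severity because
    those are the behaviours described in the Zombie Zero write-up.
    """
    if ipaddress.ip_address(src) not in SCANNER_NET:
        return None                      # not a scanner; out of scope here
    if (dst, dport) in ALLOWED_DESTS:
        return None                      # expected scanner -> ERP traffic
    if not is_internal(dst):
        return Finding(src, dst, dport,
                       "scanner connecting outside the corporate network "
                       "(possible command-and-control beacon)", "high")
    hostname = INVENTORY.get(dst, "unknown-host")
    if "finance" in hostname.lower():
        return Finding(src, dst, dport,
                       f"scanner reaching host with 'finance' in its name ({hostname})",
                       "high")
    return Finding(src, dst, dport,
                   f"scanner contacting non-ERP internal host ({hostname})", "medium")


def scan_flows(text: str) -> List[Finding]:
    """Parse flow records and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _action = line.split()
        finding = classify(src, dst, int(dport))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"[{f.severity.upper()}] {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run on the constructed flows, the script reports the SMB probes against the finance database and the HR portal and the outbound connection to the external address, while the two legitimate scanner-to-ERP flows pass silently. The design point is that the allowlist is tiny and device-specific: a scanner has one job, so any deviation is worth a ticket, whereas the same traffic from a workstation would be noise.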
The data siphoned from the systems provided the attackers with "complete situational awareness and visibility into the logistic/shipping company's worldwide operations," the TrapX report said.
TrapX confirmed that at least six companies had malware planted in their ERP systems.
"In every single case the malware compromised the ERP system," Wright said. "This was a very, very targeted attack."
Since then, TrapX has found variants of the Zombie Zero malware in two manufacturers' industrial control systems, Wright said. No damage was done and he declined to discuss a possible motive or provide any other details.
"It's very early and we're just beginning our investigation," he said.
The infected scanners demonstrate how companies holding valuable intellectual property and data can no longer assume the equipment they buy is safe, experts say. Manufacturers' supply chains stretch across countries, providing many opportunities for the insertion of malware-infected components.
Because of a paucity of equipment made and assembled solely in the U.S., companies need to adopt a strategy of minimizing risk by vetting suppliers and knowing the security measures they take, Paul Rosenzweig, homeland security consultant and founder of Red Branch Consulting, said.
In addition, purchased equipment should be randomly selected and then checked for infection, Rosenzweig said. Also, equipment from suppliers that have not been fully vetted should never go into critical systems.
While steps can be taken to reduce risk, there is no "silver bullet," Rosenzweig said.
"It's a risk management proposition that means there will be failures," he said. "It's not a risk elimination."
In time, many manufacturers will likely have to produce documentation stating their products are safe.
"Private businesses will increasingly demand that hardware and software manufacturers obtain third-party certifications asserting the security of their products," Jacob Olcott, head of the cybersecurity practice at Good Harbor Consulting, said.