NYT: The Chinese Hackers in the Back Office

An example of the extent of China’s Unrestricted War – Economic War against The West.

Drive past the dairy farms, cornfields and horse pastures here and you will eventually arrive at Cate Machine & Welding, a small-town business run by Gene and Lori Cate and their sons. For 46 years, the Cates have welded many things — fertilizer tanks, jet-fighter parts, cheese molds, even a farmer’s broken glasses.

And like many small businesses, they have a dusty old computer humming away in the back office. On this one, however, an unusual spy-versus-spy battle is playing out: The machine has been taken over by Chinese hackers.

The hackers use it to plan and stage attacks. But unbeknown to them, a Silicon Valley start-up is tracking them here, in real time, watching their every move and, in some cases, blocking their efforts.

“When they first told us, we said, ‘No way,’” Mr. Cate said one afternoon recently over pizza and cheese curds, recalling when he first learned the computer server his family used to manage its welding business had been secretly repurposed. “We were totally freaked out,” Ms. Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”

On a recent Thursday, the hackers’ targets appeared to be a Silicon Valley food delivery start-up, a major Manhattan law firm, one of the world’s biggest airlines, a prominent Southern university and a smattering of targets across Thailand and Malaysia. The New York Times viewed the action on the Cates’ computer on the condition that it not name the targets.

The activity had the hallmarks of Chinese hackers known as the C0d0s0 group, a collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.

There is a murky and much hyped emerging industry in selling intelligence about attack groups like the C0d0s0 group. Until recently, companies typically adopted a defensive strategy of trying to make their networks as impermeable as possible in hopes of repelling attacks. Today, so-called threat intelligence providers sell services that promise to go on the offensive. They track hackers, and for annual fees that can climb into the seven figures, they try to spot and thwart attacks before they happen.

These companies have a mixed record of success. Still, after years of highly publicized incidents, Gartner, a market research company, expects the market for threat intelligence to reach $1 billion next year, up from $255 million in 2013.

Remarkably, many attacks rely on a tangled maze of compromised computers including those mom-and-pop shops like Cate Machine & Welding. The hackers aren’t after the Cates’ data. Rather, they have converted their server, and others like it, into launchpads for their attacks.

These servers offer the perfect cover. They aren’t terribly well protected, and rarely, if ever, do the owners discover that their computers have become conduits for spies and digital thieves. And who would suspect the Cate family?

Two years ago, the Cates received a visit from men informing them that their server had become a conduit for Chinese spies. The Cates asked: “Are you from the N.S.A.?”

One of the men had, in fact, worked at the National Security Agency years before joining a start-up company, Area 1, that focuses on tracking digital attacks against businesses. “It’s like being a priest,” said Blake Darché, Area 1’s chief security officer, of his N.S.A. background. “In other people’s minds, you never quite leave the profession.”

[Photo caption: Cate Machine & Welding, a family-run business in rural Wisconsin, is at the center of a spy-versus-spy battle. Credit: Lauren Justice for The New York Times]

Mr. Darché wanted to add the Cates’ server to Area 1’s network of 50 others that had been co-opted by hackers. Area 1 monitors the activity flowing into and out of these computers to glean insights into attackers’ methods, tools and websites so that it can block them from hitting its clients’ networks, or give them a heads-up days, weeks or even months before they hit.

The Cates called a family meeting. “People work really hard to make products, and they’re getting stolen,” Ms. Cate said. “It seemed like the least we could do.” Area 1 paid for the installation cost, about $150.

Shortly after installing a sensor on the machine, Mr. Darché said his hunch was confirmed: The sensor lit up with attacks. Area 1 began to make out the patterns of a familiar adversary: the C0d0s0 group.

Area 1 was founded by three former N.S.A. analysts, Mr. Darché, Oren Falkowitz and Phil Syme. The three sat side by side at Fort Meade, tracking and, in some cases, penetrating adversaries’ weapons systems for intelligence. A little over two years ago, they decided to start their own company and raised $25.5 million in funding from major venture capitalists and security entrepreneurs in Silicon Valley, including Kleiner Perkins Caulfield & Byers and Cowboy Ventures, and security veterans like Ray Rothrock, the chief executive of RedSeal, and Derek Smith, the chief executive of Shape Security.

Area 1 is a new player in threat intelligence, a nascent subsector of the security business that includes companies like iSight Partners and Recorded Future that track attackers in underground web forums and on social media, gleaning intelligence about them.

Threat intelligence is still more art than science. The jury is still out on whether companies are equipped to use that intelligence to thwart hackers. Area 1 claims that it can head off attacks through the compromised servers it is tracking. It can also use its vantage point to see where attackers are setting up shop on the web and how they plan to target their intended victims.

Read the full article on The New York Times.