Hackers spent a month logging commercially sensitive information before they were detected in a 2009 cyber-attack on Coca-Cola.
At the time, Atlantic Industries, a wholly owned subsidiary of Coca-Cola, was looking to buy the China Huiyuan Juice Group for about $2.4bn, which would have been the largest foreign takeover of a Chinese company up to that time. The BBC reported that according to Bloomberg, "the deal collapsed three days after the cyber-attack, citing internal sources."[BBC]
Established in 1992 and headquartered in Beijing, Huiyuan is the largest privately owned juice producer in China. It is engaged in the manufacture and sale of juice and other beverage products, including fruit and vegetable juice, nectars, bottled water, tea, and dairy drinks. On 17 March, it was reported that Coca-Cola was considering abandoning the deal, as Chinese authorities insisted that the Huiyuan brand name be relinquished after the acquisition. On 18 March, the [Chinese] Ministry of Commerce disallowed the bid, citing market competition concerns.[Wikipedia]
The one discrepancy between the Bloomberg accounts and a report by the Mandiant Corporation, a cybersecurity firm, was why the acquisition ultimately fell apart. According to Bloomberg, Coca-Cola’s takeover attempt of China Huiyuan Juice Group was thwarted because China’s Ministry of Commerce rejected it for antitrust reasons. Mandiant’s report offered a different take:
The 2010 case study published by Mandiant may offer further details. The study, which does not mention Coca-Cola specifically, details a 2009 breach of a “Fortune 500 Manufacturer” that aligns almost perfectly with Bloomberg’s account of Coca-Cola’s breach.[ibid.]
If Mandiant’s study is, in fact, based on Coca-Cola, then it offers new insights into the breach. According to the study, once in, hackers used password-stealing software to gain access to other systems on the company’s network. They also used the compromised executive’s account to launch what is known as an SQL server attack, in which hackers exploit a software vulnerability and enter commands that cause databases to produce their contents.[ibid.]
The infiltration was, according to internal documents seen by Bloomberg, blamed on state-backed Chinese attackers.[GuruFocus]
According to Bloomberg, an e-mail with the subject line “Save power is save money! (from CEO)” was sent to the e-mail account of Bernhard Goepelt, Coca-Cola’s current general counsel. The e-mail contained a malicious link that, once clicked, downloaded malware that gave the attackers full access to Coca-Cola’s network. Because the e-mail appeared authentic, the link was clicked, allowing the installation of keyloggers and other malware that let the hackers steal e-mails and passwords. With the passwords, the hackers were able to move freely around the company's network, stealing documents and sensitive information.[NY Times]
According to Bloomberg, the email was "spoofed," meaning it was forged to look like a legitimate email from a Coca-Cola email account. When ordinary email servers receive a message, they have no reliable way to verify that it actually came from the individual listed as the sender. As long as the email passes spam filters, it is delivered to the recipient's inbox. The recipient, believing the email is legitimate, clicks on the attachment, and the malware is installed, often stealthily, so that the recipient is unaware that his computer has been compromised.
Czar Mail members have to present ID before they can get a mailbox, and criminals won't do that because their identity would be known. When spammers send spoofed emails to Czar Mail's open port, they are immediately rejected: they're never delivered to the recipient's inbox. Legitimate Czar Mail members log onto Czar Mail's secure port with a password (which is done automatically by their email client software), so their identity is verified. Spammers can't spoof Czar Mail members because they don't know the forged sender's password.
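The two points above, that a receiving server cannot trust the From: address on its own, and that mail from a genuine member arrives over an authenticated session while a forgery arrives unauthenticated on the open port, can be turned into a simple inbound check: if the From: domain is our own, look at the Received: hop where our own server accepted the message and require that it was an authenticated submission or came from an internal relay. This is an added example, not code from the article or from Czar Mail; example.com, mx1.example.com, the internal host list and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"     # assumption: the organisation's own mail domain
EDGE_MX = "mx1.example.com"    # assumption: server members submit to and outside mail reaches
INTERNAL_HOSTS = {"smtp-int.example.com"}  # assumption: relays allowed to send for us unauthenticated

# A Received: header reads "from <host> ... by <host> with <protocol>; <date>".
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.S)

def entry_hop(msg):
    """Return (sending_host, protocol) for the hop at which EDGE_MX accepted the
    message. Received: headers are prepended at each hop, so the hop where the
    message entered our infrastructure is the last matching header."""
    for rec in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(rec))
        if m and m.group(2).rstrip(";").lower() == EDGE_MX:
            return m.group(1).lower(), (m.group(3) or "").rstrip(";").upper()
    return "", ""

def is_spoofed_internal(raw):
    """True when From: claims OUR_DOMAIN but the message reached EDGE_MX neither
    over an authenticated submission (ESMTPSA) nor from an internal relay."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
        return False                     # not claiming to be one of ours
    host, proto = entry_hop(msg)
    return not (proto == "ESMTPSA" or host in INTERNAL_HOSTS)

# Constructed sample: forged "from the CEO" mail handed to the edge server by an
# unknown outside host over plain SMTP, i.e. no member password was presented.
SPOOFED = """\
Received: from mx1.example.com ([192.0.2.10]) by mail.example.com; Mon, 16 Feb 2009 08:00:00 +0000
Received: from unknown (HELO ceo-mail) (203.0.113.77) by mx1.example.com with SMTP; Mon, 16 Feb 2009 07:59:58 +0000
From: "CEO" <ceo@example.com>
Subject: Save power is save money! (from CEO)

Please review the plan.
"""

# Constructed sample: same From: address, but submitted by a logged-in member's
# client over an authenticated TLS session (ESMTPSA).
LEGITIMATE = """\
Received: from laptop.example.com (198.51.100.5) by mx1.example.com with ESMTPSA; Mon, 16 Feb 2009 09:00:00 +0000
From: "CEO" <ceo@example.com>
Subject: Q1 budget

Draft attached for review.
"""
```

Running `is_spoofed_internal` on the two samples flags the first and accepts the second; mail whose From: is not our domain is left to other checks.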