A wide range of small businesses and institutions -- from pizza restaurants and medical clinics to synagogues and universities -- have been both victims and unwitting accomplices in sophisticated cyber espionage campaigns being carried out by hackers in China, security researchers told The Huffington Post.
For years, Chinese cyberspies have been quietly hacking computers at such places, but not to steal their data, researchers say. Rather, they have taken over their PCs and used them to disguise attacks against other companies.
By camouflaging their activity, the hackers are able to bypass security software that blocks suspicious Internet addresses in China from connecting to a company's network. It also confuses investigators who trace the source of cyber attacks to seemingly benign locations, including a church computer in Florida, according to Kevin Albano, a researcher at the computer security firm Mandiant.
“Think of it like someone hiding behind a parked car in a gunfight,” Albano said. “You know they’re shooting at you, but you don’t know where they’re coming from.”
Since 2006, cyberspies have used PCs at dozens of apparently innocent places -- including a college in Missouri and a small Internet provider in California -- to cloak attacks that steal intellectual property from American companies, Albano said.
But their technique was not widely understood until earlier this year when Mandiant issued a detailed report about a hacking group based in Shanghai with ties to the Chinese military.
The group frequently routed their hacking through third-party computers so “they almost never connect to a victim network directly from their systems in Shanghai,” the report found.
“These systems belong to third-party victims who are compromised for access to infrastructure, as opposed to direct victims who are compromised for their data and intellectual property," the study said.
One such third-party victim was a community mental health clinic in California. In an interview, the clinic's owner said he was unaware his computers were being used by hackers to carry out attacks until two FBI agents arrived at his doorstep in 2010.
“It freaked my wife out. She was like ‘What the [hell] is going on?’” said the clinic owner, who asked that he and his clinic not be named to protect his reputation.
He said the FBI agents told him they were investigating a cyber attack against another company that appeared to originate from an IP address registered to the clinic. But they quickly realized the clinic's owner was not responsible.
“I’m a doctor, not an IT person,” the clinic owner told HuffPost. “If anyone investigated me, they’d realize 'This guy doesn’t know what the hell he is doing.'”
Instead, hackers based in China had compromised the clinic's computers and used them to steal files from the network of a major U.S. defense contractor, according to Albano, the Mandiant researcher. Mandiant helped investigate the case.
The hackers find computer systems to take over by using tools that scan the web for Internet-connected PCs with software vulnerabilities they can exploit. Small businesses are popular targets because they often have lax security.
The hackers then use those computers to carry out attacks against their real targets: U.S. companies with intellectual property that could give Chinese businesses a market advantage, according to Adam Meyers, vice president of intelligence at CrowdStrike, an American computer security firm.
“Anybody who has a merger and acquisition deal or a clean energy company with new technology” is in the crosshairs of Chinese hackers, he said.
Cyberspies might, for example, control malware that steals files by hiding commands inside the code of a pizza restaurant website, Meyers said.
“It becomes a 'dead drop,'” Meyers said, referring to the espionage strategy of using a location to exchange information so two people never have to meet. “The malware talks to the pizza place and the Chinese talk to the pizza place, but the Chinese don’t talk directly to the malware.”
The hackers' method of disguise has often thwarted investigators because they trace the theft to a small business that does not keep records of its Internet traffic, so investigators can't determine where the attack originated.
“It leaves investigators at a dead end,” Albano said.
For their part, most small businesses and institutions are unaware their computers have been used in this way because cyberspies in China typically operate while victims are asleep, he said.
But the mental health clinic in California knew something was wrong. For several months in 2010, the clinic’s website crashed almost daily, preventing patients from ordering their prescriptions online, according to the clinic's owner.
“We had no idea what was going on,” he said. “It was a huge problem that was very time-consuming in terms of patient care.”
Investigators later determined the hackers' activity on the clinic's server was the reason the website crashed, Albano said. No patient data was stolen, the clinic's owner said.
Albano said it can be difficult to explain to a small business owner that, through his own computers, he is unknowingly assisting hackers.
"It takes a bit for them to understand what transpired," he said. "They don't want their computers to hurt or harm other systems. They just want to make it go away."