* National Foreign Trade Council may have been main target
* U.S. officials see alleged Indian role less likely
* Pinpointing source of cyber-attacks can be difficult
(Adds comment from security expert)
By Mark Hosenball
WASHINGTON, Jan 18 Suspicion is growing
that operatives in China, rather than India, were behind the
hacking of emails of an official U.S. commission that monitors
relations between the United States and China, U.S. officials
News of the hacking of the U.S.-China Economic and Security
Review Commission surfaced earlier this month when an amateur
"hacktivist" group purporting to operate in India published what
it said was a memo from an Indian Military Intelligence unit to
which extracts from commission emails were attached.
But U.S. officials who spoke to Reuters on condition of
anonymity said the roundabout way the commission's emails were
obtained strongly suggests the intrusion originated in China,
possibly by amateurs, and not from India's spy service.
A large cache of raw email data from the security breach,
reviewed by Reuters, indicates that the principal target of the
intruders was not the commission, but instead a Washington-based
non-governmental pro-trade group called the National Foreign
Trade Council (NFTC).
The trade council is headed by William Reinsch, a former top
U.S. Commerce Department official who until recently served as
the U.S.-China Commission's chairman.
A large proportion of the raw email traffic downloaded by
the hackers consists of messages to and from Reinsch at his NFTC
email address. Many of the emails were spam, but some related to
the work of the commission, which was set up by Congress to take
a critical look at a wide range of U.S. dealings with China.
Reinsch told Reuters that the NFTC first became aware in
November that large quantities of its message traffic had been
hacked. He said that law enforcement authorities, including the
FBI, had been quickly notified. The FBI has declined comment.
Reinsch said he could think of "no particular reason" why
the Indian government or Indian hackers would be interested in
him. By contrast, he and several other U.S. officials said that
Chinese hackers, whether amateur or directly affiliated with
Chinese government, would have great interest in the U.S.-China
Commission's activities, both public and private.
Sources familiar with the hacking and the related
investigation said they draw two inferences from the fact that
the principal target of the hack appears to have been Reinsch's
email account at NFTC.
First, the sources said they found it difficult to believe
anyone connected with India would have taken the time or effort
to track down Reinsch or his NFTC account, whereas his
chairmanship of the U.S.-China Commission made him a potential
major target for Chinese hackers.
Secondly, said the sources, the fact that Reinsch's NFTC
emails were the principal target suggests that whoever hacked
them was hunting for a soft target with poor cyber-security.
That fits a pattern of what is known as a blended
attack: sophisticated hackers often plan attacks in multiple
stages, targetting the systems of government officials and
corporate executives by first breaching less-secure systems of
people with whom they regularly communicate.
"It's all about trust relationships and getting inside
the trust ecosystems -- whether they be digital ecosystems or
interpersonal relationships," said Tom Kellermann, a cyber
security expert who has served as a policy advisor to the Obama
"Individuals many times are targeted not just for the
network of computers to which they have access, but to the
network of individuals to which they have access," said
Kellermann, chief technology officer of a company known as
Pinning down the origin and perpetrator of a particular
cyber-intrusion can be very difficult, if not impossible, as
hackers frequently take steps to mask their identity or appear
that they are from a third country.
One official familiar with the matter said that it was
possible that all the hacked email traffic, including messages
related to the U.S.-China Commission, originated with the NFTC.
Under this scenario, the reason commission traffic was
included in the hacked material was that it consisted of copies
of commission messages which were sent to Reinsch at his NFTC
But other officials said it was also still possible some
emails were stolen directly from the commission or private email
accounts of other commissioners.
A person familiar with details of the incident and related
investigation said the hacked emails spanned a six-month period
from late March to late October last year. The source said that
about 85 percent of the traffic consisted of emails incoming at
the NFTC, with the other 15 percent being outgoing messages from
The source said that there were significant gaps in the
hacked traffic, covering both day-long and week-long periods,
bolstering the notion the hacking was done by amateurs.
Investigators are still trying to determine if the hacker
successfully targeted NFTC's local network or a network which
fed messages to a mobile device used by Reinsch.
The purported Indian intelligence memo implied that the
commission emails had somehow been hacked using know-how
supplied to the Indian government by mobile phone companies who,
as payback, were afforded greater access to the Indian market.
One of the mobile phone manufactures named in the purported
memo, Apple, denied giving the Indian government backdoor access
to its products. A second, Research in Motion, said the company
does not typically comment on rumor or speculation, and a third
manufacturer, Nokia, declined to comment.
Indian government officials and agencies declined repeated
requests for comment on the alleged government document,
although some former Indian officials labelled the memo a
Two U.S. officials familiar with the hacking incident said
they were puzzled why India would go to the trouble of hacking
emails related to the U.S.-China Commission, since its work had
little if anything to do with India, and Indian officials and
diplomats had never showed much interest in its activities.
By contrast, the commission has been a regular target for
what officials describe as persistent attempted hacking
intrusions, many through the technique of "phishing," which
involves sending bogus but convincing emails which purport to
come from insiders but contain malicious code. Investigators
strongly suspect these intrusions were launched by people from,
or operating on behalf of, China.
A large proportion of the hacked traffic examined by Reuters
appeared to be what could be categorized as spam, including
summaries of news articles and political fundraising pitches.
Some hacked traffic from the U.S.-China Commission had
potentially sensitive implications, however, including messages
in which commission personnel discuss matters under deliberation
by the organization. These issues included the commission's
attitude toward alleged Chinese theft of intellectual property
and congressional deliberations about alleged Chinese currency
U.S. officials said there was no indication hackers managed
to gain access to electronic files related to the commission's
most sensitive project - a classified version of its annual
public report. Electronic materials related to this project are
kept on classified servers, isolated from the Internet, which
are operated by agencies other than the commission itself, one
(Additional reporting by Jim Finkle; Editing by Eric Beech and