Chinese Spies Reportedly Behind Massive Marriott Hack

An anonymous reader quotes a report from CNET: A Chinese intelligence-gathering effort was behind the massive Marriott hotels data breach that exposed the personal information for up to 500 million people, the New York Times reported Tuesday. The hackers are believed to have been working for China's Ministry of State Security, the Times reported citing sources who had been briefed on the investigation's preliminary results. The revelation emerges as the U.S. Justice Department is preparing to announce new indictments against Chinese hackers working for the intelligence and military services, the Times reported.

The hotel chain revealed last month that it had discovered that hackers had compromised the guest reservation database of its Starwood division, whose brands include Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis. Marriott said some of the stolen information also included payment card numbers and expiration dates. Private investigators involved in a probe into the breach had previously discovered hacking tools, techniques and procedures that were used in earlier cyberattacks that have been linked to Chinese hackers.

They must not be very competent...

[gweihir]

I expect professional spies to _not_ get caught or detected when doing such things. Breaking in is something amateurs can do today, but doing it without leaving evidence is something else.

Re:They must not be very competent...

[sd4f]

It would matter if they were to get some sort of punishment for it, but fact of the matter is nothing happens to them. If anything, that might be why they're so sloppy; because there are no detrimental consequences to them for doing it.

Re:

[gweihir]

I fear you are right, because nobody will improve their security as a result of this.

Re:

[Anonymous Coward]

It would matter if they were to get some sort of punishment for it, but fact of the matter is nothing happens to them. If anything, that might be why they're so sloppy; because there are no detrimental consequences to them for doing it.

Leaving evidence of a state-sponsored intelligence operation can also be used to send a message.

Ask Putin about that, with his nerve agent poisonings...

Re:

[gtall]

Putin might have let the toothpaste out of the tube with the nerve agent poisonings. It wouldn't take much for some disgruntled Russians to make him go bye-bye using the same stuff. He's got to be a bit nervous about that, tyrants are always fearful of the ruled, and now the ruled know a very potent weapon exists.

Re:

[DarkOx]

but doing it without leaving evidence is something else

Umm you know they had presence on the network for YEARS right?

That is literally years on a network run by large organization which should have a formal security practice with in it. Conclusion either these guys are pretty good, the IT group within Marriott is deeply incompetent, or some combination thereof.

There is more to espionage than just data gathering. There are psychological and diplomatic aspects too.

Looking at this:
1) No Chinese nationals or Chinese intel assets (known to us anyway) have been grabbed so either they did all this entirely by remote or the people onsite were long gone before this was discovered (presumably as planned)

2) They were in the system long enough to exfil just about all possible information assets, detect trends in behavior by VIP guests etc. They got what they wanted on that score.

3) Letting it eventually be discovered sends a pretty scary message - we can do this do you! - we can get away with it for years. Consider how crippling it might actually be for the CIA to realize that literally every hotel everywhere might have Chinese eyes on it. Obviously covert agents don't exactly check in under their own names but they could still track an identity from place to place; they might using big data be able to pickup on habits, combine with other intel and spot the spy. This creates a whole new worry for that group.

4) This is yet another opportunity to test the readiness and resolve of western governments to react to this type of threat. Its unlikely anyone is going to go nuclear (figuratively speaking) and knee-jerk axe trade deals, close boarders, or seize assets over a hotel chain hack. At the same time the nature response or lack of response will provide Chinese strategists with insight into what they can get away with and what the risks are in going after higher profile/value targets.

Re:

[Errol backfiring]

Breaking in is something amateurs can do today, but doing it without leaving evidence is something else.

On the other hand, building a crappy site is something everyone can do, but only professionals are forced to build crappy sites because of costs and impossible deadlines.

It could just be that the hackers choose quantity over quality. Don't explain capitalism to Chinese. They understand it perfectly. And how to exploit it.

Re:

[Anonymous Coward]

I expect professional spies to _not_ get caught or detected when doing such things.

I'm not sure 'caught' is what I'd say here. At best, 'implicated'.

See, in a world where POTUS deems any facts he doesn't like as 'fake news', and where he seems willing to call neo-Nazi's "good people", and where he will ignore a murdered journalist because that isn't important enough to derail billion dollar arms sales ... everyone just now has free rein to say "who, us?" and act like nothing happened.

Russia and China don't

Re:

[Thelaststraw]

I too was surprised it wasn't mah Russians! For once.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AHuxley]

China has a CIA problem. The CIA was entering Macau to meet with top officials from China.
The CIA had leverage over the way top official from China where using gov/mil money from China to gamble.
The CIA made offers and thought it then had new gov/mil spies placed deep in China for decades.
Something MI6 and the CIA had failed to do for decades. It was like the results of the CIA Tibetan program https://en.wikipedia.org/wiki/... [wikipedia.org] again but with long holidays.

US spies in the past had unique spending patt

Both russian and china need a time out

[goombah99]

It is hard to sort out who in every case but in aggregate it's safe to say china, N. Korea, and Russia appear to abuse the internet. So affected countries should cut off all access from IPs in those countries on certain days of the week. Say Friday for Russia, thurdsay for china and wednesday for N. Korea. While some people in those countries will manage to use proxies to evade the block it's going to be a grand annoyance and reminder. It will tie bussiness productivity to state policies on both state s

Horrible idea

[bjdevil66]

If you want to make a powerful argument that the USA shouldn't be running the internet, then you do this kind of stunt.

Re:

[Virtucon]

What defines bad behavior? That's what Firewall vendors all make a living on.

Re:

[gweihir]

Naa, they ask some random orange used car salesmen personality who he wants to be blamed...

Re:

[AmiMoJo]

In the past it's been attributed to finding strings in the local language of the hackers. Strings in malware binaries, temporary files/directories used to exfiltrate data etc.

Hopefully it wasn't just an IP address.

Re:Funny how they can "determine" that

[Zocalo]

After all, why spy at governments, branches of military, banks, political organisations, when you can go right for the real stuff and collect two years of past booking information from some hotel?

Remember the OPM hack from a few years ago? All that data on the names of people working for the US Government in the wind? Now, imagine if you could somehow collate that database with another one that contains the travel records of around half a billion people. Unless working under cover they're going to have loyalty programs just like any other frequent traveller, and knowing even partial travel records of potential foreign agents could prove extremely useful if you were, say, trying to confirm which of all those people on OPM's books were just the routine military/contractor chaff vs. the wheat of the real operators and where they've been.

Words of persistent liar

[hackingbear]

Why would you believe a government that scammed you a trillion dollars by falsifying claims of Iraq WMDs [politico.com], that was shown to spying on China, [forbes.com] their own "friends" [theguardian.com], and you [wikipedia.org], and that hijacked a hostage for negotiation [politico.com] just last week?

Re:

[eth1]

Not to mention finding which ones might be engaging in hotel-based extramarital activities that make them ripe for blackmail.

Re:

[sgt_doom]

They can ALREADY CONFIRM it from those security clearance records they stole along with over 25 million personnel records (latest actual number as released from the gov't) and the fingerprint records: those having security clearances --- especially upper-level type clearances --- but no security clearance file at the OPM obviously received theirs with another agency (as in CIA, NSA, DIA, etc.).

Re:

[Errol backfiring]

No, they left a file with Winnie The Pooh jokes. Foreign servers are the only place they can do that without facing the consequences.

i call bullsh1t

[Anonymous Coward]

The CIA can fake the fingerprint origin of a hack to make it look like it came from a foreign agent hacker or country.

Re:

[gweihir]

Not that there is much "fingerprint" to begin with.

State Actor

[ERJ]

I feel like a state actor such as China would have the resources to simply get someone hired into a position at Marriott who could have access to the data.

Re:

[Nidi62]

I feel like a state actor such as China would have the resources to simply get someone hired into a position at Marriott who could have access to the data.

Waste of an agent for what is probably a one-time breach. Don't need an agent in place unless you want/expect long-term dividends. Plus it's just a waste of resources to train an agent only to set them up with a hotel chain. Developing an asset that already works at Marriott would be easier, but asset development is a long, drawn out process. You have to first identify a likely target, figure out their motivation, and then groom them over a decent period of time, all the while risking discovery by local

Pay

[fluffernutter]

This is what happens when you adequately reward your developers. America needs to start paying people just as adequately to fight this.

We need a law

[Anonymous Coward]

If you cannot safeguard customersâ(TM) data, it should be a jailable offense to take, gather, request, or accept, or store customersâ(TM)s data. Itâ(TM)s become abundantly clear that NO ONE can safeguard customer data, therefore it should be regarded as contraband for all businesses. Any business that wants, for example, to issue loyalty cards, should only be allowed to do so provided there is NO connection with the individual with the account. Account username policy would be âoeyour

USA spies already had that info.

[Moskit]

USA (and affiliate) spies must have already had the same information. In a way the Chinese (or whoever really was behind the hack) just equalized the situation.
Likely neither gathered it in a fully legal way (it's not exclusively USA laws that apply worldwide).

Re:

[Anonymous Coward]

Always with this crap.

Why am I saying "crap", and why am I upset?

Because that's like saying "Iran has nukes!", but it's OK because "The US has nukes!".

China is an oppressive, non-democratic, police state. No, the US is not this. No, China isn't just like this US.

There are MASSIVE differences between these two countries. The West and China cannot be compared, and yes -- it is imperative that we gain as much info on "the opponent", which is the Chinese oppressive and non-democratic government, as possible.

Cheap living

[AndyKron]

Camping under a bridge has its perks. Today is/was cleanup day in Everett WA! https://www.youtube.com/watch?... [youtube.com]

Why?

[sabbede]

What does Marriott have that a government would want to steal? They're a hotel chain, not a defence contractor or research company.