Hundreds of computers must be replaced to cleanse the agency of malicious code, including rootkits and spyware.
An attack against computers of the Bureau of Industry and Security (BIS) -- the branch of Commerce responsible for overseeing U.S. exports which have both commercial and military applications -- forced BIS to turn off Internet access in early September.
An August e-mail from acting Undersecretary of Commerce Mark Foulon quoted by the Washington Post said that BIS "had identified several successful attempts to attack unattended BIS workstations during the overnight hours." Last month, reported the Post, Foulon wrote: "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient."
"BIS discovered evidence of a targeted attack to access user accounts," confirmed Richard Mills, a Commerce Department spokesman. "But there is no evidence that any BIS data has been compromised."
This is the second major attack originating in China that's been acknowledged by the federal government since July. Then, the State Department said that Chinese attackers had broken into its systems overseas and in Washington. And last year, Britain's National Infrastructure Security Co-ordination Center (NISCC) claimed that Chinese hackers had attacked more than 300 government agencies and private companies in the U.K.
"This [Commerce attack] is the third or fourth battle that we've lost to China," said Richard Stiennon, principal analyst with security consultancy IT-Harvest. "It's not a digital Pearl Harbor, not yet, but it's getting closer."
Although Stiennon said he doesn't have any inside information on the most recent attack, the evidence points to state-sponsored hacking. "The continuous nature of these attacks means there is a link to a state source," Stiennon said. "The Chinese are waging very effectual intellectual warfare."
An unnamed senior Commerce official also said the department has decided it could not trust the computers -- which were infected with rootkits -- and will replace them rather than try to clean them. In the meantime, BIS workers have been hampered by the inability to easily communicate with other federal and state agencies, or with the companies applying for export licenses.
"They're obviously questioning what's where in those systems," said Stiennon, who added that in some cases, even reformatting the disk drive and reinstalling software can't guarantee that all malicious code has been removed. "We don't know if the attackers have greater technology than we do," he argued. "Replacing systems is pretty draconian, but it really indicates that Commerce is very concerned."
One possible infection technique that could survive a reformat would be to store malicious code in the PC's BIOS flash memory. In January, a security researcher at the Black Hat conference demonstrated how the BIOS could be used by attackers.
In May, Congress criticized State Department plans to use Chinese-made PCs in high-security settings because it feared the machines' BIOS could be pre-infected with spyware.
"These reports read like accounts from a battlefield," said Stiennon. And the Chinese, he argued, are winning. "They've made this department less efficient for at least a month."
The official also confirmed that BIS has limited Internet access to stand-alone workstations that are not connected to the bureau's internal network.