“I was out on the golf course on a Saturday in May 2013 when my CEO called. This was everyone’s worst nightmare. He told me he was having trouble with the company’s email system and asked me to check it out. I looked at email on my phone and sure enough, we had problems. It was the canary in the coal mine because our email server had its own private network to the Internet. That network was being saturated with data leaving the building.
“We didn’t know what was going on for a couple of days until we looked at where the traffic was going. All of it was going to one location in Shanghai and we didn’t have any customers or operations there. The information being targeted was export control documents we had filed with the U.S. government to export equipment to the UK, India and Spain. But it seemed like the real target was the U.S. Navy because what we were exporting was similar to what we make for the Navy. Whoever was doing this wanted to take an easy route to help their own Navy.
“With help from FireEye, we discovered they had been on our systems for two months before we found them. The forensics work showed that they did a lot of poking around and knew what they were looking for. They had set up a process for getting the data out by compressing the files so they could be exfiltrated. “We stopped them manually in mid-exfiltration and they couldn’t get back in. Which meant they did not have time to clean up and cover their tracks. We could see all the trails they had left. Our whole directory of emails and passwords had been compromised. They had taken a lot of documents and RFPs, but they had not yet taken our drawings, which are the secret sauce. If they had gone for the drawings first, it would have been better for them.
“The Mandiant people at FireEye told us that the attack was similar to other attacks by a unit of the People’s Liberation Army called simply Unit 61398. They had been tracking these guys and knew their patterns. This unit represented what they called an Advanced Persistent Threat (APT.)
“After we stopped them, we went into a remediation. We had to do things like check all the software on our servers to make sure we had current versions and therefore there no vulnerabilities. We had eight different locations in the world where we had a connection to the Internet. Think of that like having eight doors into your house that someone could get in through. I consolidated that to one door and put new technology into that one system. That was better than having cheaper equipment in eight locations.
“We also had to change everybody’s passwords. We figured out that the attack started out from a phishing email. They got somebody to click on something that created a beachhead into our network. “How did I keep my job? It wasn’t like we were completely unprepared.
We had a firewall and virus protection. But realistically, if someone is good and they want to target you, they are going to get in. There is no way to stop it. The key question is how fast can you limit it. Unfortunately, we didn’t have intrusion detection software.
“I was lucky that we had several people on our board who had gone through different kinds of attacks and they supported me as I put together a remediation program and made a presentation to the board. When I explained what I needed to prevent this from happening again, they supported me. I would not have gotten the money if I hadn’t been attacked.
“The Chinese tried three more times after that to get back in, but they couldn’t. After a while, this sort of thing starts to piss you off.”