But Mr. Ghosn’s name was slightly misspelled, and the attachment, billed as the agenda to a 2008 shareholders’ meeting, actually held a computer virus that allowed Chinese hackers to allegedly steal nearly 3,000 emails, according to a federal indictment unsealed Monday.
The indictment makes the case, with an unusual level of detail, that many foreign cyberattacks often don’t rely on sophisticated hacking technology. Rather, it says, the hackers primarily used an old trick, known as phishing—baiting a user to download malicious code allowing outsiders to spy on the machine. The charges illustrate an age-old security problem for U.S. companies: At least one employee will click on anything.
“It makes it unfair: It only takes one end-user to open the attachment and these guys are in your network,” said Kevin Mandia, head of the Mandiant unit of FireEye Inc., FEYE +3.73% a California cybersecurity company. “It’s really complicated to stay in front of that.”
The people charged Monday, from Unit 61398 of the Chinese army, in 2012 targeted Mr. Mandia’s co-workers by creating an email address in his name at rocketmail.com. “Shall we schedule a time to meet next week? We need to finalize the press release. Details click here,” it read.
In an interview Monday, Mr. Mandia graded the attempt on his company a “B.”
Mr. Mandia detailed the attempt in a 2013 report on the hacking unit mentioned in Monday’s indictment. At the time, China brushed off the report as “irresponsible and unprofessional.”
More sophisticated hackers sometimes have more advanced pieces of software, but the tactic to break in still largely relies on impersonation. In a case this winter, Chinese cyberforces took over the website for the Veterans of Foreign Wars so that when U.S. military personnel visited, their machines contracted a virus that allowed for later snooping, according to FireEye FEYE +3.73% researchers.
Government and corporate investigators say the Chinese army unit has targeted countless U.S. companies using similar tactics. In Monday’s indictment, federal officials detailed how hackers broke into U.S. Steel Corp. X -0.16% machines by posing as the company’s CEO in an email to 20 employees. That email contained a link to malicious software that let hackers break in over the Internet. The subject line: “Meeting Invitation.”
A spokesman for China’s Foreign Ministry said Monday the allegations were groundless and demanded they be withdrawn.
Other, more advanced, Chinese hacking units rely on similar methods but use more sophisticated forged emails, people familiar with their tactics said.
The email purportedly from Mr. Ghosn wasn’t a perfect forgery and was sent to approximately 19 Alcoa employees, according to court documents. It arrived as the U.S.’s largest aluminum company began a partnership with Aluminum Corp. of China to acquire a stake in Anglo-Australian miner Rio Tinto PLC. U.S. officials say this gave the Chinese an incentive to spy on their new U.S. partner.
According to the indictment, the email was crafted by Sun Kailiang, who went by the name “Jack Sun.” After an Alcoa worker opened the email, the attachment installed malicious software on the Alcoa machine. This allowed unnamed hackers to steal emails among Alcoa managers about Rio Tinto, which wasn’t identified in the indictment. Aluminum Corp. of China, which also wasn’t named, faces no accusations of wrongdoing.
The hackers also made off with 863 email attachments, according to the indictment.
The indictment didn’t mention Mr. Ghosn directly, but referred to a then-board member with the initials “C.G.” Mr. Ghosn was the only board member with those initials at that time, according to securities filings.
Representatives for Alcoa and Nissan declined to comment on the board member’s identity.
The Pittsburgh aluminum maker hardly is the only company to fall for such tricks. When CrowdStrike Inc. does cybersecurity consulting for organizations, it usually finds 5% to 10% of employees will click on almost any email, said Dmitri Alperovitch, the firm’s chief technology officer.
There is no sign that’s going to change soon.
After Mr. Mandia detailed Unit 61398’s tactics in a report last year, the hacking team quieted down for a bit, Mr. Mandia said. But months later, it resumed targeting U.S. companies, people familiar with its operations said.