DataBreaches.Net


Chinese Hackers Breached LoopPay

Posted on October 7, 2015 by Dissent

Nicole Perlroth and Mike Isaac report:

Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.

As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.

Read more on New York Times.

Samsung responded to the NY Times’ article with a statement:

Today, the New York Times reported on an incident that targeted LoopPay’s office network.

The article raised questions as to the effect of this on the recently launched Samsung Pay service. The first thing to know is that Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay office network, which is a physically separate network from Samsung Pay. The LoopPay incident was resolved and had nothing to do with Samsung Pay.

It’s worth reiterating that the reported incident was related to LoopPay’s office network which handles email, file servers and printing within the company. This network is physically separate from the production network that handles payment transactions and run by Samsung.

The incident involved three servers on LoopPay’s internal office network.

As soon as the incident was discovered, LoopPay followed their standard incident response procedures and acted immediately and comprehensively. LoopPay brought in two independent professional security teams. LoopPay immediately identified and quarantined the targeted devices, conducted a thorough and extensive sweep of LoopPay’s entire system, and put additional safeguards in place.

Again, Samsung, Samsung Pay, and Samsung users were not affected.

We’re confident that Samsung Pay is safe and secure. Each transaction uses a digital token to replace a card number. The encrypted token combined with certificate information can only be used once to make a payment. Merchants and retailers can’t see or store the actual card data.

[…]

But what were the hackers’ intentions? Stephen Lawson of IDG suggests that it might not be identity theft:

However, if the breach was carried out by the notorious Codoso Group in China, as The New York Times reported, it probably wasn’t intended to steal consumer data for sale, said Ken Westin, a senior security analyst at threat-detection software company TripWire.

The Codoso Group has been linked to large-scale attacks on major defense, finance and other organizations, including websites related to the Uyghur minority in China. It allegedly is affiliated with the government of China.

The hackers probably wanted access to LoopPay’s code, possibly to develop the capability to collect information on individuals, Westin said.

Alex Holden, CEO of the consultancy Hold Security, agreed. Codoso may have ultimately wanted to know “who bought what, when,” he said. For example, if an important individual made a purchase at a coffee shop in Los Angeles, an infiltrator could learn something about that person’s travels.

And while LoopPay may have worked out the details of this particular breach, it’s probably facing what security researchers call an advanced persistent threat, he said. That kind of attacker keeps coming back and probing different parts of a company’s infrastructure looking for weaknesses and laying the groundwork for future infiltrations. Samsung should be worried, Westin said.

Read more on Computerworld.


Category: Business Sector, Hack

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.