Microsoft Subnet An independent Microsoft community View more

Coca-Cola hacked by Chinese and kept it a secret

Chinese hackers were blamed for infiltrating Coca-Cola systems and rooting around for more than a month to steal sensitive files, but Coke kept the cyberattack a secret.

"I'd like to buy the world a Coke and keep it company"... it's the real thing, according to an old musical slogan, and it was the real thing when Coca-Cola was targeted by Chinese hackers in 2009. Once upon a time, Coca-Cola wanted "perfect harmony" and even cokes for everyone in the world, including polar bears and penguins, but that meant sharing soft drinks and not company secrets. After China infiltrated Coca-Cola systems, the company kept it a secret instead of singing about the breach to the world, according to a Bloomberg report.

Coca-Cola hacked by Chinese Comment hacking group
In 2009, the FBI told Coca-Cola executives that hackers had broken into their computer systems and spent a month "pilfering sensitive files" about Coke's "attempted $2.4 billion acquisition of China Huiyuan Juice Group," Bloomberg reported. The Chinese hackers penetrated the network when the deputy president of Coca-Cola's Pacific Group, Paul Etchells, clicked on a malicious link in a targeted email.

The subject line on the email was "Save power is save money! (from CEO)," but after Etchell clicked the link supposedly from the chief executive officer, "malware was surreptitiously loaded onto his machine." It gave "hackers full access to Etchells's computer via the Internet, according to the internal report. They installed a keystroke logger, which captured everything the executive typed. Once in control of the computer, the hackers installed various other programs, gaining access to the company's corporate network and using Etchells's machine as a staging point to store and download data taken from other computers."

The Coca-Cola report provides a rare and chilling account of the intricate and determined ways that hackers raided its files -- from pilfering internal e-mails to gaining the ability to access almost any Microsoft (MSFT) Windows server, work station or laptop on the network with full remote control.

Other Coca-Cola executives were also targeted with malicious emails that exploited vulnerabilities, such as in Adobe Reader software. The hackers uploaded dozen of tools to help them move freely across the network and steal sensitive information. The Huiyuan Juice Group acquisition fell through.

According to AlienVault, a California-based security firm, an "internal Coke report" stated the "intruders were state-sponsored" and suggested the hackers were "part of a Comment group, one of the most prolific hacking groups based in China."  

Bloomberg also reported that the BG Group, a British energy company, Chesapeake Energy, and the Luxembourg-based steel maker ArcelorMittal suffered cyberattacks, but chose not to publicly disclose the breaches. James Lewis, a senior fellow who studies cybersecurity at the Center for Strategic and International Studies in Washington, told Bloomberg that if a company is "doing business in China or competing against Chinese rivals should expect hackers will go after their most confidential files." Lewis added, "This has been a part of their plan to catch up to the West. You steal their technology, you steal their business secrets."

Last year, the U.S. Securities and Exchange Commission announced that companies are required to report cyber intrusions, the losses from such attacks, and information that "a reasonable investor would consider important" when deciding whether or not to invest.

Coca-Cola in Great Britain was glad to announce a 'Work It Out Calculator' to find out how long it takes to burn off the calories from one Coke. The company also tried to play up the "sweet" side of surveillance as seen through its security cameras, but the world's largest soft-drink maker never uttered a word in public about the cyber intrusion and loss of the Huiyuan information.

Investors kept in the dark about companies being hacked because companies fear it will hurt their precious bottom line are probably no more amused than privacy advocates are by security camera footage being made into a 'Gee, ain't surveillance grand' video.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies