Real deal: Hackers steal steelmaker trade secrets

German steel maker ThyssenKrupp AG on Thursday said trade secrets were stolen in a cyber-attack earlier this year. The company characterized the incursion in a statement as "a professional attack, apparently from the Southeast Asian region." The attackers sought to steal technological and research data related to ThyssenKrupp …

  1. BillG

    Trade Secret Wars

    In 2011 Chinese government hackers got into U.S. Steel's computer systems and stole trade secrets related to a new, lightweight, high strength steel process for automobiles, military vehicles, and ships. Chinese steel makers copied these techniques and started producing identical lightweight steel products. U.S. Steel lost contracts, market share, and jobs.

    The U.S. government did nothing. Let's hope the German government takes stronger action.

    1. Mark 85

      Re: Trade Secret Wars

      Follow the money... probably the buyers of the steel shook their heads "no" at the possibility of an investigation.

      I'm still surprised that there's any steel-making industry here in the States at all. The Japanese certainly killed off lots of US Steel making starting back in the '70's.

      1. Destroy All Monsters Silver badge

        Re: Trade Secret Wars

        > The Japanese certainly killed off lots of US Steel making starting back in the '70's.

        I need an explanation of that.

        There is scant iron ore, coal, place or energy in Japan. How is that supposed to work, then?

        1. a_yank_lurker

          Re: Trade Secret Wars

          The US steel industry from about the mid-60s refused to modernize their facilities. When Japan rebuilt they had newer foundries and mills that were more efficient and produced at a lower cost. At one point, the US steel industry was so badly managed that British Steel (pre-Thatcher) built a plant that could sell higher quality steel at a nice profit significantly cheaper than most US mills could.

          1. Destroy All Monsters Silver badge

            Re: Trade Secret Wars

            Thanks yank.

            But the US steel industry then only has itself to blame.

            Japan loses the war, the mills, the personnel, the skills, the investment money and a good chunk of the support infrastructure and still comes out ahead?

            That's damning for US entrepreneurship.

            Also, "mythical katana" fags around here? In El Reg? FAIL.

            1. Charles 9

              Re: Trade Secret Wars

              The Japanese never lost the knowledge. They just had to teach new people; nothing fancy. And it helps to have to start from scratch. No aging infrastructure to deal with. The same thing happened in much of Europe after the war: a lot of opportunities to start fresh meant it was easier to modernize.

              As for why their katanas have such praise, they've been carefully analyzed. A combination of factors helps it. One is the taper on the edge, which is wider than is the norm in the west. Since katanas are primarily meant for swinging, this helps spread the material as you cut, while a curved blade allows you to better pull it as you swing, creating a sawing action. Both make it easier to cut through. The forging techniques used also carefully balance the use of flexible and inflexible metals, optimizing both aspects.

              1. Destroy All Monsters Silver badge

                Re: Trade Secret Wars

                > And it helps to have to start from scratch. No aging infrastructure to deal with. The same thing happened in much of Europe after the war: a lot of opportunities to start fresh meant it was easier to modernize.

                Isn't that the broken window fallacy right there?

                One would think the only way blocking rebuilding would be unions, property lawyers, NIMBYs and crazy legislation. Bombing the factory and killing the employees to break the logjam? Well, why the hell not!!

    2. a_yank_lurker

      Re: Trade Secret Wars

      Other than some specific alloys and their characteristics there are no real trade secrets in steel making. It is made essentially the same way it was done 50 or even 100 years ago, with some improved controls and automation. (Trained metallurgist.) The key to making good steel is understanding the effects of alloying elements and composition on the mechanical properties and corrosion resistance. The basic techniques have not changed much because chemistry has not changed.

      So my question is what were the Chinese trying to steal?

      1. Paul Crawford Silver badge

        Re: Trade Secret Wars

        Probably pricing information and profit margins, that is the sort of thing that wins business deals.

      2. Aodhhan

        Re: Trade Secret Wars

        I love it when some idiot can't take 5 minutes to do research... and instead spouts off like they're an expert in metallurgy. There is a huge difference in the way steel is processed, and there are many different types of steel and alloys for the different types of steel. The technology has changed a lot in just the past 10 years. So NO; steel manufacturing hasn't been done the same way for the past 100 years... or past 5 years.

        Some of the most sought-after alloys are difficult and expensive to process. Methods have come a long way to make it easier and less expensive. Just get 1.5% carbon wrong in steel while adding [choose your metal] into the mix, and it's been a waste of money, as the alloy will not pass strength, flexibility or weight requirements.

        It's not just about chemistry, there are methods of aligning molecules in certain patterns as well. Something not done 100 years ago. So... next time, just keep your mouth shut... you may just learn something.

        1. Destroy All Monsters Silver badge

          Re: Trade Secret Wars

          And this is why a katana made from Chinese steel is better than one hand-forged by a skilled smith in the Japanese mountains ...

  2. swschrad

    does EVERYTHING need to be on The Connected Internet? Really?

    common problem, easy fix. sales engineer gets a question, say, and delves deep into the inner workings to look for an answer. same computer, often out in the field. why? save half an hour? is it going to crash a corporation client if the answer comes in an email from the home office half an hour later? nobody's government is going to fix that, and asking them to is going to cramp your gizzards ten ways from Sunday if they try.

    1. Anonymous Coward

      Re: does EVERYTHING need to be on The Connected Internet? Really?

      "sales engineer gets a question, say, and delves deep into the inner workings to look for an answer. same computer, often out in the field. why? save half an hour? is it going to crash a corporation client if the answer comes in an email from the home office half an hour later?"

      Time could be critical. It could mean the difference between a lucrative contract and going home empty-handed. Things can be THAT DAMN sensitive, especially with competition.

      As for the "nothing they could do," that's probably business-speak for an insider. And there really is nothing you can do versus a well-heeled insider.

      1. Halfmad

        Re: does EVERYTHING need to be on The Connected Internet? Really?

        Time is never that critical and it's easy to have a workstation on a segregated network that has no external egress/ingress nearby.

        I was an engineer during the 90s and early 2000s before moving into IT. We had such a setup for our clients with high security buildings: draughtsmen were not permitted to transfer files onto any PC on our (then coaxial cable based) network which had a PC connected to the internet. My boss and founder of the company was a little paranoid; think he'd seen "Sneakers".

        This was prior to e-mail etc really kicking off and any transfer would have required someone to install a floppy disk drive on their desktop PC anyway, so it was physically impossible for them to do it covertly.

        We had 5 CAD workstations on a little LAN connected to an NT server which stored the files for hospitals, airports etc. Everything else was plotted onto vellum and stored in cabinets.

        If anyone needed an answer our guys would pull the vellum first and give an answer within seconds as the latest version was always there. These days this would be just as quick by accessing a workstation; it's possible, just not as convenient for staff - and that's a decision which requires backing from the very top of the company.

        1. Anonymous Coward

          Re: does EVERYTHING need to be on The Connected Internet? Really?

          "Time is never that critical and it's easy to have a workstation on segregated network that has no external egress/ingress nearby."

          REALLY? Maybe back then, but in THIS day and age, seconds or less can AND WILL count.

    2. Kevin McMurtrie Silver badge

      Re: does EVERYTHING need to be on The Connected Internet? Really?

      Why do you think it was bad security? Big companies suffer from hacks that start from the inside.

  3. Anonymous Coward

    Say this 10x fast

    steal steel secrets slowly, serve stolen saves, send Southeast

    It's on my To-Do list already!

  4. Anonymous Coward

    Why exactly is a blast furnace online?

    Hey, here's an idea, how about not hooking up your blast furnace to the internet? :P

    1. Ole Juul

      Re: Why exactly is a blast furnace online?

      To save money on proprietary updates from the software vendor. It's how the world works. Companies buy services from other companies, and when it comes to software that needs to be updated daily to take market conditions into account, it's not in-house resources. So, the bottom line is that a blast furnace needs to be directly responsive to sales and market conditions. A blast furnace has a huge lag time in response so it's not like operating many other machines. I hope that answers your question.

      1. frank ly

        Re: Why exactly is a blast furnace online?

        "... a blast furnace needs to be directly responsive to sales and market conditions."

        " A blast furnace has a huge lag time in response ..."

        Those two are mutually exclusive and neither of them will be solved/met by allowing your control system supplier to update the controller software over the internet.

        The only time you need any of your installed software to be updated in a hurry is for functional shortfalls or for security holes. Everything else can wait.

        1. Anonymous Coward

          Re: Why exactly is a blast furnace online?

          They're not. Markets move at breakneck speed in this day and age, and things can change on a moment's notice. So the furnace's conditions are constantly changing, too, in response to market conditions (which can at least be plotted out in reaction to those conditions—short-term changes can effect longer-term changes).

  5. Anonymous Coward

    "Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks," the company said.

    You can drop professional. As with many others, not just the professionals, I watch the march of security vulnerabilities day by day. There's no way you can patch systems in a responsible fashion immediately so you will have holes in your systems. Time it right and you can waltz right on through. Minimization is the only practical defense.

    1. Anonymous Coward

      Which then becomes IMpractical because of necessary complexities. So what do you do if you CAN'T minimize?

      1. Destroy All Monsters Silver badge

        Move to the Moon!

  6. Anonymous Coward

    ThyssenKrupp said the attack was not attributable to security failings

    Yes, it was.

    1. Charles 9

      Re: ThyssenKrupp said the attack was not attributable to security failings

      But some security failings can never be effectively policed, like moles. Is it really a security failing if it's one beyond anyone's ability to secure? Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?

      1. Anonymous Coward

        Re: ThyssenKrupp said the attack was not attributable to security failings

        @Charles9

        I agree that someone will always be able to get through your defenses at some point.

        I think this scenario fits your "bolt out of the blue description": Bad actors find a new exploit and breach your network before the fault is publicly identified and a fix available. Probably neither of us would describe that as a security failing on the victim's part.

        Purely subjective, but for me the company's statement just seemed to document a total lack of accountability. I wonder if anyone else read it the same way?

      2. Christian Berger

        Re: ThyssenKrupp said the attack was not attributable to security failings

        "But some security failings can never be effectively policed, like moles."

        No, but according to the accounts of people who worked there, they had extremely bad security.

        https://www.heise.de/forum/heise-online/News-Kommentare/Massiver-Hacker-Angriff-auf-Thyssenkrupp/ThyssenKrupp-und-das-Maerchen-aus-der-Pressemitteilung/posting-29614397/show/

        They didn't update their firewalls, they still used DES for their VPNs, they didn't separate their production LAN from their office LAN, etc...

        "Is it really a security failing if it's one beyond anyone's ability to secure?"

        You could as well ask if someone who hasn't learned to drive is responsible for the accidents they made. If you are unable to do something, maybe you should not do it... particularly not at such a company.

        "Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?"

        No, but this is more like having your car unlocked and parked at a busy parking lot... and then complaining about it being stolen.

  7. tiggity Silver badge

    Mismatch

    Surely a mismatch between:

    "ThyssenKrupp said the attack was not attributable to security failings or to human error. It went so far as to claim that it couldn't have mounted a successful defense against skilled attackers."

    and...

    "ThyssenKrupp said affected IT systems have been updated and are now subject to ongoing monitoring to detect subsequent attacks"

    As an example, surely introducing "ongoing monitoring to detect" attacks implies this was not previously done and so is an example of a security failing.

    Yes, I know total security is impossible, but a big wealthy company should already be following best practices including basics such as monitoring for suspect activity.

    1. Charles 9

      Re: Mismatch

      "Yes, I know total security is impossible, but a big wealthy company should already be following best practices including basics such as monitoring for suspect activity."

      But as you shut doors, edge cases stop being edge cases. And one of the biggest problems is also probably the toughest to stop: moles.

      1. Destroy All Monsters Silver badge

        Re: Mismatch

        Especially nowadays as employees' faces change on a day-to-day basis.

        Really, who is that guy in the next cubicle? Never seen him before.

        Maybe we have to go back to slower processes.

  8. Anonymous Coward

    So...

    Almost certainly US state sponsored then.

  9. Palpy

    It seems to me that metallurgical formulae and --

    -- research into cutting-edge (pun intended) metallurgy surely must involve many scientists and technicians in various labs, universities, and R&D departments. If a company were to isolate its metallurgists and technicians behind a no-access firewall, it would tend to slow and even cripple the communication necessary to the enterprise. They need to exchange detailed information about formulations and techniques, outside and inside research, and experimentation, and do it quickly and efficiently.

    Yes, you can isolate an industrial automation system, if you take a reasonable penalty in accessibility (your managers will not be monitoring from their internet-connected networks). The blast-furnace hack could have been mitigated, at a cost.

    But I don't think you can isolate an R&D department in the same way. Let alone the engineers and salesmen who will need to understand the product they're specifying.

    Just my opinion, though. I'm not inside any such operation. Tell me if I'm wrong.

  10. Destroy All Monsters Silver badge

    Kinda tangential, but lulzy

    Haaretz writes:

    In response to a question from Haaretz, ThyssenKrupp said that the cyberattack did not affect any of its naval projects, including those linked to Israel.

    The company, which owns the shipyards now building new warships for Israel, has been in the center of a scandal in recent weeks involving Netanyahu's personal lawyer and the role he might have played in Israel's deal to buy the submarines.

  11. torchy663

    ThyssenKrupp said affected IT systems have been updated and are now subject to ongoing monitoring to detect subsequent attacks. It also stressed that IT systems for its submarine business and for its blast furnaces and power plants in Duisburg were not affected.

    so not impossible to defend against then........

    1. Destroy All Monsters Silver badge

      Hindsight is cool.

      But there sure still are open avenues.

      (Next: someone drives drone into your office to nick stuff from your desk...)

      1. Anonymous Coward

        someone drives drone into your office to nick stuff from your desk

        HR says we are not allowed to refer to the cleaning staff as drones.

  12. Hargrove

    An old man's perspective

    "Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks,"

    For transparency: I'm old; I'm slow; and the last time I programmed anything that mattered I did it by punching indicator/switches on the front panel of something the size of a refrigerator. (It did use transistors.) I have to keep things simple.

    As systems exist today, they are impossible to secure. Everything connected, including the human user interfaces and the users, are part of the system. In the case of US government IT systems, users are required to accept and install downloads to maintain certification. Ordinary consumers are forced to do the same to maintain functionality. (What the updates do to functionality is another can of worms entirely.)

    The configuration and state of the system are unknown and unknowable.

    The bits of operating system and application codes are all metaphorically moving parts of an integrated system, being constantly dicked with, in splendid ignorance of their unintended consequences. The details and functionality of the different pieces are unknown and unknowable to anyone.

    An analogy is trying to secure a castle with literally thousands of doors to the outside, where we've distributed keys to an unknown number of workers and service people. We give them permission to come in and change things without our knowledge. In the process we also open the castle to cutpurses, thieves, mountebanks, traveling salesmen and other sociopaths.

    Governments (predominantly the US/UK) have bought hook, line, and sinker into "cloud computing"--a term so nebulous as to be meaningless. In the meantime, vendors are pushing the "internet of things", in splendid denial of the fact that each new device adds another potential vulnerability to the "system". The system, which again includes every functional element connected, including owners of internetworked "things", was never designed to deal with the threat environment.

    The reality is that the internetworked system we are all now dependent on was never actually designed at all. It just grew like Topsy to extract the maximum profit from the latest hot market item.

    ThyssenKrupp has it almost right. It is impossible to secure; there is no "virtually" about it.

    For what it's worth.

    Hargrove

    P.S. Late-breaking news. President-elect Trump has announced that he is going to build a wall around the global IT infrastructure, and make the hackers pay for it.
