Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.
As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.
LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week.
Like similar mobile payment systems from Apple and Google, Samsung Pay allows consumers to pay for goods using their Samsung smartphones with so-called near-field communications technology, which uses a wireless signal to send payment information from a phone to newer cash registers. But LoopPay’s MST technology has an advantage: It also works with older payment systems by emulating a commonly used magnetic stripe card.
The attackers are believed to have broken into LoopPay’s corporate network, but not the production system that helps manage payments, said Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay. Mr. Graylin said that security experts were still looking through LoopPay’s systems, but that there had been no indication that the hackers infiltrated Samsung’s systems or that consumer data had been exposed.
LoopPay did not learn of the breach until late August, when an organization came across LoopPay’s data while tracking the Codoso Group in a separate investigation.
Both LoopPay and Samsung executives said they were confident that they had removed infected machines, and that customer payment information and personal devices were not affected. They added that there was no need to delay the introduction of Samsung Pay, which had its debut in the United States last week after executing more than $30 million worth of purchases in South Korea.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”
But two people briefed on the investigation, as well as security experts who have been tracking the Codoso hackers as they have targeted hundreds of victims around the world, said it would be premature to say what the hackers did and did not accomplish since they were discovered in August.
To start, the hackers were inside LoopPay’s network for five months before they were discovered. And the Codoso Group is known for maintaining a hidden foothold in its victims’ systems. Security experts say the group’s modus operandi is to plant hidden back doors across victims’ systems so that they continue to infiltrate their networks long after the initial breach.
In a multistage Codoso attack of Forbes in February, for example, the group infected the website of Forbes.com with malicious code that infected the site’s visitors. But that was just the start. From there, other members of the group used that foothold in visitors’ machines to search for valuable targets in the defense sector.
After a similar attack by another Chinese state-affiliated hacking group on the U.S. Chamber of Commerce in 2011, the chamber believed it had rid hackers from its network only to discover months later that an office printer and even a thermometer in one of its corporate apartments were still sending information back to computers in China.
Samsung introduced Samsung Pay in the United States just 38 days after LoopPay learned it had been breached. On average, it takes 46 days before an attack by hackers can be fully resolved, according to the Ponemon Institute, a nonprofit that tracks breaches. But the time to fix the damage is typically much longer in cases of sophisticated Chinese hackings like the one at LoopPay.
“Once Codoso compromises their targets — which range from dissidents to C-level executives in the U.S. — they tend to stay there for quite a long time, building out their access points so they can easily get back in,” said John Hultquist, the head of intelligence on cyberespionage at iSight Partners, a security firm. “They’ll come back to a previous organization of interest again and again.”
LoopPay hired two private forensics teams to investigate the breach on Aug. 21, just a month before it was set to bring Samsung Pay to the United States, according to Mr. Graylin. Both are still working the case.
But the investigation has been unusual from the start. LoopPay told the teams to look at different portions of its network. One of the firms, Sotoria, which is based in Charleston, S.C., was given a backup of LoopPay’s data and asked to leave the company’s headquarters after just three days.
Mr. Graylin said that was because the team was looking at LoopPay systems that he said fell outside the scope of the initial contract, in what Mr. Graylin described as an attempt to extract more fees. Even so, he said, LoopPay was still working with the company to resolve the breach.
Sotoria executives said they could not comment on the investigation. Mr. Graylin would not name the second computer forensics firm looking into the attack.
LoopPay has not notified law enforcement about the breach, Mr. Graylin said, because his firm believed no customer data or financial information had been stolen.
He also played down concerns that hackers might try to use the information they stole about his company’s technology in order to infiltrate Samsung Pay or create a copycat product. He said if such a thing emerged, LoopPay could file a patent lawsuit. What’s more, he said, it would be viable only if major banks, credit card companies and carriers were willing to team up with the copycat.
News of the breach at LoopPay comes at a particularly inopportune time for Samsung, which is locked in a bitter war for smartphone supremacy against Apple and its immensely popular iPhone, as well as a newer crop of less expensive devices from manufacturers like China’s Xiaomi.