Intelligence and cybersecurity sources say the data breach that exposed the records of up to 500 million customers at the Marriott-owned Starwood hotel chain shows signs of being the work of a hostile foreign intelligence service.
Much of the compromised data is typical of corporate breaches, such as names and email addresses. But other data unique to this hack, including where people traveled and when, can be mined to launch targeted email campaigns, to recruit sources in the cloak-and-dagger world of espionage, and to glean insights about a rival government's interests and operations.
One U.S. intelligence official, who asked not to be identified because the official was not authorized to speak publicly, told NBC News that the hack "fits the pattern" of China's state-sponsored cyberattacks.
"Personal data … they eat that stuff up," the official said.
No specific evidence has been made public that would indicate China was behind the attack. Reuters has reported that sources familiar with the investigation into the breach said the intruders used tools, techniques and procedures previously seen in attacks attributed to hackers working for China's government, but those sources cautioned that other groups had access to the same tools.
The investigation into the hotel’s data breach is continuing and no official attribution has been made. The FBI said it was tracking the situation as appropriate, and Marriott said it did not know who was behind the hack.
“We have no information about the cause of this incident, and we have not speculated about the identity of the attacker,” Marriott spokesman Jeff Flaherty told NBC News.
Flaherty said the hotel chain's internal and external teams had been working "nonstop" on the "painstaking" forensic investigation, in coordination with law enforcement.
“We hope to have more information in the coming weeks,” he said.
A key clue may be the type of data accessed, which aside from basic personal details and credit card numbers also included passport numbers and hotel arrivals and departures.
John Schindler, a former analyst for the National Security Agency, said that kind of information was uniquely valuable to state-based intelligence operations.
"Who other than a hostile intelligence service wants passport info?" Schindler said.
The State Department told NBC News passports have numerous counterfeit-defeating measures and only an original and physical version of a passport book or card can be used for international travel on a U.S. identity, not a passport number alone.
Nation-backed data breaches
The Starwood breach went on for four years before it was discovered. The interval between an intruder's entry and its detection is known in the cybersecurity realm as "dwell time," and the unusual length of this one could be another indication of a more sophisticated actor, said Jonathan Cran, head of research at cybersecurity firm Kenna Security.
The median dwell time in a cybersecurity incident is 101 days, according to a report by cybersecurity firm FireEye. The length of time also means the intrusion evaded detection during any auditing Marriott did prior to its acquisition of Starwood in 2016, as well as during subsequent mandatory compliance audits.
Also notable is how long it took from the breach’s detection in September to its announcement, Cran said.
"There's something going on with Marriott," he said. "It does take time to detect scope, but three months is a long time."
It may be too early to claim with certainty who authored the attack, but nation-states in the past have both breached systems to acquire data and purchased data that has been stolen.
"There's less than zero doubt that that's happening," said Mark Weatherford, former deputy under secretary for cybersecurity at the U.S. Department of Homeland Security. "We know that other nation-states are compromising wherever they can."
In 2015, a hack of the U.S. Office of Personnel Management, attributed to China, resulted in the theft of records on more than 21 million current and former government employees, including answers to a security clearance questionnaire detailing mental illnesses, drug and alcohol use, past arrests, bankruptcies and more. A 2017 Equifax breach of data on nearly 150 million Americans left clues possibly implicating a state actor, Bloomberg reported at the time.
In 2017, federal prosecutors charged four people, including two Russian intelligence officers, over the breach of 500 million Yahoo accounts, carried out in order to spy on the emails of targets including White House and government officials, bank and airline executives, and Russian government and business employees.
The value of customers' financial information to cyberthieves has a shelf life, since credit card numbers get changed or canceled. Information such as where people traveled and when, by contrast, can retain its intelligence value indefinitely.
“Simply identifying large influxes of visiting government employees based on their guest data could give an idea about the nature of government interests and operations, especially if the access was real time,” said Thomas Moore, security architect at Signal Hill Technologies, a cybersecurity contractor in Northern Virginia. “It could also be correlated with other data to unmask those operating with ‘cover.’”
From data landfill to intel goldmine
Modern data analysis has shown that seemingly innocuous data can be used to detect patterns and make educated guesses about everything from whether an individual or group is likely to default on a credit card or have a baby to whether they are engaged in human trafficking.
That capability has been available for years in the commercial world through businesses such as Equifax and Acxiom, and the software of companies including Palantir, which has worked with commercial firms and government investigative agencies.
“Anything that's doable off-the-shelf, we have to assume that adversarial nation-states are capable of doing as well,” Weatherford said.
"Standing on its own, little pieces of discrete data may be completely meaningless," Weatherford added. "When you start aggregating data, that's when you start getting intelligence value."
For instance, an analyst could see that a target was constantly opening new credit accounts and deduce that they were having financial troubles, or examine police records and credit card expenses and conclude that the target had a drug or alcohol problem.
"Once you find weakness, that's when you start exploiting," Weatherford said. "You become a potential intelligence asset."
An intelligence service could combine travel data from the Starwood breach with data from earlier hacks and query the merged set for contractors who hold high-level security clearances, have debt problems, and were in the same place at the same time as certain officials.
And newer technologies such as machine learning and predictive algorithms give clandestine services more power to turn a landfill of data into a goldmine of intelligence.
Similar to Facebook's "people you may know" feature, advanced programs can take lists of people and their behavior and, using social network analysis, start to work out what connections they might have with each other and with other people. Techniques like these could be useful for getting closer to the ultimate intended target, such as a defense contractor or a network operator on the electrical grid.
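The two preceding ideas, the co-location query over merged breach data and the "people you may know" style two-hop analysis, are easier to see in code than in prose. The following is an added illustration, not code from the article, from Marriott or from any investigator. All guest names, hotels, dates and the "cleared with debt" list are constructed for the example; the overlap rule treats a stay as inclusive of its check-in and check-out dates, which is an assumption.

```python
"""Toy correlation of constructed hotel-stay records with other (constructed) data.

Demonstrates why per-guest arrival/departure data is sensitive: once aggregated
with another dataset, simple joins answer questions like "which cleared,
indebted contractors overlapped with an official at the same hotel?" and
"who is two hops away from a given person?".  Nothing here is real data.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed stand-in for breached stay records: (guest, hotel, check_in, check_out)
STAYS = [
    ("a.officer",    "Hotel-X", date(2017, 3, 10), date(2017, 3, 14)),
    ("c.contractor", "Hotel-X", date(2017, 3, 12), date(2017, 3, 13)),
    ("d.contractor", "Hotel-X", date(2017, 3, 15), date(2017, 3, 16)),  # arrives after a.officer left
    ("b.officer",    "Hotel-Y", date(2018, 6, 1),  date(2018, 6, 4)),
    ("c.contractor", "Hotel-Y", date(2018, 6, 2),  date(2018, 6, 3)),
    ("e.analyst",    "Hotel-Y", date(2018, 6, 3),  date(2018, 6, 5)),
]

# Constructed stand-ins for "other data" an adversary might already hold
OFFICIALS = {"a.officer", "b.officer"}
CLEARED_WITH_DEBT = {"c.contractor", "d.contractor"}


def overlaps(s1, s2):
    """True if two stays are at the same hotel and their date ranges intersect.

    Assumption: check-in and check-out dates are both counted as being present.
    """
    _, hotel1, in1, out1 = s1
    _, hotel2, in2, out2 = s2
    return hotel1 == hotel2 and in1 <= out2 and in2 <= out1


def colocation_graph(stays):
    """Build an undirected graph: guest -> set of guests they overlapped with."""
    graph = defaultdict(set)
    for s1, s2 in combinations(stays, 2):
        if s1[0] != s2[0] and overlaps(s1, s2):
            graph[s1[0]].add(s2[0])
            graph[s2[0]].add(s1[0])
    return graph


def find_candidates(stays, officials, cleared_with_debt):
    """The query the text describes: cleared, indebted people co-located with an official.

    Returns sorted (person, official) pairs.
    """
    graph = colocation_graph(stays)
    hits = set()
    for person in cleared_with_debt:
        for official in graph.get(person, set()) & officials:
            hits.add((person, official))
    return sorted(hits)


def people_you_may_know(stays, person):
    """Two-hop social network step: guests who share a co-located contact with
    `person` but never overlapped with `person` directly."""
    graph = colocation_graph(stays)
    direct = graph.get(person, set())
    second_hop = set()
    for contact in direct:
        second_hop |= graph.get(contact, set())
    return sorted(second_hop - direct - {person})


if __name__ == "__main__":
    for person, official in find_candidates(STAYS, OFFICIALS, CLEARED_WITH_DEBT):
        print(f"{person} overlapped with {official}")
    print("a.officer may know:", people_you_may_know(STAYS, "a.officer"))
```

On the constructed data, d.contractor never overlaps anyone and drops out, while c.contractor surfaces against both officials; a.officer's only direct overlap is c.contractor, yet the two-hop step links a.officer to b.officer and e.analyst through that one shared contact. That is the whole point of Weatherford's remark: each stay record is nearly meaningless alone, and the join is where the intelligence value appears.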
“They're interested in everything… more and more data,” Noam Jolles-Ichner, senior intelligence specialist at the Israel-based Diskin Advanced Technologies, said. “You can do something with everything.”