Chinese hackers said to infiltrate LoopPay

Samsung’s Burlington unit says technology was targeted

WASHINGTON — Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Burlington, Mass., subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.

As early as March, the hackers — known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a startup that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation.

LoopPay executives said the hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, a key part of the Samsung Pay mobile wallet, which debuted in the United States last week. Like mobile payment systems from Apple and Google, Samsung Pay allows consumers to pay for goods using their Samsung smartphones with so-called near-field communications technology, which uses a wireless signal to send payment information from a phone to newer cash registers. But LoopPay’s MST technology has an advantage: It also works with older payment systems by emulating a commonly used magnetic stripe card.

The attackers are believed to have broken into LoopPay’s corporate network, but not the system that helps manage payments, said Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay. Graylin said security specialists were still looking through LoopPay’s systems, but there had been no indication the hackers infiltrated Samsung’s systems or that consumer data had been exposed.


LoopPay did not learn of the breach until late August, when an organization came across LoopPay’s data while tracking the Codoso Group in a separate investigation.

Both LoopPay and Samsung executives said they were confident they had removed infected machines and that customer information and personal devices were not affected. They said there was no need to delay the introduction of Samsung Pay, which had its US debut after executing more than $30 million worth of purchases in South Korea.


But two people briefed on the investigation, and security specialists who have been tracking the Codoso hackers, said it would be premature to say what the hackers did and did not accomplish.

The hackers were inside LoopPay’s network for five months before they were discovered. And the Codoso Group is known for maintaining a hidden foothold in its victims’ systems. Security specialists say the group plants hidden back doors so that it can continue to infiltrate networks long after an initial breach.

In a multistage Codoso attack on Forbes in February, for example, the group planted malicious code on Forbes.com that infected the site’s visitors. But that was just the start. From there, other members of the group used that foothold in visitors’ machines to search for valuable targets in the defense sector.

After a similar attack by another Chinese state-affiliated hacking group on the US Chamber of Commerce in 2011, the chamber believed it had rid its network of the hackers, only to discover months later that an office printer and even a thermometer in one of its corporate apartments were still sending information to China.

Samsung introduced Samsung Pay in the United States 38 days after LoopPay learned it had been breached. On average, it takes 46 days before an attack by hackers can be fully resolved, according to the Ponemon Institute, a nonprofit that tracks breaches. But the time to fix the damage is typically much longer.