Chinese hackers breached LoopPay, the company behind Samsung Pay’s secret sauce
Time to put the party hats away.
Samsung, coming off an incredible quarter for earnings, said one of its subsidiaries whose technology handled the transmission of payment data between the company’s smartphones and merchants’ systems recently suffered a computer network breach.
The company said the attack affected LoopPay, the Mass.-based startup purchased by the South Korean electronics giant for a reported $250 million earlier this year. LoopPay developed part of the secret sauce behind Samsung Pay, the company’s mobile payment wallet which debuted in the U.S. last week.
The New York Times first reported that LoopPay’s corporate network had been targeted by a state-sponsored Chinese hacking group—known as the Codoso Group or Sunshock Group among security professionals—on Wednesday, citing people familiar with the breach investigation, as well as executives at LoopPay and parent Samsung (SSNLF).
A Samsung spokesperson confirmed the breach with Fortune via email, passing along a statement from Darlene Cedres, the company’s chief privacy officer. “Samsung Pay was not impacted and at no point was any personal payment information at risk,” the statement read. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”
The hackers may have been seeking information regarding LoopPay’s intellectual property: magnetic secure transmission, tech that enables Samsung Pay to be compatible with older point-of-sale terminals by mimicking the magnetic strips on payment cards. (Samsung Pay, like competitors Apple (AAPL) Pay and Google’s (GOOG) Android Pay, also works with near-field communications technology, which conducts transactions via radio waves.)
LoopPay’s computer network had been breached as early as March, a month after Samsung acquired the firm, the Times reported. The company did not learn of the intrusion until late August, a month prior to Samsung Pay’s U.S. launch, when another organization stumbled across its data during a separate investigation of the Codoso Group, a sophisticated threat actor that has a history of targeting financial firms, military and defense contractors, C-level executives, and Chinese political dissidents.
John Hultquist, head of cyberespionage threat intelligence at the Dallas, Texas-based security firm iSight Partners, shared his thoughts on the hacking unit with Fortune. “They’re one of the better actors we see coming out of that region,” Hultquist said, noting that the China-based group is known for exploiting sophisticated zero-day vulnerabilities—previously unknown computer bugs—to compromise the machines of their victims. “I don’t believe they were there for criminal interests,” he added. “These guys are not really after monetizable commodity data. They’re after intelligence and esoteric information—information only a few types of people can actually make use of.”
In other words, Hulquist said, the Codoso group is motivated by espionage, both political and economic. The Obama administration recently struck an agreement with Chinese President Xi Jinping during his first state visit to the U.S. that prohibits the two nations from conducting economic espionage against one another. Although many commenters question whether the agreement will hold, the hacking at LoopPay seems to have predated the deal.
“These people may have been after cryptographic information,” Hultquist told Fortune, mentioning that the Codoso Group might have had an interest in “unmasking transactions” to keep tabs on the financial activity of targets of interest. “Their intent was probably to stay low and monitor the network in perpetuity,” he said.
“I think when details finally come out we’ll probably learn that it was a spearphishing attack leveraging a user clinking on a link or opening an attachment,” said Anup Ghosh, founder and CEO of the Fairfax, Va.-based security firm Invincea, describing a common vector for cyber espionage. Invincea researchers have observed the Codoso Group using that attack method before, Ghosh said.
“This compromise probably has less to do with trying to steal money and more to do with this particular actor’s systematic compromise of U.S. tech companies,” he added, noting that these are exactly the kinds of attacks the recent agreement between president Barack Obama and Xi is designed to stop.
Will Graylin, chief exec at LoopPay and co-general manager of Samsung Pay, told the Times that his division hired and retained two private forensics teams on Aug. 21, in response to intrusion.
The one named firm named by the Times, “Sotoria” [sic], a Charleston, S.C.-based incident-response business, was apparently dismissed from LoopPay’s premises three days after being called in. The company was, the Times reported Graylin as saying, looking at systems that “fell outside the scope of the initial contract, in what Mr. Graylin described as an attempt to extract more fees.” Nevertheless, the firm continued to work on the investigation, the Times said.
Fortune spoke to Chris O’Rourke, CEO and co-founder of the Charleston, S.C.-based security firm Soteria, about his company’s reported involvement in the investigation. “I don’t have the ability to discuss current or previous investigations at this time,” he said. “I will say,” he added, “there is some commentary in the [Times] article we disagree with.”
LoopPay did not immediately respond to a request for comment. Fortune will update this story with additional information as it comes.
Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.
For more on U.S.-China cybersecurity relations, watch this video.