Risk
5/2/2013
01:02 PM
50%
50%

China Tied To 3-Year Hack Of Defense Contractor

U.S. defense contractor QinetiQ ignored persistent attack warning signs, lost terabytes of secret information, say investigators.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
For three years, boutique defense contractor QinetiQ was compromised by an advanced persistent threat (APT) attack group operating from China. During that time, attackers accessed information about cutting-edge U.S. military drone and robot weapons systems and brought competing products to market.

Those allegations surfaced against QinetiQ North America Wednesday in a report from Bloomberg, which cited investigators hired by QinetiQ -- as well as HBGary emails that were stolen and leaked by Anonymous -- as sources. HBGary was one of several firms hired by the defense contractor to investigate apparent intrusions.

Investigators told Bloomberg that the ongoing attacks against QinetiQ (pronounced "kinetic") were launched by the Shanghai-based Comment Crew. Earlier this year, a report from security firm Mandiant tied the group -- which it dubbed APT1 -- to attacks that compromised 141 businesses, none of which it named, across 20 industries. According to Mandiant, the attackers weren't just supported by China, but actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit. Chinese officials denied those allegations.

[ How should your business react to the Chinese allegations? Read China Hack Attacks: Play Offense Or Defense? ]

Investigators hired by QinetiQ said that despite ongoing warnings from numerous organizations, including NASA and the Naval Criminal Investigative Unit, that the defense contractor's networks had been compromised, QinetiQ officials failed to realize that attackers were maintaining a persistent presence in their network and react accordingly.

"We found traces of the intruders in many of their divisions and across most of their product lines," Christopher Day -- until February, a senior VP at Verizon’s Terremark security division, which QinetiQ twice hired to investigate apparent intrusions -- told Bloomberg. "There was virtually no place we looked where we didn't find them."

As a result, investigators said that terabytes of data, including classified information relating to military robotics, drones and the Army's helicopter fleet, including PIN codes that could now be used to identify helicopters' deployment and combat-readiness, were stolen.

A QinetiQ spokesman didn't immediately respond to an emailed request for comment on the report, or what information security changes the business might have made as a result.

Attacks that aim to steal military secrets from defense contractors and their subcontractors are nothing new. A 2010 report from the Defense Security Service branch of the Department of Defense warned that "the United States' technical lead, competitive edge, and strategic military advantage are at risk; and our national security interests could be compromised" by what it said were an escalating number of "pervasive, relentless, and unfortunately, at times, successful" information security attacks against defense contractors.

But many reported incidents, such as the theft of information relating to the advanced Lockheed Martin F-35 stealth fighter jet in 2009, have been far more extensive than public accounts have suggested. Interestingly, China conducted the first test flight of its own stealth fighter in November 2012. Meanwhile, Bloomberg reported that the theft of information relating to the Lockheed Martin F-22 Raptor lead some intelligence officials to suggest that it might be unsuitable for combat because stolen information might be used to compromise critical systems.

The QinetiQ hack attack campaign recalls the 10-year breach of Nortel, during which time attackers maintained a persistent presence inside the company's network. Attackers stole numerous telecommunications and networking secrets, despite persistent signs that the Nortel network had been compromised.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.