Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

9/18/2014 12:55 PM

US Military In The Dark On Cyberattacks Against Contractors

A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.

Communication is the key to any good relationship. Yet a new report from the US Senate Armed Services Committee shows that a lack of communication left the US Transportation Command (Transcom) in the dark about intrusions into its contractors' networks.

The Armed Services Committee report, released Wednesday, contends that hackers tied to the Chinese government successfully penetrated systems belonging to Transcom contractors at least 20 times during a 12-month period beginning June 1, 2012. The report is the culmination of a year-long investigation by the committee, which found that gaps in reporting requirements and a lack of information sharing between government agencies left Transcom largely unaware of the compromises.

Transcom is responsible for the movement of US troops and equipment around the globe. According to the committee, Transcom was aware of only a handful of the attacks, even though contracts mandate that contractors report certain types of incidents to the command. Though more than 80 companies are subject to the clause, the command had received only two reports of cyber intrusions until August 2013.

In addition, the report states that the FBI, the Department of Defense, the Air Force Office of Special Investigations, and the Defense Cyber Crime Center were aware of cyberattacks between June 2012 and June 2013 and failed to share the information with Transcom.

The committee's findings are detailed in a report entitled "Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors." The committee approved the report in the spring and released an unclassified version on Wednesday.

During the period covered by the report, there were about 50 intrusions or "cyber events" into the computer networks of Transcom contractors.

"These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace," Sen. Carl Levin (D-MI), the committee's chairman, said in a committee press release. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur."

Earlier this year, TrapX Security identified malware it named Zombie Zero, which reached enterprise shipping and logistics environments through a Chinese manufacturer that sells proprietary handheld terminal scanners used to inventory items being shipped. The malware was already present in the Windows XP Embedded operating system image installed on the scanners at the manufacturer's facility in China, and an infected version of the software could also be downloaded from the manufacturer's support website.


"It is just as important in today's world to protect our country's critical information systems and infrastructure as it is to protect sea lanes and foreign economic interests," said Carl Wright, general manager of TrapX and former CISO of the US Marine Corps.

Though all 20 intrusions covered by the report were attributed to China, FireEye researchers Jen Weedon and Kristen Dennesen wrote in a blog post that the Chinese government is not the only player in the game. Suspected Russian attackers have been targeting a defense technology company, and an Iranian group targeted US defense contractors in Operation Saffron Rose.

"Multiple threat groups appear to have a firm understanding of the Aerospace and Defense supply chains, including the relationships between organizations and specific projects in the industry," Weedon and Dennesen wrote. "In multiple instances, cyber espionage groups have targeted information about specific projects across several companies. Similarly, we have observed threat groups target the entire Aerospace and Defense manufacturing production cycle, from research and development through testing and production, all the way to product launch."

"We must ensure that cyber intrusions cannot disrupt our mission readiness," Sen. Jim Inhofe (R-OK), the committee's ranking Republican, said in the release. "It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
aws0513, User Rank: Ninja, 9/23/2014 | 11:12:58 AM
Re: Huge
I agree that this is a bad situation.

But a small correction for @Robert McDougal...

Transcom is short for USTRANSCOM, which is the DoD Command responsible for all transportation logistics doctrine and management for all DoD organizations. Transcom is thus a government entity, not a contractor.

The fact that Transcom was not aware of the breaches does not surprise me. Transcom is basically a large entity that facilitates and coordinates the contracting for movement of military materiel and personnel. The intelligence function of Transcom relies on DIA and other government intelligence functions to provide information on threats to their contractor pool.

I believe that the bigger problem is that contractors are not generally required to report security incidents unless the incident will directly impact delivery of logistics services. Most of these hacks look to be information gathering, thus having very little impact on service delivery. Unlike the health industry, there is no legal requirement for private entities in the defense industry to report any compromises unless dictated by contractual agreement.

Counterintelligence is generally perceived as the realm of the US Gov intelligence community, not the logistics community. If the intelligence community had notified Transcom of such activity, odds are it would have acted on the information.

I am certain that Transcom is currently in the immediate remediation of the causes for this situation. If there is one thing that the DoD is good at, it is adapting to security threats that make the headlines.
Robert McDougal, User Rank: Ninja, 9/18/2014 | 2:56:26 PM
Huge
"Transcom is responsible for the movement of US troops and equipment around the globe."

The organization responsible for our troop movements was left in the dark on cyber intelligence? This is unacceptable; of all the contractors that should be aware of threats of intelligence theft, you would think Transcom would be a top priority. I guess nothing surprises me anymore.