Feeds

'Chinese' attack sucks secrets from US defence contractor

Comment Crew blamed for three-year attack on QinetiQ

SANS - Survey on application security programs

Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew.

Bloomberg spoke to Verizon’s Terremark security division, HB Gary and Mandiant – all security firms which were hired by QinetiQ to deal with the problem – and sifted through reports and emails made public by the 2011 Anonymous hack of HBGary, in order to get a clear picture of the scale of the breach.

The report reveals poor security practice and misjudgement allowed the hackers to siphon off terabytes of data, potentially compromising national security.

“We found traces of the intruders in many of their divisions and across most of their product lines,” former Terremark SVP Christopher Day told the newswire. “There was virtually no place we looked where we didn’t find them.”

QinetiQ is thought to have been among around 30 defence contractors targeted by hackers in a campaign dating back to 2007, with a group Comment Crew apparently pegged by investigators as the perpetrators – although there’s no explanation for how they arrived at this decision.

The group was famously outed by Mandiant in a high profile report back in February as linked to People’s Liberation Army Unit 61398 and responsible for over 100 other attacks.

QinetiQ was apparently first notified of an intrusion back in 2007, when an agent from the Naval Criminal Investigative Service warned that two employees working at the firm’s US HQ in McLean, Virginia, had their laptops compromised.

The agent had stumbled upon the breach as part of a separate investigation but apparently left out many key details including the fact that other contractors were being hit. QinetiQ limited the following forensic trawl to a few days and mistakenly treated it and several succeeding incidents as unconnected.

Even when NASA warned the firm that it was being attacked by hackers from one of QinetiQ’s computers the firm apparently continued to treat incidents in isolation.

The attackers’ MO appears to have been classic APT-style attack. Once inside the network they appear to have moved laterally to nab internal passwords, allowing them access to highly classified data including source code from the Technology Solutions Group.

Huge amounts of data were apparently smuggled out of the company in small packets to evade detection by traditional filters.

It is claimed that QinetiQ didn’t operate a two-factor authentication system, which could have prevented the hackers logging on with the stolen passwords, and that when Mandiant suggested a simple fix to the problem it was ignored.

Investigators also found in 2008 that QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts, the report claimed.

The hackers targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico, according to Bloomberg.

Last year China made a splash at the Zuhai air show with a range of drone aircraft similar in design to their US equivalents but pitched at a lower price point.

As if the persistent hacking incursions weren’t enough, investigators brought in to help apparently made matters worse by arguing with each other.

Then software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power.

The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary.

The report comes just a day after news that the Pentagon has leased a Chinese commercial satellite for communications in Africa. It also emerged this week that Comment Crew is very much still operating, despite being named and shamed in the Mandiant report earlier this year. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.