Feeds

'Chinese' attack sucks secrets from US defence contractor

Comment Crew blamed for three-year attack on QinetiQ

The essential guide to IT transformation

Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew.

Bloomberg spoke to Verizon’s Terremark security division, HB Gary and Mandiant – all security firms which were hired by QinetiQ to deal with the problem – and sifted through reports and emails made public by the 2011 Anonymous hack of HBGary, in order to get a clear picture of the scale of the breach.

The report reveals poor security practice and misjudgement allowed the hackers to siphon off terabytes of data, potentially compromising national security.

“We found traces of the intruders in many of their divisions and across most of their product lines,” former Terremark SVP Christopher Day told the newswire. “There was virtually no place we looked where we didn’t find them.”

QinetiQ is thought to have been among around 30 defence contractors targeted by hackers in a campaign dating back to 2007, with a group Comment Crew apparently pegged by investigators as the perpetrators – although there’s no explanation for how they arrived at this decision.

The group was famously outed by Mandiant in a high profile report back in February as linked to People’s Liberation Army Unit 61398 and responsible for over 100 other attacks.

QinetiQ was apparently first notified of an intrusion back in 2007, when an agent from the Naval Criminal Investigative Service warned that two employees working at the firm’s US HQ in McLean, Virginia, had their laptops compromised.

The agent had stumbled upon the breach as part of a separate investigation but apparently left out many key details including the fact that other contractors were being hit. QinetiQ limited the following forensic trawl to a few days and mistakenly treated it and several succeeding incidents as unconnected.

Even when NASA warned the firm that it was being attacked by hackers from one of QinetiQ’s computers the firm apparently continued to treat incidents in isolation.

The attackers’ MO appears to have been classic APT-style attack. Once inside the network they appear to have moved laterally to nab internal passwords, allowing them access to highly classified data including source code from the Technology Solutions Group.

Huge amounts of data were apparently smuggled out of the company in small packets to evade detection by traditional filters.

It is claimed that QinetiQ didn’t operate a two-factor authentication system, which could have prevented the hackers logging on with the stolen passwords, and that when Mandiant suggested a simple fix to the problem it was ignored.

Investigators also found in 2008 that QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts, the report claimed.

The hackers targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico, according to Bloomberg.

Last year China made a splash at the Zuhai air show with a range of drone aircraft similar in design to their US equivalents but pitched at a lower price point.

As if the persistent hacking incursions weren’t enough, investigators brought in to help apparently made matters worse by arguing with each other.

Then software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power.

The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary.

The report comes just a day after news that the Pentagon has leased a Chinese commercial satellite for communications in Africa. It also emerged this week that Comment Crew is very much still operating, despite being named and shamed in the Mandiant report earlier this year. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.