Chinese 'Comment Crew' hackers emptied QinetiQ of top-secret military data
US firm complacent about serious breaches, Bloomberg alleges
QinetiQ North America (QNA), one of the US’s critical defence and intelligence contractors, was pillaged of huge amounts of top-secret know-how by the infamous Chinese ‘Comment Crew’ (PLA Unit 61398) hacking group in a campaign stretching over years, Bloomberg has reported.
Reports and accusations of Chinese hacking are now ten-a-penny but what has been reconstructed by Bloomberg’s journalists after talking to investigators tells a story that will be as embarrassing as it is depressing for both QNA and the US defence establishment.
The hacking was so extensive that external consultants ended up more or less working permanently inside the firm to root out malicious software and compromises on an ongoing basis.
It’s already established that Chinese hackers (probably including PLA Unit 61398, outed earlier this year by Mandiant) started targeting US defence contractors as far back as 2007, but the role of QNA in events has not until now been fully explained, despite fragments of the story turning up in emails leaked after the 2011 Anonymous hack of security firm HBGary.
By late 2007 the Naval Criminal Investigative Service (NCIS) reportedly told QNA that two staff at the firm’s HQ were losing data from their laptops, information that the firm allegedly treated as a minor breach when it was later discovered to be anything but.
Through 2008, QNA is said to have treated the continuing pattern of hacks traced to its buildings as “isolated incidents”, including the compromise of 13,000 server passwords, which the attackers used to help steal huge amounts of classified military engineering data.
Security deteriorated to such an extent that investigators found that it was possible to access the firm’s network from a car park using an unsecured Wi-Fi connection and that, independently, Russian hackers had set up the compromised PC of a secretary to steal sensitive data at will over a two and a half year period.
“Over one stretch in 2009, the spies spent 251 days raiding at least 151 machines, including laptops and servers, cataloging TSG’s [a QNA division] source code and engineering data,” said Bloomberg.
“The hackers dribbled data out of the network in small packets to avoid detection, managing to get away with 20 gigabytes before they were finally stopped, according to an internal damage assessment.”
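The exfiltration described above defeats any control that alarms on a single large transfer: each flow is small, and the damage is only visible when outbound volume to the same destination is summed over days. As an added example (not code from Bloomberg, QNA or Mandiant), the following script aggregates outbound flow records per (source host, destination) pair and flags pairs where no single flow would have tripped a per-transfer threshold but the cumulative volume and the number of active days both look like a drip. The flow log, host names, addresses and thresholds are all constructed for this example.

```python
"""Low-and-slow exfiltration check over outbound flow logs.

Added example, not from the Bloomberg report or from QinetiQ: flags
(source host, destination) pairs whose individual transfers stay under a
per-flow alarm threshold but whose total volume over many days is large.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow log: timestamp, source host, destination, bytes sent.
# Hosts, addresses and volumes are invented for this example.
SAMPLE_FLOWS = """\
2009-03-01T02:14:00Z ws-sec-07 203.0.113.45 40960
2009-03-01T02:20:00Z ws-sec-07 203.0.113.45 38912
2009-03-02T01:58:00Z ws-sec-07 203.0.113.45 45056
2009-03-03T03:05:00Z ws-sec-07 203.0.113.45 43008
2009-03-04T02:40:00Z ws-sec-07 203.0.113.45 41984
2009-03-05T02:11:00Z ws-sec-07 203.0.113.45 44032
2009-03-01T09:00:00Z ws-eng-12 198.51.100.8 3145728
2009-03-02T14:30:00Z ws-eng-12 192.0.2.20 12288
"""

# Assumed thresholds for the example; tune to the environment's baseline.
PER_FLOW_ALARM = 1_048_576   # 1 MiB: a single transfer above this trips a per-flow rule
CUMULATIVE_ALARM = 200_000   # bytes to one destination that we treat as suspicious in total
MIN_ACTIVE_DAYS = 3          # persistence: distinct days with transfers to that destination


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_str, src, dst, nbytes = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def find_low_and_slow(flows, per_flow_alarm=PER_FLOW_ALARM,
                      cumulative_alarm=CUMULATIVE_ALARM, min_days=MIN_ACTIVE_DAYS):
    """Return {(src, dst): summary} for pairs that look like drip exfiltration.

    A pair is flagged when no single flow exceeded per_flow_alarm (so a
    per-transfer rule stayed silent), the sum of all its flows exceeds
    cumulative_alarm, and the activity spans at least min_days distinct days.
    """
    totals = defaultdict(int)
    largest = defaultdict(int)
    days = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        key = (src, dst)
        totals[key] += nbytes
        largest[key] = max(largest[key], nbytes)
        days[key].add(ts.date())

    hits = {}
    for key, total in totals.items():
        if (largest[key] < per_flow_alarm
                and total > cumulative_alarm
                and len(days[key]) >= min_days):
            hits[key] = {
                "total_bytes": total,
                "largest_flow": largest[key],
                "active_days": len(days[key]),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_low_and_slow(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {info['total_bytes']} bytes over "
              f"{info['active_days']} days, largest single flow {info['largest_flow']} bytes")
```

In the sample, ws-sec-07 never sends more than 45 KB at a time, so a per-flow rule stays silent, yet it has pushed roughly 250 KB to the same address over five nights and is flagged; the 3 MB transfer from ws-eng-12 is left to the per-flow rule that would already have caught it. In practice the aggregation key would also include the destination port and the window would be rolling rather than the whole log, but the shape of the check is the same.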
Despite another assessment that found that QNA’s lack of two-factor authentication helped a major 2010 raid on the company’s cache of robotics IP, the firm’s managers still did not address the need for security fixes recommended by consultant Mandiant.
By 2010, QNA believed it had cleaned up the last remnants of a hacking attack dating back nearly three years, only to discover yet more data leaks traced to malicious software that had been operating since 2009.
The damage done by the years-long thefts is harder to assess, but must have compromised US military superiority in a range of spheres including helicopters and robotics, as well as some of the informatics systems used by those forces during a military conflict.
It’s already been noticed how similar some Chinese drone designs are to the US designs on which they were almost certainly based.
Third-party assessments are that QNA was so successfully attacked that there is probably nothing left for the Chinese to steal.
QinetiQ’s story started in contentious fashion after it was hived off at an infamously knock-down price in 2001 from the UK’s Defence Evaluation and Research Agency (DERA), with the help of US investor Carlyle Group.
Critics complained that Carlyle had been handed huge amounts of valuable British research IP at a steal. QNA formed its own board in 2004 before the whole group went public in 2006.
As for the other actor in all this, the so-called Chinese Comment Crew hackers, one of the consultants used by QNA, Mandiant, made its global name after a report that not only explored the group’s activities but even identified the building they work from.