Chinese hackers have repeatedly stolen intellectual property and defence information from QinetiQ
A British defence firm has been repeatedly targeted by Chinese hackers, which resulted in large-scale thefts of intellectual property and sensitive defence information from the company.
Indeed, for more than three years, hackers linked to China thoroughly compromised UK-based QinetiQ, according to reports of the attacks.
The long-running breach resulted in numerous visits from federal investigators from December 2007 until late 2010, according to Bloomberg News, which first reported the massive compromise. The incident, spelled out in emails leaked from security firm HBGary in 2011, resulted in large swaths of data on sensitive technologies – such as drones and military helicopters – getting transmitted overseas.
“The scary part of this particular type of intrusion is you are no longer talking about business interests and intellectual property, but about national security, and that raises the stakes quite a bit,” Alex Cox, principal research analyst for RSA’s FirstWatch incident response group.
The report is the latest evidence linking compromises at defence and critical-infrastructure companies to a Chinese group known as the “Comment Crew.” In February, incident response firm Mandiant released a report identifying the group as the source of more than 140 incidents of espionage investigated by the firm since 2006. The group is a part of the People’s Liberation Army known as Unit 61398, Mandiant said.
It’s one of several espionage groups backed by nation-states known within defence and security circles as specialists in advanced persistent threats (APTs). In January, the New York Times and the Wall Street Journal revealed that hackers thought to be from China had compromised their networks.
The widespread attacks on sensitive corporate and government organisations had top US cyber officials ranking the threat above terrorism, in terms the threat posed to US interests. In March, the Director of National Intelligence and the head of the US Cyber Command both warned of the danger of the ongoing espionage.
In the recently reported incident, QinetiQ suffered a number of attacks over three years. A July 2010 report, leaked from security firm HBGary by hacktivists linked to Anonymous, discussed two of the attacks that resulted in the compromise of at least 71 systems – about 3.5 percent of systems investigated.
Among the tools used by the hackers to control compromised systems was a remote access Trojan (RAT) known as “lprinp.dll,” the report stated.
“It is a well known and used variety of malware that is customised and built from source code (that is, not an attack toolkit/generator),” the report stated. “HBGary believes this malware strain to be tightly coupled to a Chinese hacking group that targets the DoD and its contractors. HBGary has code-named this threat group as ‘Soysauce.’ This group is also known as ‘Comment Crew’ by some.”
The chain of compromises of QinetiQ’s network stretched back to December 2007, when the Naval Criminal Investigative Service contacted the company and notified them that two of their employees had lost information to hackers, according to the Bloomberg article. Over the next three year, the company called in a succession of security contractors but limited their investigations and failed to take adequate steps to stop the attacks, the report stated.
How well do you know Internet security? Try our quiz!
Originally published on eWeek.