'Chinese' attack sucks secrets from US defence contractor

Comment Crew blamed for three-year attack on QinetiQ


Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew.

Bloomberg spoke to Verizon’s Terremark security division, HB Gary and Mandiant – all security firms which were hired by QinetiQ to deal with the problem – and sifted through reports and emails made public by the 2011 Anonymous hack of HBGary, in order to get a clear picture of the scale of the breach.

The report reveals poor security practice and misjudgement allowed the hackers to siphon off terabytes of data, potentially compromising national security.

“We found traces of the intruders in many of their divisions and across most of their product lines,” former Terremark SVP Christopher Day told the newswire. “There was virtually no place we looked where we didn’t find them.”

QinetiQ is thought to have been among around 30 defence contractors targeted by hackers in a campaign dating back to 2007, with a group Comment Crew apparently pegged by investigators as the perpetrators – although there’s no explanation for how they arrived at this decision.

The group was famously outed by Mandiant in a high profile report back in February as linked to People’s Liberation Army Unit 61398 and responsible for over 100 other attacks.

QinetiQ was apparently first notified of an intrusion back in 2007, when an agent from the Naval Criminal Investigative Service warned that two employees working at the firm’s US HQ in McLean, Virginia, had their laptops compromised.

The agent had stumbled upon the breach as part of a separate investigation but apparently left out many key details including the fact that other contractors were being hit. QinetiQ limited the following forensic trawl to a few days and mistakenly treated it and several succeeding incidents as unconnected.

Even when NASA warned the firm that it was being attacked by hackers from one of QinetiQ’s computers the firm apparently continued to treat incidents in isolation.

The attackers’ MO appears to have been classic APT-style attack. Once inside the network they appear to have moved laterally to nab internal passwords, allowing them access to highly classified data including source code from the Technology Solutions Group.

Huge amounts of data were apparently smuggled out of the company in small packets to evade detection by traditional filters.

It is claimed that QinetiQ didn’t operate a two-factor authentication system, which could have prevented the hackers logging on with the stolen passwords, and that when Mandiant suggested a simple fix to the problem it was ignored.

Investigators also found in 2008 that QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts, the report claimed.

The hackers targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico, according to Bloomberg.

Last year China made a splash at the Zuhai air show with a range of drone aircraft similar in design to their US equivalents but pitched at a lower price point.

As if the persistent hacking incursions weren’t enough, investigators brought in to help apparently made matters worse by arguing with each other.

Then software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power.

The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary.

The report comes just a day after news that the Pentagon has leased a Chinese commercial satellite for communications in Africa. It also emerged this week that Comment Crew is very much still operating, despite being named and shamed in the Mandiant report earlier this year. ®


Other stories you might like

  • You need to RTFM, but feel free to use your brain too
    But I was only following the procedures!

    Who, Me? Monday is here, and with it a warning that steadfast determination to ignore instructions might not be such a silly thing after all. Welcome to Who, Me?

    Today's story comes from a reader Regomized as "Sam" and takes us back to his first proper IT job following his departure from the education system.

    Sam found himself on the mainframe operations team for a telecommunications company. The work was, initially, pretty manual stuff. The telco wasn't silly, and had its new recruits start by performing offline duties, such as gathering tapes and job tickets for batch runs, handling payslips, "basically anything involving a bit of leg work," he told us.

    Continue reading
  • Tropical island paradise ponders tax-free 'Digital Nomad Visa'
    Live and work in Bali, pay tax at home

    The government of Indonesia has once again raised the idea of creating a "digital nomad visa" that would allow foreign workers to live and work in the tropical paradise of Bali, tax free, for five years.

    The idea was raised before the COVID-19 pandemic, but understandably shelved as borders closed and the prospect of any digital nomads showing up dropped to zero.

    But in recent interviews Sandiaga Uno, Indonesia's minister for Tourism and the Creative Economy, said the visa was back on the drawing board.

    Continue reading
  • Small in Japan: Hitachi creates its own (modest) cloud
    VMware-powered sovereign cloud not going to challenge hyperscalers, but probably won't be the last such venture

    Hitachi has taken a modest step towards becoming a public cloud provider, with the launch of a VMware-powered cloud in Japan that The Register understands may not be its only such venture.

    The Japanese giant has styled the service a "sovereign cloud" – a term that VMware introduced to distinguish some of its 4,000-plus partners that operate small clouds and can attest to their operations being subject to privacy laws and governance structures within the nation in which they operate.

    Public cloud heavyweights AWS, Azure, Google, Oracle, IBM, and Alibaba also offer VMware-powered clouds, at hyperscale. But some organizations worry that their US or Chinese roots make them vulnerable to laws that might allow Washington or Beijing to exercise extraterritorial oversight.

    Continue reading
  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • Cerebras sets record for 'largest AI model' on a single chip
    Plus: Yandex releases 100-billion-parameter language model for free, and more

    In brief US hardware startup Cerebras claims to have trained the largest AI model on a single device powered by the world's largest Wafer Scale Engine 2 chip the size of a plate.

    "Using the Cerebras Software Platform (CSoft), our customers can easily train state-of-the-art GPT language models (such as GPT-3 and GPT-J) with up to 20 billion parameters on a single CS-2 system," the company claimed this week. "Running on a single CS-2, these models take minutes to set up and users can quickly move between models with just a few keystrokes."

    The CS-2 packs a whopping 850,000 cores, and has 40GB of on-chip memory capable of reaching 20 PB/sec memory bandwidth. The specs on other types of AI accelerators and GPUs pale in comparison, meaning machine learning engineers have to train huge AI models with billions of parameters across more servers.

    Continue reading
  • Zendesk sold to private investors two weeks after saying it would stay public
    Private offer 34 percent above share price is just the thing to change minds

    Customer service as-a-service vendor Zendesk has announced it will allow itself to be acquired for $10.2 billion by a group of investors led by private equity firm Hellman & Friedman, investment company Permira, and a wholly-owned subsidiary of the Abu Dhabi Investment Authority.

    The decision is a little odd, in light of the company's recent strategic review, announced on June, which saw the board unanimously conclude "that continuing to execute on the Company's strategic plan as an independent, public company is in the best interest of the Company and its stockholders at this time."

    That process saw Zendesk chat to 16 potential strategic partners and ten financial sponsors, including a group of investors who had previously expressed conditional interest in acquiring the company. Zendesk even extended its discussions with some parties but eventually walked away after "no actionable proposals were submitted, with the final bidders citing adverse market conditions and financing difficulties at the end of the process."

    Continue reading

Biting the hand that feeds IT © 1998–2022