Sophisticated Beijing-backed hackers raided civilian organisations responsible for the movements of US troops and equipment 20 times in one year of which only two were detected by the responsible agency, an audit report has found.
Contractors underneath the US Transportation Command (TRANSCOM) agency were hacked a total of 50 times, which included less sophisticated attacks made by actors not identified by the US Government as being on China's payroll.
The audit was conducted in the 12 months to June 2013 based on information provided by the Federal Bureau of Investigations, Defense Security Services, Defense Cyber Crime Centre, and the US Air Force and 11 contractors.
TRANSCOM was responsible for tapping civil transport organisations for wartime operations described as "key" in the report Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors [pdf] declassified overnight.
Senate Armed Services Committee members said the intrusions were unacceptable and a sign of aggression on the part of Beijing.
"These peacetime intrusions into the networks of key defense contractors are more evidence of China's aggressive actions in cyberspace," committee chairman Senator Carl Levin said.
"Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur."
Ranking member Senator Jim Inhofe called for a "central clearinghouse" for critical contractors to report possible hacks.
The audit found intrusions including the compromise or theft of email accounts, documents, passwords and code.
It also revealed a Civil Reserve Air Fleet contractor lost flight details, credentials and its email encryption key while systems on a TRANSCOM contractor ship were hacked multiple times.
The committee behind the report said TRANSCOM and its contractors lack a universal definition of what constituted a compromise.
It further criticised the reporting structure and said the FBI and Department of Defence knew but did not tell the Pentagon of nine separate intrusions of TRANSCOM contractors.
The committee updated its version of the National Defense Authorisation Act for Fiscal Year 2015 to direct the Secretary of Defense to designate operationally critical contractors and impose tighter reporting requirements for breaches suspected to be pulled off by nation-states.
The audit findings follow the naming by the US Government of five members of the Chinese People's Liberation Army it claimed were behind an eight-year hacking campaign against some American companies to steal commercially sensitive information. ®