Comment Crew Chinese Hackers Blamed for Stealing Israeli Missile Secrets

Infamous Chinese hacking group the Comment Crew has been pegged for another high profile data grabbing operation, this time targeted at Israeli defense firms which built the country’s highly effective Iron Dome missile shield.

The group, which was outed as PLA Unit 61398 by Mandiant last year and blamed for attacks on US defense firms a few months back, exfiltrated large amounts of data from three top tech companies, according to US threat intelligence firm, Cyber Engineering Services Inc. (CyberESI).
 
They stole IP related to Arrow III missiles, ballistic rockets, drones and other tech from the firms in question - Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems.
 
CyberESI’s research is not yet online, but CEO Joseph Drissel told KrebsonSecurity that the type of data targeted indicated the hackers wanted IP related to Iron Dome – one of the world’s most effective missile defense systems currently at work destroying incoming Palestinian rockets.
 
He added that some of the stolen tech secrets were actually transferred to Israel from the US, so the hackers may by now also have intelligence on US military systems.
 
The attacks took place between 2011 and 2012 and seem to have followed the usual modus operandi of APT-style hacks.
 
They started with a malicious, socially engineered spearphishing email and then once inside the targeted network they moved laterally, escalating privileges and infecting other systems until they found what they were looking for.
 
CyberESI was apparently only able to confirm files totalling 762MB were stolen from IAI, although it admitted this was probably only a tiny proportion of what was actually exfiltrated.
 
The Comment Crew are one of the most prolific Chinese hacking groups – so much so that in May this year the US government took the unprecedented step of indicting five members of the PLA unit for stealing data from US firms for economic gain.
 
For its part, the IAI told Krebs that the attacks on its systems were “old news” and that it had since taken “corrective actions” to stop the same happening again.
 
Update: Israel Aerospace Industries has sent Infosecurity the following statement regarding news stories emanating from the CyberESI research:
 
"The information reported regarding the leakage of sensitive information is incorrect. The publications refer to an attempt to penetrate the company's civilian non-classified internet network which allegedly occurred several years ago. IAI's cyber security systems operate in accordance with the most rigorous requirements and also in this case were proven to be effective."