Report: Chinese hackers drained secrets from top US military and spy contractor

The culprit? The well-known hacking collective Comment Crew. The damage? Thus far not fully assessed – but don’t be surprised if US and Chinese military craft start to look suspiciously alike.

Infosecurity reached out to QinetiQ NA for comment, but the company had not responded to the request by press time. Bloomberg, however, said that the saga dates back to 2007, when the Naval Criminal Investigation Service allegedly told QinetiQ NA that data seemed to be disappearing from two staffers’ laptops. Then, those “isolated incidents” continued throughout 2008 and 2009 in dribs and drabs that wouldn’t raise red flags, during which time security protocols at the spy company deteriorated severely.

And then the big one hit. Bloomberg reported that 13,000 server passwords were stolen and used to help steal a motherlode of information: “Over one stretch in 2009, the spies spent 251 days raiding at least 151 machines, including laptops and servers, cataloging TSG’s [a QinetiQ NA division] source code and engineering data,” it said.

The info-heist translated into to 1.3 million pages of documents or more than 3.3 million pages of Microsoft Excel spreadsheets – enough to form the core of the company’s braintrust. “All their code and trade secrets are gone,” Phil Wallisch, senior security engineer at HBGary, told Bloomberg.

Reporters added that otherwise, “The hackers dribbled data out of the network in small packets to avoid detection, managing to get away with 20 gigabytes before they were finally stopped, according to an internal damage assessment.”

Then, in 2010, QinetiQ NA’s lack of two-factor authentication led to a raid on the company’s cache of robotics and drone aircraft IP. Also in that year it discovered malicious software that had been operating in the network since 2009, slowly thieving out secrets along the way. All in all, the Bloomberg report paints a picture of a series of ongoing, persistent hacks, large and small, attacking various aspects of the enterprise in a way that had QinetiQ NA running from incident to incident in clean-up mode, never really able to get ahead of the threats. Absent a holistic security approach, the Chinese attackers simply widened the scope of their efforts.

The worst part about the hacking, if the report is accurate, is the fact that QinetiQ NA hired consultancy Mandiant – the company that recently made headlines by fingering China as a major sponsor of cyber-espionage around the world – to help it beef up security. But then, QinetiQ didn’t take Mandiant's advice.

For instance, in March 2010, Comment Crew hackers logged on through the company’s remote access system, which they were able to do because QinetiQ didn’t employ two-factor authentication. The vulnerability, however, is something that Mandiant spotted months before and recommended a fix for – a fix that was ignored, Bloomberg reported.

The results were notable: “In four days of furious activity, the hackers rifled at least 14 servers, taking particular interest in the company’s Pittsburgh location, which specialized in advanced robotics design.” It also tapped an “inventory of highly sensitive weapons-systems technology and source code throughout the company,” the news service reported.

By the end of 2010, Bloomberg said, the Comment Crew had “gained almost complete control over the company’s network. They had operated unhindered for months-long stretches and they had implanted multiple, hidden communications channels to extract data. Privately, the investigators concluded that the spies had gotten everything they wanted from QinetiQ’s computers.”

The US government didn’t revoke QinetiQ NA’s charter, despite opening up probes via the FBI, Pentagon and Naval Criminal Investigative Service – the results of which are unknown. Just the opposite appears true: In May 2012, QinetiQ received a $4.7 million cybersecurity contract from the US Department of Transportation.

What’s Hot on Infosecurity Magazine?