Senate Committee Calls Out Chinese Hackers Over Military Intrusions

A Senate committee has reported that Chinese hackers have heavily targeted contractors servicing US military logistics body Transcom over the past few years, highlighting a worrying lack of information sharing between government agencies.

The year-long probe by the Senate Armed Services Committee focused in particular on US Transportation Command (Transcom)’s ability to call upon civilian “transportation assets” by land, sea and air during times of crisis.

This requires the help of civilian companies, many of which may have cyber defense capabilities well below those of the military and are therefore an attractive target for nation-state hackers.

The report concluded that over a 12-month period from 1 June 2012, there were 50 “intrusions or other cyber events” into the networks of Transcom contractors, 20 of which were APTs attributable to Chinese attackers.

Among the findings were a “Chinese military” intrusion into a contractor between 2008 and 2010, which compromised emails, documents, user passwords and computer code; and another in which documents, flight details, credentials and passwords for encrypted email were stolen from a Civil Reserve Air Fleet (CRAF) contractor.

“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” said committee chairman Carl Levin, in a statement.

“Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”

Committee co-chair, Jim Inhofe, added that the development of a “central clearinghouse” was necessary to ensure that contractors could report suspicious online activity “without adding a burden to their mission support operations.”

The report uncovered a worrying lack of information sharing which left the military in the dark about many of the attacks. Transcom was only aware of two of the 20 APTs discovered by the FBI, Department of Defense and other bodies, for example.

It added:

"That gap was in part a result of contractors and TRANSCOM lacking a common understanding of what intrusions ought to be reported to TRANSCOM. Also, DoD agencies lack a clear understanding as to what information about cyber intrusions can and should be shared with TRANSCOM and other agencies within the Department."

The committee has now advised the Department of Defense to give more help to contractors on cyber security, close reporting gaps and improve the way it disseminates information on intrusions.

APT-prevention firm FireEye cautioned that China is not the only nation state which poses a threat from cyber space, with Russian and Iranian cyber espionage operatives also active.

“Of the 11 contractors impacted, eight said they were not aware of any threat activity occurring during the period in question. This hearkens back to a mantra we have at FireEye: it is not a matter of if an enterprise will be breached, but when,” it added in a blog post.

“It is therefore critical that organizations prepare for the inevitable breach by monitoring for signs of an intrusion, sharing intelligence with industry peers, and having a strong incident response plan in place. In addition, intel sharing—more freely among government entities, as well as the threat intelligence community writ large—and contribute to better preparedness and a more effective defense against cyber threats.”

Lior Arbel, CTO of security vendor Performanta, argued that communications from less secure partners and contractors present a "perfect conduit" for cyber security threats.

"Information sharing is essential to counter-cyber security threats but what needs to be emphasized is that the system is only truly effective if all the companies participating have a high level of cyber-security protection," he told Infosecurity.

"If companies do not have this base level prepared then the information they might receive from a partnership cannot be used effectively and the vulnerabilities will continue."
