US military secrets leaked to Chinese hackers for three years
QinetiQ North America was attacked by a Shanghai-based hacker
group from 2007 to 2010, Bloomberg reported on Thursday. The
hacking collective has been coined the “Comment Crew” by security
The company is known for its contributions to national security – including software used by US forces in Afghanistan and the Middle East.
Comment Crew’s continuous spying reportedly provided China with a wealth of secret information on QinetiQ’s drones, satellites, military robotics, and the US Army’s combat helicopter fleet. The spies also stole several terabytes – equivalent to hundreds of millions of pages – of documents and data on weapons programs.
China’s military may have also stolen programming code and design details that it could use to disable some of the most sophisticated US weaponry. The situation could have a crippling effect on America’s defense capabilities.
“God forbid we get into a conflict with China but if we did we could face a major embarrassment, where we try out all these sophisticated weapons systems and they don’t work,” said Richard Clarke, former special adviser to President George W. Bush on cyber security.
But the hacking could have been easily prevented, if QinetiQ would have picked up on one of the many warnings it received along the way.
Failing to connect the dots
QinetiQ ignored the first sign of spying in 2007, when an agent
from the Naval Criminal Investigative Service notified the company
that two people were apparently losing classified information on
QinetiQ failed to act with caution, according to Brian Dykstra, a forensics expert hired to conduct the investigation into the lost data.
“They just felt like it was this limited little thing, like they’d picked up some virus,” he said.
Dykstra was given only four days to complete the investigation. He said the company didn’t give him the time or data necessary to determine whether more employees had been successfully targeted. In his report, Dykstra warned that QinetiQ is “likely not seeing the full extent” of the intrusion.
His assumptions were soon proved correct. In 2008, NASA alerted the company that hackers had tried to enter its system from one of QinetiQ’s computers.
But QinetiQ still failed to connect the dots, treating each series of attacks over the next several months as unrelated incidents. The company’s ignorance was welcomed by Comment Crew, who continued to raid servers and gather more than 13,000 internal passwords in the first 2 ½ years.
An easy hack?
In 2010, the hackers logged onto QinetiQ’s system with
incredible ease – through the company’s remote access system, just
like an ordinary employee.
The hack was made easy because of QinetiQ’s failure to use a two-factor authentication, allowing Comment Crew to use the stolen password of a network administrator. But it gets even worse – the company had discovered its own vulnerability months before, but failed to fix it the problem.
Over the course of four days, the hackers attacked at least 14 servers, eventually hitting the jackpot when they discovered an inventory of weapons-systems technology and source code throughout the company.
When QinetiQ finally caught on in 2010 and hired two outside firms to help combat the hackers. It was soon revealed that Comment Crew had established near permanent residence in the company’s computers.
The firms also discovered that the hackers had walked away with information on microchips that control the company’s robots.
The chip architecture could help China test ways to take over or defeat US robots or aerial drones, said Noel Sharkey, a drones and robotics expert at Britain’s Sheffield University.
The hackers also targeted at least 17 employees working on the Condition Based Maintenance program, which collects data on Apache and Blackhawk helicopters deployed around the world.
Thus far, there has been no word from the State Department regarding Comment Crew’s hacks into QinetiQ systems. Washington has the power to revoke the company’s charter to handle military technology if it finds negligence.
However, it appears the US government is doing just the opposite. In May 2012, QinetiQ received a $4.7 million cybersecurity contract from the US Transportation Department.