Chinese Attackers Infiltrate Defense Contractor, Steal Sensitive Military Technology


A defense contractor known for manufacturing military weapons systems and components suffered a series of data security breaches, beginning in 2007 and recurring through 2010, that exposed intellectual property and other sensitive data.

McLean, Va.-based QinetiQ (pronounced "kin-EH-tic") reportedly lost documents associated with drones and military robotics systems, some of which are still deployed. The attackers accessed servers containing more than 13,000 employee passwords, giving them unfettered access to the corporate network and the firm's most sensitive systems, according to a Bloomberg analysis of documents and emails it obtained about the breach.

The attackers exploited vulnerabilities in QinetiQ's systems and were persistent: in one intrusion they remained on the network for 251 days, accessing more than 150 computers and stealing 20 GB of data before they were detected, according to the report. The internal damage assessment obtained by Bloomberg said the stolen cache included sensitive military technology equivalent in size to 1.3 million pages of documents.


The report adds urgency to the discussion about nation-state-driven, targeted attacks aimed at defense contractors and manufacturers up and down the supply chain. Security firm Mandiant issued a report in February linking hundreds of attacks to a group believed to be under the Chinese government's control. That state-sponsored cyberespionage campaign resulted in breaches at as many as 141 organizations and may represent only a small fraction of the cyberespionage the group has conducted, according to the Mandiant report.

China and other countries are grappling with how to compete in the global economy and are going after the U.S. manufacturing base, said Jim Butterworth, chief information security officer of security firm HBGary. Butterworth told CRN in a recent interview that while the theft of manufacturing documents is a serious breach, the data gleaned from them wouldn't necessarily give a country everything it needs to copy the technologies.

"They came in early and sucked up all the plans, but they don't have the laboratory or high academic brain trust that we have," Butterworth said. "They stole our recipe books but now have to steal the cooks."

Building perfect copies of separate components and parts involves precision and rigorous testing, Butterworth said. Putting the pieces together to re-create entire weapons systems would be extremely difficult, he said.

"You might know how to put it together, but you wouldn't necessarily know what the stress settings [are]," Butterworth said. "There's a lot of stress testing that gets us to the eventual point of slapping a military standard on something; that means that a lot of smart and highly paid people subjected stuff to rigorous adverse tests."

The cyberespionage incidents analyzed in the 2013 Verizon Data Breach Investigations Report trace back to a few large campaigns. Many of those incidents are classified, but Verizon investigators were directly involved in at least one of them, said Chris Porter, managing principal of Verizon's RISK Team and an author of the report. Porter told CRN that much of the data on cyberespionage attacks came from Verizon partners who identified specific incidents as the work of a state-affiliated espionage actor.

"It's difficult to say in those cases what specific campaigns were involved and the specific actor groups around those campaigns," Porter said. "These guys aren't stealing MP3 files; they're definitely stealing plans and designs."

The Verizon Data Breach Investigations Report's analysis of 621 breaches found that state-affiliated attacks designed to steal intellectual property comprised about one-fifth of all breaches. About 95 percent of those targeted attacks used phishing to gain initial access; the attackers then used stolen passwords and malware to reach servers and steal data from them, the report found.

"I don't think these attacks are a new problem," Porter said. "We don't want to create more alarmist attitudes; we just want to lay out how these campaigns work."

PUBLISHED MAY 3, 2013