Hackers were able to mount a lateral attack after compromising the networks of a Navy contractor working for the Naval Undersea Warfare Center in Rhode Island, according to a Washington Post report, citing American officials.
The result? “Massive amounts of highly sensitive data” flowed into the hands of China, unnamed officials told the paper, including “secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.”
The incident happened January and February, the sources said, and resulted in 614 gigabytes of data, most of it highly sensitive info related to American offensive and defensive systems, including cryptography systems for secure communication, signals and sensor data, and the Navy’s electronic submarine warfare library, which contains information about adversary radar platforms.
Also among the stolen materials is information on a $300 million secret project codenamed Sea Dragon. The Pentagon vaguely characterizes it as the development of “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” It’s been underway since 2015.
The officials said that the Navy and the FBI are spearheading an investigation into the breach, but neither has publicly commented on the situation with any detail, beyond confirming that it happened. Sources also said that the civilian counterintelligence agency known as the Chinese Ministry of State Security was behind the attack.
“In the first half of 2018, we’ve seen several Chinese cyber espionage groups re-emerge from apparent hiatuses, possibly due to diminished public attention or completion of a bureaucratic reorganization which may have led to a centralization of cyber operations from China,” Cristiana Brafman Kittner, principal analyst at FireEye, told Threatpost. “Moreover, some of our observations suggest that China is increasing the scope and scale of campaigns and showing an increased focus on maritime interests with multiple clusters of Chinese APTs targeting entities associated with maritime defense and research initiatives.”
As for what went wrong, it comes down to basic security hygiene: The data, despite comprising what can be seen as classified military secrets, was housed on the contractor’s unclassified network, sources said.
“We saw a similar attack when the Dragonfly group gained direct access to the US power grid through a vulnerable third party,” said Fred Kneip, CEO at CyberGRX, via email. “It’s an effective approach because large organizations have thousands of contractors, vendors and suppliers that they interact with – and any one of them could be the way in. Learning which third parties pose the greatest risk to your network doesn’t have to be like finding a needle in a haystack, but that’s the way it works too often. The same methods hackers are using to access classified military information are being used every day to access commercial assets – and the only way to prevent it is through a more collaborative approach to understanding risk exposure.”
Defense Secretary Jim Mattis meanwhile asked the Pentagon inspector general’s office on Friday to review contractor cybersecurity practices, the Post reported.
The attack falls in line with China’s ongoing efforts to develop advanced weapons capability, often on the back of stolen mechanical and software systems plans. In February, Director of National Intelligence Daniel Coats testified that Chinese cyber-spying efforts have mainly focused on infiltrating defense contractors and other third parties before pivoting to government networks, both here in the U.S. and abroad (as a recent incident in the U.K. demonstrates).
At the same time, China has been signing anti-hacking pacts regarding commercial sectors: In September 2015, Chinese President Xi Jinping inked a pledge with former President Barack Obama that China would refrain from cyberespionage against private-sector companies in the United States. That deal was reaffirmed last fall, although researchers say there’s provisional evidence that attacks are continuing, most notably in the 2017 CCleaner attacks. Nonetheless, a similar deal was signed by Canadian Prime Minister Justin Trudeau and Chinese Premier Li Keqiang last year, and China and Russia also have also had a deal in place since 2015.
In addition to the data exfiltration. Martin McKeay, global security advocate at Akamai, noted that this might only be part of the hackers’ end game.
“Gathering data on your enemy is only half of information warfare; spreading false and misleading information is the other,” he told Threatpost. “Any time an organization reports a breach by this level of adversary, the stolen data is only part of the problem. Any adversary who has the access required to steal this data is likely to also have the ability to modify existing plans and software to introduce errors or even potentially back doors for future compromises in the finished product. Every image and line of code that makes up the plans the contractor is using have to be examined in detail to guarantee no modifications have been made, a costly and time consuming process.”
Image courtesy of the U.S. Navy.