Threatwatch

Hackers raided Israeli contractors that built Iron Dome missile shield

Credential-stealing malware; Cyber espionage; Network intrusion; Spearphishing; Unauthorized use of system administrator privileges

The attackers, suspected to be based in China, also copied pages of details on U.S. missile technology from the foreign defense firms.

Three Israeli contractors that architected the “Iron Dome” anti-missile system, which is currently protecting Israel from rocket strikes, were robbed of huge quantities of sensitive documents pertaining to the shield technology.

Maryland-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI) asserts the hackers infiltrated the networks of Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems. The incidents occurred between 2011 and 2012.

Among the data taken from IAI is a 900-page document that provides schematics and specifications for the Arrow 3 missile. “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” said Joseph Drissel, CyberESI’s founder and chief executive. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”

Much of the information purloined from the contractors was intellectual property covering the Arrow 3, drones and ballistic rockets, along with other technical documents in the same fields.

IAI was initially breached by a series of specially crafted email phishing campaigns. “The attacks bore all of the hallmarks of the ‘Comment Crew,’ a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations,” Krebs writes.

Once inside, Comment Crew members spent the next four months using their access to install various tools and trojan horse programs on systems throughout the company’s network and to expand their access to sensitive files.

“The intellectual property was in the form of Word documents, PowerPoint presentations, spreadsheets, email messages, files in portable document format (PDF), scripts, and binary executable files,” CyberESI wrote in a lengthy report produced about the breaches.

“Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”

The hackers followed a similar strategy to penetrate Elisra. CyberESI said the attackers stole the emails of many of Elisra’s top executives, including the CEO, the chief technology officer and multiple vice presidents within the company. It’s likely that the attackers were targeting people with access to sensitive information within Elisra, and/or were gathering would-be targets for future spearphishing campaigns.

Sector: Defense Industrial Base

Reported: July 28, 2014

Reported by: Krebs on Security

Number affected: Unknown

Location of breach: Unknown

Perpetrators: Chinese Hackers

Location of perpetrators: China

Date breach occurred: between Oct. 10, 2011 and August 13, 2012

Date breach detected: Unknown