PLA wiretaps Bond-like defense contractor in U.S.

Defense Industrial Base // Government (U.S.) // Transportation // United States

QinetiQ, inspiration for Q’s lab in Ian Fleming’s James Bond thrillers, lost to the bad guys. The espionage expertise of the maker of secret satellites, drones, and software used by U.S. special forces in the Middle East didn’t keep Chinese cyber-spies from outwitting the company.

The “Comment Crew” hacker team, linked to the Chinese military, compromised most of the research produced by the North American branch of QinetiQ.

“The QinetiQ hack may have compromised information vital to national security, such as the deployment and capabilities of the combat helicopter fleet.”

The company’s vulnerabilities are “documented in hundreds of unvarnished e-mails and dozens of reports that were never meant to be public, part of a cache that was leaked in 2011 by the group Anonymous,” after it hacked HBGary Inc., a security firm assisting QinetiQ.

Hacks began as early as 2007, and by 2009 the attackers had almost complete control over computers at QinetiQ’s Technology Solutions Group. “Over one stretch in 2009, the spies spent 251 days raiding at least 151 machines, including laptops and servers, cataloging TSG’s source code and engineering data. The hackers dribbled data out of the network in small packets to avoid detection, managing to get away with 20 gigabytes before they were finally stopped.”

Another time, the hackers logged on through the company’s remote access system, just like any employee. “It was a trick they were able to use only because QinetiQ didn’t employ two-factor authentication, a simple device that generates a unique code employees enter, along with their usual password, anytime they work from home.”

Security teams found evidence of the hackers inside nearly all of QinetiQ’s U.S. operations, including on the computers of QinetiQ’s chief operating officer, a division vice president and dozens of engineers and software architects, some with classified clearances.

“Among the victims was a specialist in the embedded software on microchips that control the company’s military robots, which would help in China’s own robot-building program. . . The PLA unveiled a bomb disposal robot in April 2012 similar to QinetiQ’s Dragon Runner.”

“‘When it comes to cyber security QinetiQ couldn’t grab their ass with both hands, so it cracks me up that they won,’ Bob Slapnik, vice president at HBGary, wrote after QinetiQ received a grant from the Pentagon in 2010 to advise it on ways to counter cyberespionage.”