Chinese 'Comment Crew' hackers emptied QinetiQ of top-secret military data

US firm complacent about serious breaches, Bloomberg alleges

One of the US's critical military and espionage contractors QinetiQ North America (QNA) was successfully pillaged for huge amounts of top-secret know-how by the infamous Chinese 'Comment Crew' or PLA 61398 hacking group in a campaign stretching over years, Bloomberg has reported.

Reports and accusations of Chinese hacking are now ten-a-penny but what has been reconstructed by Bloomberg's journalists after talking to investigators tells a story that will be as embarrassing as it is depressing for both QNA and the US defence establishment.

The hacking was so extensive that external consultants ended up more or less working permanently inside the firm to root out malicious software and compromises on an ongoing basis.

It's already established that Chinese hackers (including probably PLA 61398, outed earlier this year by Mandiant) started targeting US defence contractors as far back as 2007, but the role of QNA in events has not until now been fully explained, despite fragments of the story turning up in emails leaked after the 2011 Anonymous hack of security firm HBGary.

By late 2007 the Naval Criminal Investigative Service reportedly told QNA that two staff at the firm's HQ were losing data from laptops, information that the firm allegedly treated as a minor breach when it was later discovered to be anything but.

Through 2008, QNA is said to have treated the continuing pattern of hacks traced to its buildings as "isolated incidents", including the compromise of 13,000 server passwords that attackers used to help steal huge amounts of classified military engineering data.

Security deteriorated to such an extent that investigators found it was possible to access the firm's network from a car park using an unsecured Wi-Fi connection and that, independently, Russian hackers had set up the compromised PC of a secretary to steal sensitive data at will over a two-and-a-half-year period.

"Over one stretch in 2009, the spies spent 251 days raiding at least 151 machines, including laptops and servers, cataloging TSG's [a QNA division] source code and engineering data," said Bloomberg.

"The hackers dribbled data out of the network in small packets to avoid detection, managing to get away with 20 gigabytes before they were finally stopped, according to an internal damage assessment."

Despite another assessment that found that QNA's lack of two-factor authentication helped a major 2010 raid on the company's cache of robotics IP, the firm's managers still did not address the need for security fixes recommended by consultant Mandiant.

By 2010, QNA believed it had cleaned up the last remnants of a hacking attack that dated back nearly three years, only to discover yet more data leaks traced to malicious software that had been operating since 2009.

The damage done by the years-long thefts is harder to assess, but it must have compromised US military superiority in a range of spheres including helicopters and robotics, as well as some of the informatics systems used by them during a military conflict.

It's already been noticed how similar some Chinese drone designs are to the US designs on which they were almost certainly based.

Third-party assessments are that QNA was so successfully attacked that there is probably nothing left for the Chinese to steal.

QinetiQ's story started in contentious fashion after it was hived off at an infamously knock-down price in 2001 from the UK's Defence Evaluation and Research Agency (DERA) with the help of US investor Carlyle Group.

Critics complained that Carlyle had been handed huge amounts of valuable British research IP at a steal. QNA formed its own board in 2004 before the whole group went public in 2006.

As for the other actor in all this, the so-called Chinese Comment Crew hackers, one of the consultants used by QNA, Mandiant, made its global name after a report that not only explored the group's activities but even identified the building they work from.


Stories by John E Dunn
