Chinese Hackers Breached U.S. Military Contractors 20 Times in One Year


The U.S. Senate Armed Services Committee recently announced that hackers "associated with the Chinese government" successfully breached the computer systems of U.S. Transportation Command (TRANSCOM) contractors at least 20 times in a single year.

In a report entitled "Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors" [PDF], the committee states that TRANSCOM had been aware of only two of those intrusions.

"As to the reasons for TRANSCOM's lack of knowledge regarding these intrusions, the committee found gaps in requirements that result in many cyber intrusions not being reported to the command and a lack of common understanding between TRANSCOM and its contractors as to the scope of cyber intrusions that must be reported," the report states.

TRANSCOM, which is responsible for managing the global movement of U.S. troops and equipment, has the ability to tap civilian air, shipping and other transportation assets to deploy U.S. forces in times of crisis. "Through programs such as the Civil Reserve Air Fleet, commercial transportation companies, some of whom do little or no CRAF-related business in peacetime, become key elements of TRANSCOM's plans for moving troops and equipment around the world," the committee explained in a statement.

The committee found that in the 12 months from June 1, 2012 to May 30, 2013, there were approximately 50 "intrusions or other cyber events" affecting TRANSCOM contractors, of which at least 20 were successful intrusions attributed to China.

"These peacetime intrusions into the networks of key defense contractors are more evidence of China's aggressive actions in cyberspace," committee chairman Carl Levin said in a statement. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur."

FireEye researchers noted, however, that China isn't the only player in this game. "We have also observed suspected Russia-based actors target a defense technology company, and in Operation Saffron Rose, we saw an Iranian group target U.S. defense contractors in addition to members of the Iranian opposition," researchers Jen Weedon and Kristen Dennesen wrote in a blog post examining the committee's report.

ThreatStream CTO Greg Martin said by email that the report clearly demonstrates that targeted attacks from nation states are an ongoing issue. "The military, oil and gas, aerospace and transportation industries have all been, and continue to be, heavily targeted with these types of cyber campaigns," he said. "This specific actor, referred to commonly in the security community as 'Sykipot,' is known to be an Advanced Persistent Threat cyber group with Chinese government ties and has been attacking U.S. government and industry since 2006."

"Organizations can protect themselves by looking at newer generation cyber threat solutions such as threat intelligence platforms and [looking] into collaborating on sharing information with U.S. government and the industry specific ISACs," Martin added.

In response to the TRANSCOM breaches, the committee says it has directed the Secretary of Defense to establish procedures for designating companies as "operationally critical contractors," to tighten the requirements for those contractors to report breaches by known or suspected government actors, and to assist contractors in detecting and mitigating cyber threats.