Chinese Hackers Breach US Navy Contractors

Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, triggering a top-to-bottom review of cyber vulnerabilities, WSJ reported Friday, citing officials and experts. From the report: A series of incidents in the past 18 months has pointed out the service's weaknesses, highlighting what some officials have described as some of the most debilitating cyber campaigns linked to Beijing. Cyberattacks affect all branches of the armed forces but contractors for the Navy and the Air Force are viewed as choice targets for hackers seeking advanced military technology, officials said. Navy contractors have suffered especially troubling breaches over the past year, one U.S. official said. The data allegedly stolen from Navy contractors and subcontractors often is highly sensitive, classified information about advanced military technology, according to U.S. officials and security researchers. The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks. One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials.

Contract Requirements

[lionchild]

Clearly, contract requirements should also now include proof of engagement in best practices of network and data security.

Re:Contract Requirements

[CaptainDork]

That will not fix the problem.

Nothing will.

IT has been recommending best practices for decades and top brass shrug it off.

A fucking document will not plug the fucking hole. The military contractors are as hardened as Equifax and Yahoo!, right? What's a document going to do?

When contractors included security as an option in their bids, the Feds said it was too much - get costs under control.

Re:

[Anonymous Coward]

As long as security is seen as a costly "option" then decision makers will routinely choose the cheaper option. Until security violations start having real consequences for the decision makers who choose to be exposed to them, things will not change.

Mod this up

[CaptainDork]

This is precisely the cure --- litigation --- and in this case it's the feds.

Look at Snowden. He's a contractor who walks in and out with the fucking keys to the store. How much has the government learned since then? Apparently, not much. Contractors are not committed military personnel, though that does open the door to criticize the Manning deal where "need to know," was replaced by, "must have Lady Gaga CD."

Companies are hacked daily and they don't know about it until the data shows up for sale on the Da

Re:

[CaptainDork]

I encourage you to consider another career path.

what about an code red for the ceo/vp/board?

[Joe_Dragon]

what about an code red for the ceo/vp/board? or maybe an treason trial with death on the table?

Re:

[RocketSW]

This already exists and is managed by the Defense Security Service (DSS) and is mandated by an Executive Order:

https://www.dss.mil/isp/index.... [dss.mil]
https://www.archives.gov/isoo/... [archives.gov]

Re:

[Anonymous Coward]

Since December 31, 2017, contract requirements do require showing engagement in best practices of network and data security.

https://www.nist.gov/mep/cyber... [nist.gov]

When the punishment meets the crime...

[Lucas123]

"One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials."

When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

Re:

[BringsApples]

Maybe they should be charged with espionage?

Re:When the punishment meets the crime...

[Ken McE]

When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

If you hold them responsible for being the victim of a crime, they'll stop reporting crimes.

Re:When the punishment meets the crime...

[john.r.strohm]

The problem with your point of view is that the contractors themselves committed a serious Federal crime when they put that classified information onto computers that were accessible from the outside world.

Someone is going to have to do a lot of explaining on all this.

Unfortunately, we will probably never hear the full story.

No reasonable prosecutor

[mi]

a serious Federal crime when they put that classified information onto computers that were accessible from the outside world.

But, but they had no criminal intent!! So no reasonable prosecutor should ever go after them [cnbc.com]!

Re:

[CaptainDork]

Yes, and they will, instead, produce gibberish-laden compliance letters, as well.

Re:

[fustakrakich]

"stolen" or sold? A lot of product is moved that way. You put a box out in the middle of the desert (or a small port in Libya), someone comes and picks it up, sometimes in grand fashion with lots of pyrotechnics. Makes the deniability even more plausible.

Re:

[CaptainDork]

You missed it by that much.

Contractors are not responsible. They present proposals and the military line-item veto pieces and parts and security is the first to go.

Contractors cover their asses and have incriminating evidence that will show that security costs were cut to meet budget restrictions.

Re:

[EvilSS]

Nah, that won't work. They will just pony up a scapegoat from the company to take the fall. Want to really hurt them? Ban the company, and the executives (so they can't just roll a new corp out under a new name) from government contracts for 5 years for the first incident, 10 years second, forever third. No appeals, no exceptions.

Let me guess

[OneHundredAndTen]

Contractors using Windows. After all, the Navy seems to be married to Windows, even when it cripples its battleships.

Re:

[Seven Spirals]

Most of the military uses Windows in one capacity or another. It's horrifying, but true. I just hope really hard they never "upgrade" the USAF Missileers off the ancient IBM systems they use to M$ anything. We'd all get self-nuked about 15 minutes later. Wouldn't even be Skynet either, just a BSOD.

Re:

[Frederic54]

Isn't the Navy still using windows XP?

Computer security seems an oxy-moron

[Seven Spirals]

I worked for years as a security analyst mainly just developing exploits and pen-test frameworks. I have to say that I'm now completely disillusioned with IT security and it now bores me to tears. The Chinese and/or other state actors have stolen soooooo fucking much from us. The F35, hypersonic missiles, complete lists of government agents/employees from the OMB, the list is very very long. You partisans will probably all assume I am a Trump-lover but I don't like him. I do, however, have to admit that he seems to at least be able to talk about Chinese IP theft unlike 99% of other politicians who just seem so sprung on the globalism gravy train they can't see that these people are behaving like *enemies*. Love or hate Trump, we gotta address this problem. My preference would be to emulate the Skunkworks and be super militant about physical security and just crucify a few people for bringing in USB sticks and smart phones in to flaunt the rules. I'd also force people to stop using computers for things they didn't need them for and just put the data/research at greater risk. Computers don't solve all problems with equal effectiveness, despite some people wanting to use them everywhere. However, I'd also take action against China. I bet if you started de-coupling all their domains from DNS root servers you'd get their attention. If they broke off and formed "Chinanet" then that'd be just fine - fewer hacks on our servers from their dirtbag inhabitants and government. When I geoip block China on my firewalls hack attempts go down by about 90%. They are rarely smart enough to use on-shore machines to hack from (it happens, but rarely, I found some Chinese hosting asshole in LA that had a nest of them once).

Re:

[Anonymous Coward]

F-22 also. They managed to steal a treasure trove of data related to that.

And sensitive data about submarine sensor performance a few years back.

It's been happening for decades. Clearly, we do not give a shit, or we would be doing something effective about it, rather than hand-waving and cries of how we're "complying with best security blah blah".

Which means it is really OK for China to do this. They can only do it if we allow them, and we have been allowing them. They win, we lose. If we don't want to

Re:

[Fallen Kell]

So better get the thing from prototype to production in rather less time than they did with the F35 (does that thing even fly yet? helmet stopped breaking necks maybe?)

Ummm.... F35 has been in combat sorties and standard rotation since September. So, yes, it flies and blows stuff up too.



Back to topic, As most people in the security scene know (perhaps they are the only ones who truly do know), the only way to secure a computer is to isolate it in a physical vault with in a faraday cage. Anyone who has physical access to it or any network it is connected to has the ability to breach said computer or network of computers. The problem is that when you tell this to the "bu

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AHuxley]

So contractors can make money on all kinds of new mil work they can do on a network.
A large international company can hire a few US lawyers and approved gov/mil staff and use the "internet" to bid for US gov/mil work.
Using a larger number of low wage staff outside the USA do the work. Low wages and a small "trusted" front company in the USA to win any US mil bid with.

The NSA likes the wide open "network" too as they can spy back down the "internet" at who is spying so well and deep on the US mil.
A few

The solution is simple...

[Anonymous Coward]

The solution to internet insecurity is simple: stop prioritizing convenience over security. We don't leave the door to our house unlocked because remembering to take the key with you is too inconvenient.

Personnel...

[mi]

It is a well-known fact [businessinsider.com], that ethnic Chinese [wired.com] abroad spy for China en-masse. Some willingly, some — under coercion [rfa.org].

One immediate step a country could take is to treat them with increased suspicion, which in the US is both against the laws and the morals — targeting expats from a particular country is denounced (and even prosecuted) as "racial profiling" — a trait Chinese society itself does not poses [observer.com].

Until we overcome this weakness against Chinese — the way we are overcoming it with the Russians, for example, our highest-tech research will remain at risk.

Re:

[mi]

All foreign-born are suspect, but expats from hostile countries (which Israel is not) are especially so. And China is in a special class all its own.

How are they getting in?

[schwit1]

We don't need contractor names but It would be nice to learn from other people's mistakes.

Re:

[mi]

This article [observer.com] offers some insights.

Easy Countermeasure

[Anonymous Coward]

Seed networks with many bogus strategies, projects, blueprints. Many of these could even be AI-generated. Then see whether they can separate the wheat from the chaff. Sound like the basis for a DARPA proposal from some AI academics.

More treasonous than Snowden

[Ogive17]

My opinion is this is worse than Snowden.

Re:

[account_deleted]

Comment removed based on user account deletion

hiii

[Евген Ткач]

Can u say something about a https://mrecorder.com/ [mrecorder.com] mobile recorder on Android? How does it work with other applications?