Hackers Turned Defense Contractor QinetiQ Into Intelligence Playground

For more than three years, hackers linked to China thoroughly compromised U.K.-based QinetiQ, a firm that bills itself as "a world leading defense technology and security company," to steal intellectual property and sensitive defense information, according to reports of the incident.
The long-running breach resulted in numerous visits from federal investigators from December 2007 until late 2010, according to Bloomberg News, which first reported the massive compromise. The incident, spelled out in emails leaked from security firm HBGary in 2011, resulted in large swaths of data on sensitive technologies--such as drones and military helicopters—getting transmitted overseas. "The scary part of this particular type of intrusion is you are no longer talking about business interests and intellectual property, but about national security, and that raises the stakes quite a bit," said Alex Cox, principal research analyst for RSA's FirstWatch incident response group. The report is the latest evidence linking compromises at defense and critical-infrastructure companies to a Chinese group known as the "Comment Crew." In February, incident response firm Mandiant released a report identifying the group as the source of more than 140 incidents of espionage investigated by the firm since 2006. The group is a part of the People's Liberation Army known as Unit 61398, Mandiant said.

The widespread attacks on sensitive corporate and government organizations had top U.S. cyber-officials ranking the threat above terrorism, in terms the threat posed to U.S. interests. In March, the director of National Intelligence and the head of the U.S. Cyber Command both warned of the danger of the ongoing espionage.
In the recently reported incident, QinetiQ suffered a number of attacks over three years. A July 2010 report, leaked from security firm HBGary by hacktivists linked to Anonymous, discussed two of the attacks that resulted in the compromise of at least 71 systems—about 3.5 percent of systems investigated. Among the tools used by the hackers to control compromised systems was a remote access Trojan (RAT) known as "lprinp.dll," the report stated. "It is a well known and used variety of malware that is customized and built from source code (that is, not an attack toolkit/generator)," the report stated. "HBGary believes this malware strain to be tightly coupled to a Chinese hacking group that targets the DoD and its contractors. HBGary has code-named this threat group as 'Soysauce.' This group is also known as 'Comment Crew' by some." The chain of compromises of QinetiQ’s network stretched back to December 2007, when the Naval Criminal Investigative Service contacted the company and notified them that two of their employees had lost information to hackers, according to the Bloomberg article. Over the next three year, the company called in a succession of security contractors but limited their investigations and failed to take adequate steps to stop the attacks, the report stated