by MATT GALLAGHER, Red Herring journalist
A US military contractor, whose UK parent is a spinoff of the actual government lab that inspired Q in James Bond thrillers, has been the victim of a massive Chinese hack, Bloomberg reported.
Bloomberg reports that systems at QinetiQ’s North American division have been hacked since as early as 2007 by Comment Crew, a team of Chinese bloggers possibly working for the Chinese government that was outed by Mandiant last February. The extent of the hack was so great that all of the contractor’s “code and trade secrets are gone,” Phil Wallisch, senior security engineer at HBGary, a company that assisted in the investigation of the breach, wrote in an internal email. The hack provided totally unrestricted and extensive access to high-level, classified military technology, including military robotics and drone programs.
Bloomberg examined internal QinetiQ emails as revealed by Anonymous’ hack on HBGary, which assisted in the investigation of the intrusions along with security firms Terremark and Mandiant.
The extent of the cyber theft was so astounding that “there was virtually no place we looked where we didn’t find (hacks),” Christopher Day, a security expert hired twice by QinetiQ to investigate the break-ins, told Bloomberg.
In the multi-year hack attack, spies stole several terabytes, equal to hundreds of millions of pages, “dwarfing in sheer quantity any theft of Cold War secrets,” Bloomberg noted.
Aside from the sheer embarrassment for both the contractor and the US government, the hack has serious implications for the future security of a vast amount of US military technology.
“God forbid we get into a conflict with China but if we did we could face a major embarrassment, where we try out all these sophisticated weapons systems and they don’t work,” Richard Clarke, former special adviser to President George W. Bush on cyber security, told Bloomberg.
Perhaps even more astounding than the hacks themselves is the sheer level of ineptitude that allowed the cybercrime wave to continue as long and as deep as it did.
A forensics expert hired by QinetiQ was given only four days to conduct his investigation, despite his warning that QinetiQ “is likely not seeing the full extent” of the breach. As late as 2010, the hackers accessed the system through a simple hole: the contractor had failed to deploy even simple two-factor authentication, a precaution in which employees enter a unique generated code along with their password whenever accessing the system remotely.
QinetiQ employees, with the permission of IT staff, actually deleted HBGary security software during the investigation because of its drain on bandwidth.
One particular email summed up the extent of the damage. “Oh yeah…they are f’d,” Phil Wallisch, HBGary’s principal investigator on the project, wrote to Greg Hoglund, the head of HBGary, in September.
Leave it to the federal government to top the ineptitude of the private sector. Despite the attacks, as late as May of 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department that included the protection of the nation’s vulnerable transport infrastructure.
“When it comes to cyber security QinetiQ couldn’t grab their ass with both hands, so it cracks me up that they won,” Bob Slapnik, vice president at HBGary, wrote in an email following QinetiQ’s award of a 2010 Pentagon grant to advise the military on ways to counter cyber espionage.
And even though the State Department has the right to revoke the contractor’s charter in the event of negligence, it has yet to take any action against the company.
The government’s inaction stands in stark contrast to US Defense Secretary Leon Panetta’s warning last October of a potential “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”