Slashdot Mirror


Chinese Hackers Breach US Navy Contractors (wsj.com)

Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, triggering a top-to-bottom review of cyber vulnerabilities, WSJ reported Friday, citing officials and experts. From the report: A series of incidents in the past 18 months has pointed out the service's weaknesses, highlighting what some officials have described as some of the most debilitating cyber campaigns linked to Beijing. Cyberattacks affect all branches of the armed forces but contractors for the Navy and the Air Force are viewed as choice targets for hackers seeking advanced military technology, officials said. Navy contractors have suffered especially troubling breaches over the past year, one U.S. official said. The data allegedly stolen from Navy contractors and subcontractors often is highly sensitive, classified information about advanced military technology, according to U.S. officials and security researchers. The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks. One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials.

61 comments

  1. Contract Requirements by lionchild · · Score: 4, Insightful

    Clearly, contract requirements should also now include proof of engagement in best practices of network and data security.

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
    1. Re:Contract Requirements by CaptainDork · · Score: 4, Insightful

      That will not fix the problem.

      Nothing will.

      IT has been recommending best practices for decades and top brass shrug it off.

      A fucking document will not plug the fucking hole. The military contractors are as hardened as Equifax and Yahoo!, right? What's a document going to do?

      When contractors included security as an option in their bids, the Feds said it was too much - get costs under control.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:Contract Requirements by Anonymous Coward · · Score: 2

      As long as security is seen as a costly "option" then decision makers will routinely choose the cheaper option. Until security violations start having real consequences for the decision makers who choose to be exposed to them, things will not change.

    3. Re:Contract Requirements by RocketSW · · Score: 2

      This already exists and is managed by the Defense Security Service (DSS) and is mandated by an Executive Order:

      https://www.dss.mil/isp/index....
      https://www.archives.gov/isoo/...

    4. Re:Contract Requirements by Anonymous Coward · · Score: 0

      IT Security is included in contract requirements and has been for years. The government has tomes written on best practices and management practices. Blaming companies or individuals in the face of overwhelming and systemic attacks by Chinese state actors is reckless and irresponsible. It is the job of the government to work with (or against) the Chinese government to put an end to any attacks, sabotage and espionage.

    5. Re:Contract Requirements by CaptainDork · · Score: 1

      I encourage you to consider another career path.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Contract Requirements by Anonymous Coward · · Score: 2, Interesting

      Since December 31, 2017, contract requirements do require showing engagement in best practices of network and data security.

      https://www.nist.gov/mep/cyber...

  2. Security? by Anonymous Coward · · Score: 0

    Looks like another example of standard business practice. Place security near the bottom of the list of things you should have. Navy should have a security check of all its contractors, especially ones involved in top secret work. I mean more rigorous than what they are doing now.

    1. Re:Security? by Anonymous Coward · · Score: 0

      No, when you contract something out you are absolved of all blame when something goes wrong.

  3. hackers! hackers! hackers! by Anonymous Coward · · Score: 0

    The bogeymen of the cyberspaces are on the loose again! State actors too! From the Chinese China Chinese!

    And msmash is still not any cooler. Still not k-rad. Still not a useful editor.

    NEXT.

    1. Re:hackers! hackers! hackers! by Anonymous Coward · · Score: 0

      shut up apk

    2. Re:hackers! hackers! hackers! by Anonymous Coward · · Score: 0

      exactly - why should we believe this? In whose best interest is this story composed and why would it be delivered so late if it is in our interest? ...and when did I get put on the committee for social outrage or whatever it is? and where the hell is my share of the lobby-cash?!

  4. When the punishment meets the crime... by Lucas123 · · Score: 5, Insightful

    "One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials."

    When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

    1. Re:When the punishment meets the crime... by BringsApples · · Score: 1

      Maybe they should be charged with espionage?

      --
      Politics; n. : A religion whereby man is god.
    2. Re:When the punishment meets the crime... by Ken+McE · · Score: 5, Insightful

      When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

      If you hold them responsible for being the victim of a crime, they'll stop reporting crimes.

    3. Re:When the punishment meets the crime... by john.r.strohm · · Score: 4, Insightful

      The problem with your point of view is that the contractors themselves committed a serious Federal crime when they put that classified information onto computers that were accessible from the outside world.

      Someone is going to have to do a lot of explaining on all this.

      Unfortunately, we will probably never hear the full story.

    4. Re:When the punishment meets the crime... by Anonymous Coward · · Score: 0

      If you hold them responsible for being the victim of a crime, they'll stop reporting crimes.

      You know, we're past the point where "being hacked due to incompetent security" counts as being a victim of a crime, especially when you work on secret military things.

      The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks.

      And this does not qualify as a victim ... if you can't secure your network to a high degree, you have no business even being on secret government contracts.

      Lacking the resources to invest in securing your network should pretty much mean you don't get to bid.

    5. Re:When the punishment meets the crime... by fustakrakich · · Score: 1

      "stolen" or sold? A lot of product is moved that way. You put a box out in the middle of the desert (or a small port in Libya), someone comes and picks it up, sometimes in grand fashion with lots of pyrotechnics. Makes the deniability even more plausible.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:When the punishment meets the crime... by CaptainDork · · Score: 2

      Yes, and they will, instead, produce gibberish-laden compliance letters, as well.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:When the punishment meets the crime... by CaptainDork · · Score: 1

      You missed it by that much.

      Contractors are not responsible. They present proposals and the military line-item veto pieces and parts and security is the first to go.

      Contractors cover their asses and have incriminating evidence that will show that security costs were cut to meet budget restrictions.

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:When the punishment meets the crime... by Anonymous Coward · · Score: 0

      When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

      If you hold them responsible for being the victim of a crime, they'll stop reporting crimes.

      Exactly, might as well throw soldiers in jail if they get shot at by foreign soldiers. Sure we will always need better security, but blaming people for getting targeted for cyber espionage is recklessly dangerous.

    9. Re: When the punishment meets the crime... by Anonymous Coward · · Score: 0

      The Donald loves to plug holes .... then to break the law trying to cover it up.

    10. Re:When the punishment meets the crime... by EvilSS · · Score: 1

      Nah, that won't work. They will just pony up a scapegoat from the company to take the fall. Want to really hurt them? Ban the company, and the executives (so they can't just roll a new corp out under a new name) from government contracts for 5 years for the first incident, 10 years second, forever third. No appeals, no exceptions.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    11. Re:When the punishment meets the crime... by Anonymous Coward · · Score: 0

      Username checks out. You sure you wouldn't rather gas them, fraulein?

  5. Let me guess by OneHundredAndTen · · Score: 2

    Contractors using Windows. After all, the Navy seems to be married to Windows, even when it cripples its battleships.

    1. Re:Let me guess by Seven+Spirals · · Score: 1

      Most of the military uses Windows in one capacity or another. It's horrifying, but true. I just hope really hard they never "upgrade" the USAF Missileers off the ancient IBM systems they use to M$ anything. We'd all get self-nuked about 15 minutes later. Wouldn't even be Skynet either, just a BSOD.

    2. Re:Let me guess by Anonymous Coward · · Score: 0

      The fact that you use "M$" from the days of old, is enough for me to know that you likely know nothing about the newer Windows server options. They are on par with your beloved Unix in most of the necessary ways, and better in others.

    3. Re:Let me guess by Frederic54 · · Score: 1

      Isn't the Navy still using windows XP?

      --
      "Science will win because it works." - Stephen Hawking
  6. Computer security seems an oxy-moron by Seven+Spirals · · Score: 4, Insightful

    I worked for years as a security analyst mainly just developing exploits and pen-test frameworks. I have to say that I'm now completely disillusioned with IT security and it now bores me to tears. The Chinese and/or other state actors have stolen soooooo fucking much from us. The F35, hypersonic missiles, complete lists of government agents/employees from the OMB, the list is very very long. You partisans will probably all assume I am a Trump-lover but I don't like him. I do, however, have to admit that he seems to at least be able to talk about Chinese IP theft unlike 99% of other politicians who just seem so sprung on the globalism gravy train they can't see that these people are behaving like *enemies*. Love or hate Trump, we gotta address this problem. My preference would be to emulate the Skunkworks and be super militant about physical security and just crucify a few people for bringing in USB sticks and smart phones in to flaunt the rules. I'd also force people to stop using computers for things they didn't need them for and just put the data/research at greater risk. Computers don't solve all problems with equal effectiveness, despite some people wanting to use them everywhere. However, I'd also take action against China. I bet if you started de-coupling all their domains from DNS root servers you'd get their attention. If they broke off and formed "Chinanet" then that'd be just fine - fewer hacks on our servers from their dirtbag inhabitants and government. When I geoip block China on my firewalls hack attempts go down by about 90%. They are rarely smart enough to use on-shore machines to hack from (it happens, but rarely, I found some Chinese hosting asshole in LA that had a nest of them once).

    1. Re:Computer security seems an oxy-moron by Anonymous Coward · · Score: 0

      Military planners must assume that China knows every technical and operational detail of all our advanced weapons systems... to rely on technological superiority when your adversary should be presumed to have stolen every technical and even operational secret is pure insanity.

    2. Re:Computer security seems an oxy-moron by Anonymous Coward · · Score: 1

      F-22 also. They managed to steal a treasure trove of data related to that.

      And sensitive data about submarine sensor performance a few years back.

      It's been happening for decades. Clearly, we do not give a shit, or we would be doing something effective about it, rather than hand-waving and cries of how we're "complying with best security blah blah".

      Which means it is really OK for China to do this. They can only do it if we allow them, and we have been allowing them. They win, we lose. If we don't want to lose, we have to play the game differently, and we're not gonna do that because it means we'd need to have security competence.

    3. Re:Computer security seems an oxy-moron by Anonymous Coward · · Score: 0

      I worked for years as a security analyst mainly just developing exploits and pen-test frameworks. I have to say that I'm now completely disillusioned with IT security and it now bores me to tears.

      Took you years to get there?

      I figured it out in about five minutes. It's not like it's hidden or anything. Then again, I never was invested in the whole make-believe theatre for my daily bread.

      My preference would be to emulate the Skunkworks and be super militant about physical security and just crucify a few people for bringing in USB sticks and smart phones in to flaunt the rules.

      Do everything on paper. With slide rules. And NO electronic anything in a ten mile radius. Maybe occasional EMP blasts just to make sure nobody smuggled in a smartphone or something. Upshot: More work getting done for lack of distractions.

      Of course, as soon as you make a big enough prototype and let it outside, some satellite or other will pick it up. So better get the thing from prototype to production in rather less time than they did with the F35 (does that thing even fly yet? helmet stopped breaking necks maybe?), quite a bit less.

      I bet if you started de-coupling all their domains from DNS root servers you'd get their attention. If they broke off and formed "Chinanet" then that'd be just fine

      Yeah, no. Reasons left as an exercise.

    4. Re:Computer security seems an oxy-moron by Anonymous Coward · · Score: 0

      What the heck would decoupling their domains from DNS root servers do? Don't they just use intermediate servers to hop?

    5. Re:Computer security seems an oxy-moron by Fallen+Kell · · Score: 1

      So better get the thing from prototype to production in rather less time than they did with the F35 (does that thing even fly yet? helmet stopped breaking necks maybe?)

      Ummm.... F35 has been in combat sorties and standard rotation since September. So, yes, it flies and blows stuff up too.



      Back to topic: as most people in the security scene know (perhaps they are the only ones who truly do know), the only way to secure a computer is to isolate it in a physical vault within a Faraday cage. Anyone who has physical access to it or any network it is connected to has the ability to breach said computer or network of computers. The problem is that when you tell this to the "business" side, they balk at what that means to operational costs. And wake up if you think the government isn't a business. They bid things out and typically go with the lowest priced bid (without knowing why it is the lowest bid). The companies that are doing decent security get screwed because they can't win bids against the companies that are faking it with lower cost solutions which are breachable. And when the breach later does occur no one does the deep dive to go back all the way to the contract bid process and acceptance/selection committees that allowed it to happen in the first place...

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    6. Re:Computer security seems an oxy-moron by Anonymous Coward · · Score: 0

      You could even cut every single fiber to China, you could turn off every single SATCOM link. China, via the North Korean Long Range Reconnaissance Command (LRRC) have ways to insert themselves into US telecom networks.

      These folks are accustomed to hard work with shovels, but also highly trained to work with the latest technology. They can live off a bottle of water for a week without a problem. They know how to feed themselves inside a forest. Their radios include spread spectrum HF radios which are very hard to intercept.

  7. Why is any of that stuff internet-accessible? by Anonymous Coward · · Score: 0

    Even tangentially (on a LAN)?

    There's tempting fate and then there's blatant irresponsibility.

    1. Re:Why is any of that stuff internet-accessible? by benjfowler · · Score: 1

      We're getting to the point of 'Battlestar Galactica' -- the enemy (Russia and China) is now so good at cyber, anything attached to a network will get compromised.

      Putin certainly understands this. Of the massive damage Snowden's treachery inflicted on us -- the Russians know what we're capable of, and Putin became a "technophobe" -- meaning everything on paper and typewriters, or hardwired secure telephone lines. There is a big black hole in the heart of the enemies' camp.

      The enemy has wised up. Why aren't we?

    2. Re:Why is any of that stuff internet-accessible? by AHuxley · · Score: 1

      So contractors can make money on all kinds of new mil work they can do on a network.
      A large international company can hire a few US lawyers and approved gov/mil staff and use the "internet" to bid for US gov/mil work.
      Using a larger number of low wage staff outside the USA do the work. Low wages and a small "trusted" front company in the USA to win any US mil bid with.

      The NSA likes the wide open "network" too as they can spy back down the "internet" at who is spying so well and deep on the US mil.
      A few NSA people can spy on the world as the spies have to network into the USA.

      The CIA creates fake files and see who they can fool into starting projects in their own nations from "fake" advanced US projects and files.
      Everyone gets their very own version of Operation Merlin https://en.wikipedia.org/wiki/...
      Want some "free" laser isotope separation files?
      Nations waste money and show their own spy networks trying to work on junk US bait projects found deep in US mil networks :)
      A few CIA "projects" found by other nations can set other nations mil spending back decades.

      The FBI likes the networks as they can detect who is moving large amounts of files around to sell to spies.
      The FBI can stay waiting deep in networks and see who is looking for what files and moves files around using what methods and accounts.
      A few FBI people can track a lot of US contractors all over the world.
      The FBI in an undercover role can ask any contractor to copy files out from a mil network and see if they do that task for money.
      The FBI can then watch such files and see in the contractor reports the "approach" to spy or starts to copy the files.
      The FBI kind of expects spying in the traditional way. A file structure will be searched in real time and the FBI can spy on words/names and terms in real time.
      What the FBI finds is the other nations just copy out the entire US database. No security, no encryptions allows all the US data to walk. The FBI never finds out what was so interesting as all the data is copied out.
      That's why so many US systems are kept wide open - it's a trap. Security wants to see what is getting looked for/at/search terms used from what account. The bad nations just copy it all out.
      Spies know they are watched on US networks and don't show what they are looking for on US networks anymore.

      Consider the comfort of staying in the USA. No having to follow the US mil work around the world and do months of security work in person at some cold/hot/dusty/isolated US camp/fort/base/port. For an average wage and then get taxed a lot.
      A wage lost to US taxes and rent in some other nations to work on a US base in person. That can all be done on a network?
      Do US internet security globally for the US mil from some nice US city. Keep the wage and save on rent.

      Nations trusted like the UK and New Zealand can place their own bait "files" deep in wide open US mil networks.
      The CIA and trusted 5 eye workers wait to see who looks for a project in say ~ the UK. MI5 uncovers a real spy network in the UK for free using a fictional file placed as bait in the USA.

      The "internet" was great for everyone around US mil projects.

      Except for the ability to copy out all the US secrets in plain text.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Why is any of that stuff internet-accessible? by Anonymous Coward · · Score: 0

      The Soviets had moles inside NSA during the time "Mr Puuutn" was still a toddler. You think this ever stopped?

      So Snowden just informed the public about what the Russians already knew and worked around.

    4. Re:Why is any of that stuff internet-accessible? by Anonymous Coward · · Score: 0

      You completely overrate the ability of the federalez to detect covert file transfers.

      They are very good at snooping on the general public, the telephone system, WhatsApp, Skype and the like. Not so much Black Swan type of communications which look like one more file transfer into one of 1300000 AWS servers.

      Also, some nations have capabilities which are not known to the general public. Like having a mole building a directional Wifi Antenna and pointing it to a truck outside the perimeter.

  8. what about a code red for the ceo/vp/board? by Joe_Dragon · · Score: 1

    what about a code red for the ceo/vp/board? or maybe a treason trial with death on the table?

  9. The solution is simple... by Anonymous Coward · · Score: 1

    The solution to internet insecurity is simple: stop prioritizing convenience over security. We don't leave the door to our house unlocked because remembering to take the key with you is too inconvenient.

  10. Trump is to blame by Anonymous Coward · · Score: 0

    We have it on good authority here on slashdot, from many posters over the last week, that Chinese hacking everything they can is a myth.

    It's a lie spread by Donald Trump while personally taking Chinese citizens hostage. We see that the Chinese produces more CO2 than the US and EU combined and is growing at a dramatic rate. Those numbers they provide appear lower than satellite data indicates. But as anyone knows, scientific satellite data is only true science when it makes the west look bad and China look good.

    No. This is all a hoax by the bad orange man himself. It's all lies comrade. Keep the faith of hatred and ignorance strong!

  11. Personnel... by mi · · Score: 5, Interesting

    It is a well-known fact, that ethnic Chinese abroad spy for China en-masse. Some willingly, some — under coercion.

    One immediate step a country could take is to treat them with increased suspicion, which in the US is both against the laws and the morals — targeting expats from a particular country is denounced (and even prosecuted) as "racial profiling" — a trait Chinese society itself does not possess.

    Until we overcome this weakness against Chinese — the way we are overcoming it with the Russians, for example, our highest-tech research will remain at risk.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Personnel... by mi · · Score: 1

      All foreign-born are suspect, but expats from hostile countries (which Israel is not) are especially so. And China is in a special class all its own.

      --
      In Soviet Washington the swamp drains you.
  12. Trade War! by Anonymous Coward · · Score: 0

    We must have a trade war with Gina!!!!

    - Trump on the can at 3 AM

  13. Re: But ..But Russia .. by Anonymous Coward · · Score: 0

    Sarah?

  14. How are they getting in? by schwit1 · · Score: 1

    We don't need contractor names but it would be nice to learn from other people's mistakes.

    1. Re:How are they getting in? by mi · · Score: 1

      This article offers some insights.

      --
      In Soviet Washington the swamp drains you.
  15. Easy Countermeasure by Anonymous Coward · · Score: 1

    Seed networks with many bogus strategies, projects, blueprints. Many of these could even be AI-generated. Then see whether they can separate the wheat from the chaff. Sound like the basis for a DARPA proposal from some AI academics.

  16. No reasonable prosecutor by mi · · Score: 2

    a serious Federal crime when they put that classified information onto computers that were accessible from the outside world.

    But, but they had no criminal intent!! So no reasonable prosecutor should ever go after them!

    --
    In Soviet Washington the swamp drains you.
  17. Use the law by Anonymous Coward · · Score: 0

    All we have to do is let those contractors obtain patents on their work, for example the components of the F-22's stealth technology. That way the Chinese legally cannot build airplanes using that technology.
    And if they did do that anyway, we could shame them by putting up posters with their pictures and what they did.

  18. Mod this up by CaptainDork · · Score: 1

    This is precisely the cure --- litigation --- and in this case it's the feds.

    Look at Snowden. He's a contractor who walks in and out with the fucking keys to the store. How much has the government learned since then? Apparently, not much. Contractors are not committed military personnel, though that does open the door to criticize the Manning deal where "need to know," was replaced by, "must have Lady Gaga CD."

    Companies are hacked daily and they don't know about it until the data shows up for sale on the Dark Web. Somebody has to tell them. That negligence should have ramifications.

    The basic problem, as I see it, is CaptainDork's 6th Corollary:

    For every motherfucker out there with a computer, there's another motherfucker out there with a computer.

    Sensitive entities should be using different hardware/software using an isolated "Internet."

    --
    It little behooves the best of us to comment on the rest of us.
  19. More treasonous than Snowden by Ogive17 · · Score: 1

    My opinion is this is worse than Snowden.

    --
    "Action without philosophy is a lethal weapon; philosophy without action is worthless."
  20. Unbelievable by benjfowler · · Score: 1

    If our militaries and defence contractors are THIS fucking stupid, maybe we DESERVE to get our arses kicked by Russian and Chinese fascists. We'll then have a LONG time to regret not pulling our heads out of our arses and waking up to the threat, because a world ruled by Russians and Chinese will be a dark, dark place indeed.

    Similar stupidity with the American obsession with aircraft carriers. Each costs upwards of $13b with 6000 sailors on each. China and Russia, when the shooting starts, will send a bunch of them to the sea floor with salvos of high-speed long-range missiles.

    Even so, I doubt our fucking idiot leaders will wake up to themselves. They're all sitting around wanking each other off, playing stupid culture-war games (no doubt egged on by Russian trolls), and figuring out how to enrich themselves and their donors to get a grip on the situation.

    HOW MUCH bad shit will need to happen before we get our act together? Come ON!

    1. Re:Unbelievable by Anonymous Coward · · Score: 0

      It has been Russia who destroyed the peace in Iraq.
      China enabled ISIS.
      Russia destroyed Syria.
      The chaos in Libya was done by China.

      NOT.

      The "dark world" has been brought about by America and its brain, Israel.

  21. Re: But ..But Russia .. by Anonymous Coward · · Score: 0

    Oh no no no, kiddo. I'm out here fucking da bears with a strap-on covered in warm maple syrup, dontchaknow. Dat's someone else dere.

  22. Time for interment camp for chinks? by Anonymous Coward · · Score: 0

    Back in WWII the japs were interned.

    Isn't it time to intern the chinks?

  23. hiii by fbk_csgo.e · · Score: 1

    Can u say something about a https://mrecorder.com/ mobile recorder on Android? How does it work with other applications?