
9/18/2014
12:55 PM

US Military In The Dark On Cyberattacks Against Contractors

A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.

Communication is the key to any good relationship. Yet a new report from the US Senate Armed Services Committee shows that a lack of communication has left the US Transportation Command (Transcom) in the dark about threats to cyber security.

The Armed Services Committee report, released Wednesday, contends that hackers tied to the Chinese government successfully penetrated systems belonging to Transcom contractors at least 20 times during a 12-month period beginning June 1, 2012. The report is the culmination of a year-long investigation by the committee, which found that gaps in reporting requirements and a lack of information sharing between government agencies left Transcom largely unaware of the compromises.

Transcom is responsible for the movement of US troops and equipment around the globe. According to the committee, Transcom was aware of only a handful of the attacks, even though contracts mandate that contractors report certain types of incidents to the command. Though more than 80 companies are subject to the clause, the command had received only two reports of cyber intrusions until August 2013.

In addition, the report states that the FBI, the Department of Defense, the Air Force Office of Special Investigations, and the Defense Cyber Crime Center were aware of cyberattacks between June 2012 and June 2013 and failed to share the information with Transcom.

The committee's findings are detailed in a report entitled "Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors." The committee approved the report in the spring and released an unclassified version today.

During the period covered by the report, there were about 50 intrusions or "cyber events" into the computer networks of Transcom contractors.

"These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace," Sen. Carl Levin (D-MI), the committee's chairman, said in a committee press release. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur."

This year, TrapX Security identified malware called Zombie Zero, which was delivered into enterprise shipping and logistics environments by a Chinese manufacturer that sells proprietary hardware for the terminal scanners used to inventory items being shipped. The malware was embedded in the Windows Embedded XP operating system installed on the hardware at the manufacturer's location in China, and it could also be downloaded from the Chinese manufacturer's support website.

[Zombie Zero is still actively pushing rigged handheld scanning devices, reviving concerns about doing business with Chinese tech companies. Read Chinese Hackers Target Logistics & Shipping Firms With Poisoned Inventory Scanners.]

"It is just as important in today's world to protect our country's critical information systems and infrastructure as it is to protect sea lanes and foreign economic interests," said Carl Wright, general manager of TrapX and former CISO of the US Marine Corps.

Though Transcom attributed all 20 intrusions in the report to China, FireEye researchers Jen Weedon and Kristen Dennesen wrote in a blog post that the Chinese government is not the only player in the game. Suspected Russian attackers have been targeting a defense technology company, and an Iranian group targeted US defense contractors in Operation Saffron Rose.

"Multiple threat groups appear to have a firm understanding of the Aerospace and Defense supply chains, including the relationships between organizations and specific projects in the industry," Weedon and Dennesen wrote. "In multiple instances, cyber espionage groups have targeted information about specific projects across several companies. Similarly, we have observed threat groups target the entire Aerospace and Defense manufacturing production cycle, from research and development through testing and production, all the way to product launch."

"We must ensure that cyber intrusions cannot disrupt our mission readiness," Sen. Jim Inhofe (R-OK), the committee's ranking Republican, said in the release. "It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
aws0513
User Rank: Ninja
9/23/2014 | 11:12:58 AM
Re: Huge
I agree that this is a bad situation.

But a small correction for @Robert McDougal...

Transcom is short for USTRANSCOM, which is the DoD Command responsible for all transportation logistics doctrine and management for all DoD organizations. Transcom is thus a government entity, not a contractor.

The fact that Transcom was not aware of the breaches does not surprise me. Transcom is basically a large entity that facilitates and coordinates the contracting for movement of military materiel and personnel. The intelligence function of Transcom relies on DIA and other government intelligence functions to provide information on threats to their contractor pool.

I believe that the bigger problem is that contractors are not generally required to report security incidents unless the incident will directly impact delivery of logistics services. Most of these hacks look to be information gathering, thus having very little impact on service delivery. Unlike the health industry, there is no legal requirement for private entities in the defense industry to report any compromises unless dictated by contractual agreement.

Counterintelligence is generally perceived as the realm of the USGov intelligence community, not the logistics community. If the intelligence community had notified Transcom of such activity, odds are it would have acted on the information.

I am certain that Transcom is currently in the immediate remediation of the causes for this situation. If there is one thing that the DoD is good at, it is adapting to security threats that make the headlines.

Robert McDougal
User Rank: Ninja
9/18/2014 | 2:56:26 PM
Huge
"Transcom is responsible for the movement of US troops and equipment around the globe."

The organization responsible for our troop movements was left in the dark on cyber intelligence? This is unacceptable. Of all the contractors that should be aware of threats to intelligence theft, you would think Transcom would be a top priority. I guess nothing surprises me anymore.