Dark Reading is part of the Informa Tech Division of Informa PLC


9/18/2014
12:55 PM

US Military In The Dark On Cyberattacks Against Contractors

A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.

Communication is the key to any good relationship. Yet a new report from the US Senate Armed Services Committee shows that a lack of communication has left the US Transportation Command (Transcom) in the dark about threats to cyber security.

The Armed Services Committee report, released Wednesday, contends that hackers tied to the Chinese government successfully penetrated systems belonging to Transcom contractors at least 20 times during a 12-month period beginning June 1, 2012. The report is the culmination of a year-long investigation by the committee, which found that gaps in reporting requirements and a lack of information sharing between government agencies left Transcom largely unaware of the compromises.

Transcom is responsible for the movement of US troops and equipment around the globe. According to the committee, Transcom was aware of only a handful of the attacks, even though contracts mandate that contractors report certain types of incidents to the command. Though more than 80 companies are subject to the clause, the command had received only two reports of cyber intrusions until August 2013.

In addition, the report states that the FBI, the Department of Defense, the Air Force Office of Special Investigations, and the Defense Cyber Crime Center were aware of cyberattacks between June 2012 and June 2013 and failed to share the information with Transcom.

The committee's findings are detailed in a report entitled "Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors." The committee approved the report in the spring and released an unclassified version today.

During the period covered by the report, there were about 50 intrusions or "cyber events" into the computer networks of Transcom contractors.

"These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace," Sen. Carl Levin (D-MI), the committee's chairman, said in a committee press release. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur."

This year, TrapX Security identified malware called Zombie Zero, which was delivered into enterprise shipping and logistics environments from a Chinese manufacturer responsible for selling proprietary hardware for terminal scanners used to inventory items being shipped. The malware was delivered through the Windows embedded XP operating system installed on the hardware at the manufacturer's location in China and could be downloaded from the Chinese manufacturer's support website.

[Zombie Zero is still actively pushing rigged handheld scanning devices, reviving concerns about doing business with Chinese tech companies. Read Chinese Hackers Target Logistics & Shipping Firms With Poisoned Inventory Scanners.]

"It is just as important in today's world to protect our country's critical information systems and infrastructure as it is to protect sea lanes and foreign economic interests," said Carl Wright, general manager of TrapX and former CISO of the US Marine Corps.

Though Transcom attributed all 20 intrusions in the report to China, FireEye researchers Jen Weedon and Kristen Dennesen wrote in a blog post that the Chinese government is not the only player in the game. Suspected Russian attackers have been targeting a defense technology company, and an Iranian group targeted US defense contractors in Operation Saffron Rose.

"Multiple threat groups appear to have a firm understanding of the Aerospace and Defense supply chains, including the relationships between organizations and specific projects in the industry," Weedon and Dennesen wrote. "In multiple instances, cyber espionage groups have targeted information about specific projects across several companies. Similarly, we have observed threat groups target the entire Aerospace and Defense manufacturing production cycle, from research and development through testing and production, all the way to product launch."

"We must ensure that cyber intrusions cannot disrupt our mission readiness," Sen. Jim Inhofe (R-OK), the committee's ranking Republican, said in the release. "It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
aws0513 (User Rank: Ninja), 9/23/2014 11:12:58 AM
Re: Huge
I agree that this is a bad situation.

But a small correction for @Robert McDougal...

Transcom is short for USTRANSCOM, which is the DoD Command responsible for all transportation logistics doctrine and management for all DoD organizations. Transcom is thus a government entity, not a contractor.

The fact that Transcom was not aware of the breaches does not surprise me. Transcom is basically a large entity that facilitates and coordinates the contracting for movement of military materiel and personnel. The intelligence function of Transcom relies on DIA and other government intelligence functions to provide information on threats to their contractor pool.

I believe that the bigger problem is that contractors are not generally required to report security incidents unless the incident will directly impact delivery of logistics services. Most of these hacks look to be information gathering, thus having very little impact on service delivery. Unlike the health industry, there is no legal requirement for private entities in the defense industry to report any compromises unless dictated by contractual agreement.

Counterintelligence is generally perceived as the realm of the USGov intelligence community, not the logistics community. If the intelligence community notified Transcom of such activity, odds are it would have acted on the information.

I am certain that Transcom is currently in the immediate remediation of the causes for this situation. If there is one thing that the DoD is good at, it is adapting to security threats that make the headlines.

Robert McDougal (User Rank: Ninja), 9/18/2014 2:56:26 PM
Huge
"Transcom is responsible for the movement of US troops and equipment around the globe."

The organization responsible for our troop movements was left in the dark on cyber intelligence? This is unacceptable. Of all the contractors that should be aware of threats to intelligence theft, you would think Transcom would be a top priority. I guess nothing surprises me anymore.