Hackers from the Chinese Ministry of State Security who broke into the systems of a contractor working for the US Naval Undersea Warfare Center stole 614GB of sensitive information, including plans for a supersonic anti-ship missile to be launched from a submarine.
The hacks, which occurred in January and February, according to a report in the Washington Post, yielded details on the Sea Dragon missile programme, which was created in 2012 to adapt existing military technology to new uses.
“We saw a similar attack when the Dragonfly group gained direct access to the US power grid through a vulnerable third party. That makes two significant, successful breaches targeting highly sensitive materials that have occurred through third parties,” said Fred Kneip, CEO, CyberGRX. “It's an effective approach because large organisations have thousands of contractors, vendors and suppliers that they interact with – and any one of them could be the way in.”
The breach demonstrates that “even an entity as highly regulated and classified as the federal government is not immune from the danger posed by third-party vulnerabilities,” said Ruchika Mishra, director of product marketing for Balbix, who concurred that since hackers commonly use third parties as entry points, “it makes sense that similar patterns would hold true for nation-states looking to breach their adversaries' cyber-defences.”
The Pentagon and the FBI are investigating the breach.
“There are measures in place that require companies to notify the government when a ‘cyber-incident' has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” the Post quoted Navy spokesman Commander Bill Speaks as saying. “It would be inappropriate to discuss further details at this time.”
Kneip noted that “the same methods hackers are using to access classified military information are being used every day to access commercial assets – and the only way to prevent it is through a more collaborative approach to understanding risk exposure.”
Mishra said security pros at any organisation “must be absolutely clear about the relative values of all its assets and, with that context, implement solutions that enable it to prioritise its defences and proactively address vulnerabilities that would put them at risk before they become entry points for attackers.”