US-based threat intelligence firm Cyber Engineering Services (CES) uncovered the intrusion after monitoring the covert communication infrastructure the attackers had set up, and told investigative journalist Brian Krebs that China's elite cyber operations group “Comment Crew” – otherwise known as “PLA Unit 61398” – was behind the attack.
Krebs, writing on his KrebsOnSecurity website, says that the group stole “huge quantities of sensitive material” relating to the Arrow III missile interceptor between 2011 and 2012: roughly 700 files (762 MB in total), most of them containing intellectual property. The documents were largely Word documents, PowerPoint presentations, PDFs, emails and spreadsheets.
The Arrow III interceptor is the upper, exo-atmospheric tier of Israel's layered missile defence, which also includes the Iron Dome system. Iron Dome, a roughly US$1 billion (£590 million) programme developed by Rafael Advanced Defense Systems for the Israel Defense Forces, is designed to intercept and destroy short-range rockets and artillery fired from up to 43 miles away, and is said to have intercepted a fifth of the 2,000 rockets fired by Palestinian militants during the current conflict.
PLA Unit 61398 is alleged to have pilfered documents on missiles, unmanned aerial vehicles and ballistic rockets by infiltrating the computer systems of contractors Rafael Advanced Defense Systems, Israel Aerospace Industries (IAI) and Elisra Group – all of which have worked on the US-Israeli co-developed Arrow III missile. One of the documents stolen from IAI was a 900-page report on the schematics and specifications of the missile.
The group apparently gained its initial foothold at IAI through a specially crafted phishing email, went on to compromise privileged credentials, and then installed various tools and Trojan horse programs inside the respective company networks to expand its access to sensitive files.
The news has led some people to speculate that China has plans to develop a missile defence system of its own.
The group has strong links to the Chinese People's Liberation Army and has previously been linked to as many as 100 high-profile intrusions at American corporations, activity that led the United States to indict five of its officers earlier this year.
PLA Unit 61398 was first publicly identified by security firm Mandiant – now part of FireEye – in its APT1 report of February last year.
Independent security consultant Adrian Culley said that the news demonstrated once again the strength of China's cyber-espionage capabilities.
“Unit 61398 of the Chinese PLA have yet again demonstrated both their technical prowess, reach and tenacity, and also the long term view taken by the Chinese Government in intelligence collection plan requirements,” Culley told SCMagazineUK.com.
“It is interesting to note that this unit originated the Titan Rain class of attacks in the late 90s, leading to the US Air Force introducing the term 'Advanced Persistent Threat' as a euphemism for hostile, foreign nation-state cyber threat actors.
“There is no imminent sign that Unit 61398 would be shutting up shop. They are only likely to become more active. The role and value of cyber operations in conflict situations is of increasing importance to many, if not most, nation states.”
David Lacey, a security futurologist at IOActive, said that Iron Dome would be a ‘prime target’ for the Chinese, considering the country's cyber expertise.
“Iron Dome must be a prime target for a country like China that's good at hacking and keen on military hardware,” Lacey told SC.
“No organisation has perfect security and defence contractors are just as vulnerable as everybody else. The real learning point is that trade secrets are not a great basis for competitive edge in a hyper-connected information age. You need to be bigger, smarter and faster to stay ahead of the pack.”
Jason Steer, director of security strategy at FireEye EMEA, said that his company has seen defence firms around the world come under cyber-attack, and pointed to Comment Crew as being behind the recent hack on Boeing – also one of the US defence contractors to have worked on Arrow III. He said that detection must improve if defence organisations are to spot breaches sooner.
“The key concern is the vigilance on detection - clearly these defence firms didn't have the right technologies to detect known threat actors on their network,” said Steer, who added that contractors remain an issue as far as information security is concerned.
“The supply chain today remains the easiest and softest route to gain access to sensitive IP today and one that needs to be addressed. I wonder how Boeing feel about their IP being exposed?”
Elisra and Rafael refused to comment to the press while a spokesperson for the IAI told Krebs that the findings were “old news”.