'Chinese' attack sucks secrets from US defence contractor

Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew. Bloomberg spoke to Verizon’s Terremark …

COMMENTS

This topic is closed for new posts.
  1. Voland's right hand Silver badge
    Devil

    What do you expect

    Nothing in this report surprises me in the slightest. At all.

    Welcome to the world of corporate IT in the 21st century. Underresourced, Outsourced, Undercompetent, Outstretched and so on...

    1. LarsG
      Meh

      Re: What do you expect

      I agree, and the only way to prevent the hacking..... Get rid of the computers and go back to pen and paper.

    2. Anonymous Coward
      Anonymous Coward

      Re: What do you expect

      They were the over-resourced, led by the corrupt and incompetent, to do the unnecessary for the blindly oblivious

      or something like that.....

      Doesn't surprise me either. But if anything, HB Gary were given carte blanche by their political and corporate sponsors. And yet somehow, they ended up completely pwned as they proceeded to f*k up their mission.

      The Feds and Banksters would have been better off trying to recruit anonymous members directly.

      Amazing how such people can even be considered for security work or counter-intel.

      Team USA really needs to sharpen up its tools before engaging in cyber warfare with the likes of the PLA or the russkies, methinks. Bloody embarrassing

  2. John Smith 19 Gold badge
    Unhappy

    Government con-tractor IT

    Much like every other kind of corporate IT except taxpayers pay for it and more people could end up dead as a result of the leak.

  3. minky

    go home china drone clone

  4. Anonymous Coward
    Anonymous Coward

    I am not shocked they are hacking the US, and if they were not trying I would be more worried!

    I hope the UK is also hacking the US systems on a daily basis, the USA is not to be trusted, they break promises & agreements after they get what they want...

  5. Siberian Hamster

    I don't need no steenkin' title!

    Qinetiq is actually a British company formed from the sale of the old DERA to some of its bosses, though they have been buying up smaller US defence firms for a while.

    The question is were all the hacks confined solely to US operations or were they company-wide?

    1. nuked
      Boffin

      Re: I don't need no steenkin' title!

      No, the question is what was stolen.

      There is a little thing called counter-espionage too.

      1. Pascal Monett Silver badge

        And the answer is, apparently, everything.

        QinetiQ : a study in failure.

        If only it were the only one.

  6. Anonymous Coward
    Anonymous Coward

    Tip of the Iceberg

    How many companies are currently compromised and don't know it?

    How many more have been compromised, but for fear of reputational and financial loss won't disclose it's happened.

    Unless this involves some leak it's happened, or bragging rights by the hackers, very few of these ever come to light.

    However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tip of the Iceberg

      "However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business."

      And doomed to failure when these machines are connected to the internet. Air gapping has its limitations, but it's a damned good start, as is separate systems within the company for separate functions.

  7. amanfromMars 1 Silver badge

    Blaming someone else for one's own lack of ability is a recipe for disaster at an increasing pace

    It may very well be the actuality and reality that the West is no longer top dog in the intelligence gathering/phishing/phorming world. Get used to it ...... for whenever it be true, would an arrogant denial be even more damaging to western national and international security interests, and thus is it to be avoided at any and all cost.

  8. Stevie

    Bah!

    Well, incompetent and corrupt maybe, but the thing about the secretary's PC made me wonder if this wasn't "just" another aspect of the self-jamming bomber radar fiasco from the 1980s, which was engineered purely from the rather extreme rules on compartmentalization that prevent people from different parts of a large project talking to each other, even the military liaisons assigned to the civilian teams.

    Everyone has worked on a project in which different teams did not communicate properly. Now imagine that project if the different teams were prevented from any contact whatsoever other than the original design spec. Now add in modular scope creep and rethinks and stir until there's a loud *snap!* and the smell of frying insulation.

  9. Yet Another Anonymous coward Silver badge

    Congratulations

    On getting any useful information out of qinetiq - we never managed to while working on a joint project with them.

    Not that we wanted to work with them, but anybody doing any sort of high-tech defence project in the UK is 'encouraged' to partner with them. It's fantastic, all the red tape and inefficiency of Soviet era bureaucracy but you get to pay them lots of money.

    1. gollux
      Mushroom

      Re: Congratulations

      In other words, it may have actually been a partner trying to expedite getting the job done.

      Easiest way, hack QinetiQ.

  10. Jim O'Reilly

    Idiots in charge of security

    I assume the idiots in charge were fired

  11. Anonymous Coward
    Anonymous Coward

    Facebook graph search. Thousands upon thousands upon thousands of people publicly list their employment position when such position implies access to sensitive data and probably a TS-SCI clearance. It's not hard for the Chinese to friend some of these people, build minimal trust, then get them to click a link to stealthy unpatched 0-day. A fully patched OS won't matter much.

    As far as how sloppy/lazy/unenforced security controls are, this video is depressing...

    DEFCON 20: An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls

    http://www.youtube.com/watch?v=huM2IrobNg4

    1. Anonymous Coward
      Anonymous Coward

      Situation likely has not changed much either....

      NIST Issues Major Revision of Core Computer Security Guide: SP 800-53 (April 30, 2013)

      http://www.nist.gov/itl/csd/201304_sp80053.cfm

      Things will still go unenforced and people will still be lazy.

  12. Keith Glass
    FAIL

    Gang, I kind of doubt. . .

    . . . .much access to classified nets was had: they're air-gapped. Now. . . . sensitive stuff being sneakernetted over to the "low" side by the vegetables-that-walk-like-men, that I can see (and DID see. . . ) all the time.

    Besides, you don't NEED classified info to get the "merely" sensitive stuff. As noted by others, the state of security on the vast majority of corp nets is a sad, sad joke. ESPECIALLY when Senior Manglement DEMANDS holes in firewalls for preferred apps, admin access on their own boxes, etc. . . We don't NEED the BOFH. . . we have the lusers. . .

    1. Anonymous Coward
      Anonymous Coward

      Re: Gang, I kind of doubt. . .

      Worked in a similar government lab. There were two complete networks, one for normal, one for restricted stuff.

      A few scientists and managers naturally needed access to both so their machines got two network cards (this was the 90s)

      Then the purchasing system was moved to the 'restricted' net for security reasons, which meant every admin/shipping/stores PC needed a connection to both networks - the result was a super restricted network with 500 bridges to the public network

  13. Anonymous Coward
    Anonymous Coward

    HB Gary?

    Seriously, they hired THOSE fools to deal with security? Do they not remember how incompetent they were proven to be? Do they not have Google? Did they also hire Fox, Inc. to deal with security for Henhouse & Co.?

    Yeah, not surprised, just wondering why the idiots at QinetiQ who make decisions like this should be trusted with secrets more readily than the Chinese, Mossad or Al Qaeda?
