US Defense Contractors and Universities Targeted In Cyberattacks

Trailrunner7 writes, quoting Threatpost: "Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies, universities and defense contractors. The attacks are using highly customized malicious files to entice targeted users into opening them and starting the compromise. The attack campaign is using a series of hacked servers as command-and-control points and researchers say that the tactics and tools used by the attackers indicates that they may be located in China. The first evidence of the campaign was an attack on Digitalbond, a company that provides security services for ICS systems. ... In addition to the attack on Digitalbond, researchers have found that the campaign also has hit users at Carnegie Mellon University, Purdue University and the University of Rhode Island."

Re:

[fluffythedestroyer]

That was meant to be funny you idiot

This is news?

[Anonymous Coward]

This is absolutely nothing new

Re:This is news?

[s.petry]

That is correct. 5 years ago I worked at a Defense contractor and we had a carefully crafted spear phishing attack. The hackers learned that Company "doe" did the support for IT for most of their IT. The group created a "doesupport.com" domain, and stole company logos from "doe.com". A fake site was crafted, and honestly looked pretty legit. They even had someone that knew English do the wording. The problem was, with all that work they had a username and password dialogue box on the site, and our users were warned about this type of attack every day. We had 1 user out of about 6800 log in to the site, and more than 2800 tickets from users reporting the suspected site.

The site was in the US, but traced it's roots to China. Interesting how fast this gets found out when Government is involved.

Obviously "doe" is a fictional name to protect both the contractor and support people.

Defense contractor and phishing attack ..

[dgharmon]

"5 years ago I worked at a Defense contractor and we had a carefully crafted spear phishing attack .. A fake site was crafted"

A Defense contractor that can be compromised by a click-and-download-this-executable hack shouldn't be in the defense industry.

Re:

[s.petry]

I'm not sure you understand the complex nature of these attacks. These are not simply fire and forget executable files, like you see in your email constantly from script kiddies. There are few, if any, executable files involved initially. They are more after usernames, passwords, and network information. From their, they can launch more sophisticated attacks trying to gain access to network components, etc... and do more targeted phishing and attempt to send files.

When files are sent, these again are no

Re:

[FhnuZoag]

My suspicion is that this is basically observation bias in action. Every public system on the internet in every country is subject to a constant barrage of low level email driven malware, these days. We only hear the reports of the universities, IT security companies, and government services, because these are the only folks with enough security consciousness and enough to lose to notice it, and who are worth writing news articles about. This doesn't mean a particular attack is targetted, or trying to accom

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[s.petry]

You forgot to mention Vietnam in that. Estimates put the Chinese casualties at far greater numbers than North Vietnamese troops.

Re:China

[C_amiga_fan]

Not really the same government.

The China of the 50s and 60s was hardline communist (and killed ~60 million of their own people). Since that time China has experienced the Tienamen Square uprising & moved towards European-style socialism (free market capitalism + government safety nets). No longer following the same policies as the 50s/60s-era government.

Besides: It is not to their advantage to start killing their customers.

Re:China

[s.petry]

You are making a massive leap in logic. If we opened a war with North Korea for example, I think you would find that even if it did not do so openly, China would be sending in lots of troops. The regime is not the only difference between now and the Vietnam/NK war times. There is also no open war in the area, which makes probably more difference than who is currently in power.

Re:China

[s.petry]

Since we have such a closed government now, and many other countries are following the same exact tight lipped policies let me ask a few questions.

Syria, how many foreigners are involved? We simply don't know, and obviously we won't know. I think we both know that the US, China, and Russia are all involved right? Just how much and who becomes the question. Is Russia simply supplying arms? Or are they also manning gunships in "Police" action? (Just like the US does mind you)

How many Iranians are involved in the constant fights still going on in Iraq and Afghanistan? Pakistanis? Again, we don't know.

These are small conflicts at this point, the US made sure that the actual war was over very quickly. If this was a longer war, would more troops from more countries be involved? Historically the answer is a resounding "FUCK YEAH!"

The more open the conflict, the more apt there will be for people to send in soldiers. It's a simple game in politics that is universally played. Everyone want's their interests interjected on the other side. If that was not true, why would we have wars in the first place?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[C_amiga_fan]

Are you saying Pakistan is a "bad friend" and proof of China's shittiness? Well WE are friends with Pakistan. What's that say about us?

Americans have killed more people in the last decade than any other country. 300,000 dead and about 2 million casualties with permanent disabilities (blown off arms, jaws, legs). What does THAT say about us? Speaking strictly as an observer I'd say China, the EU, even Russia look better.

Re:

[FhnuZoag]

If you paid attention to the news, the doctor was charged with treason for providing medical assistance to radical islamists.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[shentino]

How many people were killed per capita by the chinese?
By the chinese government?

ditto for america and iran.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[BlackSnake112]

How many Chinese people come to the US as students and do not want to go back?

Odd thing is out of the Chinese students that I know about 99% of the women want to stay. It is a little over 50% for the men. Small sample about 140 (90 men 50 women) people but still odd to me.

Re:

[Anonymous Coward]

The unofficial estimate for Tibet is about half a million deaths. But since no visitors are allowed in, I guess you can easily claim that's a lie. The difference I see is that the US publicly faces the suffering it has caused, and its people are forced to consider their country's actions. While China, with its government restricting the movement of even its own citizens, and disallowing any reporting contrary to their narrative, has perpetuated a society without a sense of introspection. What this tells me

Re:China

[MrLizard]

How many Chinese have been killed by other Chinese? (Google "Great Leap Forward" and "Cultural Revolution")

(Of course, you can point out that Americans kill Americans in mass numbers -- the Civil War,and, of course, the entire process of claiming the continent from the natives.. but then you can also compare Chinese civil wars and various ethnic clashes at those points in history, as well. Pick a century, and line 'em up, and see who is more brutal. (Answer: Probably no one to any meaningful degree, because we're all human, and thus, we all pretty much behave the same way over a span of time. You can always cherry-pick a decade or two where one culture was unusually peaceful, or pick a small or isolated subculture, but the longer you stretch the timescale or widen the definition of 'culture', the more it becomes obvious that we're not a peaceful species.))

Re:

[readin]

How many Americans have been killed by Chinese?

About the same as the number of Americans killed by the Japanese in 1940.
Or the number of Jews killed by the Germans in 1935.
Or the number of Chinese killed by the Japanese in 1930.

A belief in racial superiority.
A belief that their finally taking their rightful place as a world power.
A resentful belief that the race had been held down due to malevolent forces (Jews, Colonialism).
A stated aim to "unify" with others of the same race (whether those others want to unify or not).

All they need now is a b

Re:

[FhnuZoag]

The western right wing has the exact same beliefs.

Re:

[readin]

There are a few fringe groups in the west with the belief in racial superiorty. However they don't have the other beliefs.
What is the western equivalent of Wang Leehom's "Descendants of the Dragon"? - a hit song by a famous singer celebrating a particular race? What is the western equivalent of China's desire to annex Taiwan - by blood and death if necessary?

Re:

[FhnuZoag]

1. A belief in racial superiority.

Numerous studies have shown a sizeable minority to potentially a majority of the US Right is categorically racist. It's completely mainstream to hold that the US is superior to the arab, and to the african. Notice the prevalence of the 'they are outbreeding us' argument, which outlines clearly the racial eugenics tinge to that whole belief.

Moreover, race isn't the only thing that creates aggressive jingoistic nationalism. Religion is pretty good too.

2. A belief that their f

it's time to start subsidizing chip makers

[Anonymous Coward]

... if we aren't making our chips here, how can we ever expect to be able to secure our milatary secerets? I hate how goverment subsidies to an industry are pretty much impossible to repeal after they are created, but national security should genereally take front stage.

Re:

[BlackSnake112]

IBM.

If IBM had been allowed to make CPUs for desktops/laptops there would never had been Intel. Well Intel would have been a lot smaller due to IBM ruling the market.

I am guessing that if the shit does hit the fan, IBM may be allowed to do something. At least for government systems.

Cyberweapon Proliferation

[Anonymous Coward]

When we start using cyberweapons against people without constraint and then post a whole bunch of articles about how cost effective it is, other nations see that as a reason enough to use them against us. Most states cant afford enough money to build $35 million dollar fighter jets or spy satilites, but can slip some script kiddies a few bucks to send out some spam with exploits in it.

Biggest Change

[Papa Legba]

This is low level Cyber warfare and its starting to ramp up. this is like the introduction of planes in WWI. At first they waived at each other on their scouting mission. then someone brought a pistol, then a rifle. Then it was gunners and machineguns until we get the Red Baron and Fighter Aces. Next thing we know its jet Propulsions and heat Seakers, Stealth fighters launching! Make no mistake, Stuxnet was the First pistol at 1000 feet, what comes next no one can guess.

what is obvious is that Information Assutrance is no longer a support service, somewhere behind tech support and first to be cut, IA is now a front line warfighter task. Lets just hope the bean countes realize in time!

Re:

[Anonymous Coward]

Sure we can guess, because it's just the same goddamn hacking methods. The only new thing that'll obviously change is the quality and complexity of the malicious software - like more intelligent worms/trojans/botnets/whatever. Stuxnet wasn't the first pistol, it was the first heat-seeker.

Re:

[Anonymous Coward]

For some time, Chinese hacking has been the "landwar in Asia" tactic. Lots and lots of units in the field. When you have 30,000 longbowmen, it really doesn't matter how good their aim is, as long as they can fire quickly and in roughly the right direction a lot of people are going to be hit by arrows. Much of their hacking has been the same, sacrifice accuracy for quantity and get results.

The USA has (for quite some time now) preferred the "sniper" model. Small groups, low profile, and then someone fall

Re:

[plover]

Stuxnet wasn't a virus designed to spread until it found Natanz and then attack it. That would have been noticed much earlier. Stuxnet was deployed inside the air-gapped systems of Natanz, and was only detected after it escaped containment and began to spread.

That's the sniper using a ghillie suit and flash suppression, hiding in a marsh. Sounds like the USA's m.o.

Re:

[Beardo the Bearded]

Make no mistake, Stuxnet was the First pistol at 1000 feet, what comes next no one can guess.

Year 3021: Buffer over-run exploit used to gain access to global defence grid

Re:

[couchslug]

People don't care about Security until they get hurt.

I see these attacks as useful to coerce a defensive response. Evolutionary pressure FTW!

Re:

[jxander]

But then how will I play Diablo??

Re:

[lgw]

UNPLUG THE DAMN INTERNET CABLE!

You can rest assured that Three Letter Agencies have that aspect covered (and of course the important shit has its own internets). A power cutoff device to drop all outside connectivity for-damn-sure is pretty normal in such datacenters.

Local governments, however, are a different story. If these attacks go from information collecting to causing mayhem, the first attack will get quite ugly. The somone will sell a buttload of remove power cutoff boxes, and that threat will end (well, except for the inevitab

Re:

[plover]

The most recent theory is the Natanz system was most likely infected on the non-Internet side of the facility by software planted an agent. The Internet cable was not plugged in until long after the damage was done.

There was no simple defense, no easy prevention when the attackers are the IDF and you've both announced "death to Israel" and are enriching uranium.

I am outraged!

[busyqth]

How dare China try to hack another country's computers, infect them with malware, and otherwise snoop on us!
Only a ROGUE STATE would do such a thing!!!

Re:

[k6mfw]

Yeah, like when we want to learn activities of foreign countries, we employ intelligence agents. When they do the same to us, we accuse them of using spies.

So what? ? ?

[sgt_doom]

They offshore all the jobs, all the technology, all the R&D work and the investments there, so who gives a rat's ass?????

No offense, but posts like these are nonsensical --- or maybe propaganda for the next war by design?????

So maybe the blog poster should contact Boeing (Narus), Packet Forensics, and all the other sleazoid American corporate whores about selling them all that surveillance tech, huh???

And please let us never forget about Jerry Yang and his Yahoo crimes (we've heard of one, but that

Sounds like...

[eternaldoctorwho]

...they need to stock up on copious amounts of gold to stave off the cyberarmy, or else be "deleted".

Things Willie Sutton Never Said.

[bmo]

FTFS: "Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies, universities and defense contractors."

While Willie Sutton never actually said "that's where the money is" when it came to robbing banks, the truth in general about that statement couldn't be more apropos regarding this situation.

Data=Wealth.

--
BMO

I would just like to point out...

[Brewster Jennings]

If you are a defense contractor doing IT and you're clicking on random .exe files in your email, you may want to consider another line of work. I mean, to be honest, your users shouldn't even be able to run them, or send them over the company e-mail network.

That's why we have administrator-level access and ultra-restrictive GPOs in the first place, right? In the hopes that the few people who can actually do damage to computers and servers aren't monkeys banging away in the hopes of producing Shakespeare?

As a final note, I would like to point out that ending my post with a question mark makes it seem more poingant and totally deserving a five. Except I spoiled it. Crap.

Re:

[jxander]

Crap.

Or is it?

Except

[frankgerlach11]

...that it is NOT *.exe attachments. These days are long over. Attackers use PDF or MS Office documents attached to emails. So you are Wally Blacksmith of Killcorp Inc. Your job entails developing novel radar systems. One nice, sunny morning you get a nicely worded email about "Innovations in low-observable Radar" and it writes about a conference in Napes, Italy. The sender appears to be james.smith@britishradar.com. So you can't wait to see that the brits are up to an you click on that PDF. Acrobat Reader

Re:

[FhnuZoag]

Except that if you RTFA, it is.

"The attack begins with a spear phishing email sent to employees of the targeted company and containing a PDF attachment. In Digitlbond's case, the file is called "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" and when it's opened, the file installs a Trojan downloader called spoolsvr.exe."

If you are running an unsolicited attachment called blah.pdf.exe and ignoring the windows authorisation message that pops up, then why the hell are you providing IT secu

"Cyberwar" is bullshit

[David Gerard]

If "cyberwar" was actually a real threat they cared about, they would shift to Linux and thin-client desktops forthwith. Hell, they could get more government money for doing so. "It's for security!" That they are not doing so shows that this is not a real threat, but trumped-up nonsense to try to look like there's a problem. Which they need more money to deal with.

What's the name of the Targeted Operating System?

[dgharmon]

"Researchers have identified an ongoing series of attacks, possibly emanating from China, that are targeting a number of high-profile organizations, including SCADA security companies

Just who in their right minds connects a SCADA unit directly to the Internet. Lets have a contest too see how long someone can write about Internet security without once mentioning Microsoft Windows.

"In Digitlbond's case, the file is called "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" and when it's opened, the file installs a Trojan downloader [threatpost.com] called spoolsvr.exe "

Re:

[antifoidulus]

And the sad thing is that due to incompetence and/or greed, the DoD not only permits Windows on its networks, it actually ENCOURAGES it. Many of the security reqs are written such that only Windows can really do all them(basically they throw in some pointless shit that only windows does but doesnt offer any security and call it a major issue). The PLA really should write Redmond a thank you letter for writing such shitty software then lobbying the hell out of the people in power to get it installed everyw

Technology Solutions

[frankgerlach11]

Before I am going to elaborate, yes - technology will be only part of the fix. But technology will be a major part of better security ! Here is my list of security technologies:

Sandboxing:Google Chrome's Sandbox is an excellent example of how to limit damage from faulty code. Much more could be done by using this approach in many other file formats and use cases. Other interesting approaches are AppArmor, SE Linux and Linux Security Modules in general.

Formal Proofs:The problem with sandboxes and operati

Thats impossible!

[Billly Gates]

The DOJ uses IE 6 and SP2 which stopped receiving security updates only 2 years ago!

How could this possibly happen?

just Some Emails destined to random suckers

[ipduh]

made it to ppl who know one thing about trojans and security. I love how he explains that "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe" installs spoolsvr.exe ... this email would not even make it to someones mailbox and if the email makes it and that someone is a "programmer" or "security expert" and did not understand that this is most probably a trojan then .... f*c|$ "Attacks Targeting US Defense Contractors and Universities Tied to China" is a really bad title