Hackers from the Chinese Ministry of State Security who broke into the systems of a contractor working for the U.S. Naval Undersea Warfare Center stole 614GB of sensitive information, including plans for a supersonic anti-ship missile to be launched from a submarine.
The hacks, which occurred in January and February, according to a report in the Washington Post, yielded details on the Sea Dragon missile program, which was created in 2012 to adapt existing military technology to new uses.
“We saw a similar attack when the Dragonfly group gained direct access to the U.S. power grid through a vulnerable third party. That makes two significant, successful breaches targeting highly sensitive materials that have occurred through third parties,” said Fred Kneip, CEO, CyberGRX. “It's an effective approach because large organizations have thousands of contractors, vendors and suppliers that they interact with – and any one of them could be the way in.”
The breach demonstrates that “even an entity as highly regulated and classified as the federal government is not immune from the danger posed by third-party vulnerabilities,” said Ruchika Mishra, director of product marketing for Balbix, who concurred that since hackers commonly use third parties as entry points, “it makes sense that similar patterns would hold true for nation-states looking to breach their adversaries' cyber defenses.”
The Pentagon and the FBI are investigating the breach.
“There are measures in place that require companies to notify the government when a ‘cyber incident' has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” the Post quoted Navy spokesman Commander Bill Speaks as saying. “It would be inappropriate to discuss further details at this time.”
Kneip noted that “the same methods hackers are using to access classified military information are being used every day to access commercial assets – and the only way to prevent it is through a more collaborative approach to understanding risk exposure.”
Mishra said security pros at any organization “must be absolutely clear about the relative values of all its assets and, with that context, implement solutions that enable it to prioritize its defenses and proactively address vulnerabilities that would put them at risk before they become entry points for attackers.”