Chinese Spies Spent Months Inside Aerospace Engineering Firm's Network Via Legacy IT (theregister.com) 15
The Register's Jessica Lyons reports: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer. It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.
This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.
After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.
"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems â" assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]
This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.
After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.
"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems â" assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]
You Know (Score:3, Interesting)
One night America looked up and saw Sputnik. Twelve years later Neil Armstrong was standing on the moon.
China tied our economy to a piss-soaked motel bed thirty years ago and has been ramming her good and hard ever since.
One wonders if one day we'll stop firing people long enough to do something about it.
Re: (Score:2)
Re: (Score:2)
But, but, firing people is "doing something"! Not "about it", but definitely doing something! That has to be enough, right? Right?
Re: (Score:2)
Re: (Score:3)
One night America looked up and saw Sputnik. Twelve years later Neil Armstrong was standing on the moon.
China tied our economy to a piss-soaked motel bed thirty years ago and has been ramming her good and hard ever since.
No. I mean, I dislike a lot of things about China, but we can't blame them for what our leadership and our business leaders did to the economy. The economy was like a bored housewife who went looking for funsies. She found a piss soaked mattress, then tied herself to the bed in hopes of getting rammed. And hey, guess what? She's gettin' it good and hard. She got exactly what she wanted.
What I'm trying to say is that at some point America, my country, needs to start accepting responsibility for being massive
Default credentials? (Score:4, Insightful)
I mean with that, the defenders are not even trying. What is this, "Who has more laughable IT security?"
Also note that even a halfway competent exposure test (not even a full pen-test), which you can get for something like $3000 or cheaper, would have found this.
1985 (Score:2)
Re: (Score:3)
It does something important. Nobody remembers what.
Re: (Score:3)
Re: (Score:2)
Came here to ask this.
It's rather obvious whom they are talking about.
shadow IT or just left over stuff that did not fit (Score:2)
shadow IT or just left over stuff that did not fit into some newer tracking system?
Also how do manage threat detection on legacy services that can't run monitoring software and maybe can't be walled off that well due to older legacy software.
Vault7 (Score:3)
Yeah, China, like the cia can't make it look like it is China...
Collect your payoff for anti-China lies (Score:2)
Obvious attempt to claim anti-China pay from the US government.