Vince Warrington, founder of cyber security solutions specialist Protective Intelligence, explains the measures the defence supply chain must take to combat the growing global threat from state-backed malicious cyber actors.
You are unlikely to have ever heard of the Sea Dragon project, an initiative that came out of a Pentagon programme to adapt existing US military technologies to new applications, and is believed to involve the development of a submarine-launched supersonic anti-ship missile. The US Department of Defense is, of course, tight-lipped about the project, only saying that it is an underwater platform that will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform”. The project budget is around $300 million.
The Chinese government, however, knows all about it.
In early 2018, hackers working for the Chinese government compromised the computers of an unnamed firm contracted to the Naval Underwater Warfare Center. 614 gigabytes of data were exfiltrated from the contractor, covering not only the Sea Dragon project but also data on signals, sensors and cryptographic systems, as well as the US Navy submarine development unit’s electronic warfare library.
Despite the data obviously being of a highly sensitive nature, the contractor had stored it on an unclassified network. To make matters worse, when different parts of the stolen data are combined, they present a serious security issue. Hundreds of systems relating to the US capacity to undertake undersea operations have been significantly compromised. Given Chinese territorial ambitions in the South China Sea and the lack of decent anti-submarine capability in the PLA Navy, this is an area where the government in Beijing would love to dent US capabilities.
The data could easily reveal to Chinese intelligence operatives valuable information regarding the knowledge levels that the US has secured of the electronic and acoustic signatures of the PLA Navy’s submarines, and also expose the distance at which the US can detect the craft. This is certainly useful information to have if you’re thinking of shadowing a US Task Force. Knowledge of an under-development supersonic anti-ship missile not only allows you to devise counter-measures, it could also allow you to replicate the technology.
Of course, any intelligence agency worth its salt is up to the same game. The Chinese, however, are particularly adept – in recent years we know that they have obtained data on the F-35 Lightning II aircraft, the Patriot PAC-3 missile system and the US Navy’s new Littoral Combat Ship. For those in the defence supply chain they represent a significant threat. The US Director of National Intelligence, Daniel Coats, testified to the Senate Intelligence Committee that the vast bulk of Chinese cyber attacks against US industry focus on defence contractors and technology firms that supply the government.
These hacking groups go by many names – Codoso, Iron Tiger, Lazarus/Bluenoroff, Unit 61398 – but they are all classified as Advanced Persistent Threats (APTs). FireEye lists 16 highly active APT groups worldwide, but there are probably many more. Well funded, well organised and with a high level of hacking skills, these groups are willing to play the long game in order to get what they want. They will sit in your systems for years, waiting for the right moment to execute their attacks or quietly exfiltrating data unnoticed. Occasionally these groups will make some noise – it’s believed that Lazarus/Bluenoroff is a North Korean APT responsible for attacking banks via the SWIFT network – but generally they remain as silent as possible.
While information on the Sea Dragon incident is still sparse, it does bear the hallmarks of a group known as APT3. This group is suspected of having links with the Chinese Ministry of State Security, and operates out of Guangdong province. It is typically more sophisticated than its better-known counterpart, APT1 (or Unit 61398), which is associated with the PLA’s General Staff Division.
So what are the lessons here? Firstly, it’s important to realise that any and all parts of the defence supply chain can be targeted by an APT – even the people who maintain your air-conditioning units. Most APT attacks are still initiated through phishing emails rather than directly hacking a network from the outside, so if an APT can gain access to the lower part of the supply chain with weaker security levels, they can then move upwards by appearing to be part of your legitimate supplier ecosystem. So, as ever, your people and suppliers need high levels of education and awareness training on identifying phishing attacks.
Your Security Operations Centre needs to be aware of the threat posed by APTs, and needs the tools to be able to detect anomalous behaviour associated with them. There are a wide range of tools available, and it’s a good idea to run a blend of detection kits to cover as many gaps as possible. APTs are usually adept at a couple of methods of penetration, and tend to be loyal to specific variants of malware, so your SOC needs to be actively scanning for the signatures of known APT malware. Remember, though, that just because you discover a signature in your systems it doesn’t necessarily mean you’re being actively targeted, but your security teams need to proceed with caution.
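The paragraph above describes two things a SOC has to do at once: scan telemetry for the signatures of known APT malware, and avoid treating every signature hit as proof of active targeting. The following script is an added example, not code from the article or from Protective Intelligence. It assumes a simple key=value endpoint telemetry format, a hypothetical indicator set (the hashes and the domain are placeholders, not real APT indicators), and a deliberately simple triage rule: a hit is only escalated when two different indicator kinds for the same malware family appear on the same host; a lone hit is queued for analyst review.

```python
import re
from collections import defaultdict

# --- Constructed indicator set (placeholders, not real APT indicators) ---
IOC_HASHES = {
    "a1" * 32: "HYPOTHETICAL-FAMILY-A",   # 64 hex chars, obviously synthetic
    "b2" * 32: "HYPOTHETICAL-FAMILY-B",
}
IOC_DOMAINS = {
    "update-check.example.invalid": "HYPOTHETICAL-FAMILY-A",
}

# --- Constructed endpoint telemetry in a simple key=value line format ---
# ws-17: known hash dropped to a Temp folder, then a DNS query for a known
#        domain of the same family (corroborated).
# ws-22: the same known hash, but sitting in a quarantine folder with no
#        related network activity (signature present, nothing corroborates it).
# ws-31: an unknown hash, no indicator match at all.
SAMPLE_LOGS = [
    f"ts=2024-03-01T08:12:03Z host=ws-17 event=file_create sha256={'a1' * 32} path=C:\\Users\\j\\AppData\\Local\\Temp\\svc.exe",
    "ts=2024-03-01T08:12:09Z host=ws-17 event=dns query=update-check.example.invalid",
    f"ts=2024-03-01T09:40:11Z host=ws-22 event=file_create sha256={'a1' * 32} path=C:\\Quarantine\\sample.bin",
    "ts=2024-03-01T09:41:00Z host=ws-22 event=dns query=www.example.com",
    f"ts=2024-03-01T10:02:45Z host=ws-31 event=file_create sha256={'c3' * 32} path=C:\\Users\\m\\report.docx",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def match_iocs(events):
    """Return one hit record per event that matches a known indicator."""
    hits = []
    for ev in events:
        family = kind = None
        if ev.get("event") == "file_create" and ev.get("sha256", "").lower() in IOC_HASHES:
            family, kind = IOC_HASHES[ev["sha256"].lower()], "hash"
        elif ev.get("event") == "dns" and ev.get("query", "").lower() in IOC_DOMAINS:
            family, kind = IOC_DOMAINS[ev["query"].lower()], "domain"
        if family:
            hits.append({"ts": ev["ts"], "host": ev["host"], "kind": kind, "family": family})
    return hits


def triage(hits):
    """Group hits by host and decide whether they corroborate each other.

    A host is escalated only when the same family shows up through at least
    two different indicator kinds (e.g. file hash plus domain). A single
    signature hit is real information, but on its own it is queued for review.
    """
    per_host = defaultdict(lambda: defaultdict(set))  # host -> family -> kinds
    for h in hits:
        per_host[h["host"]][h["family"]].add(h["kind"])
    verdicts = {}
    for host, families in per_host.items():
        corroborated = any(len(kinds) >= 2 for kinds in families.values())
        verdicts[host] = {
            "families": sorted(families),
            "verdict": "escalate" if corroborated else "review",
        }
    return verdicts


def run(lines=SAMPLE_LOGS):
    """Parse, match and triage a batch of log lines; returns host -> verdict."""
    return triage(match_iocs(parse_line(line) for line in lines))


if __name__ == "__main__":
    for host, info in run().items():
        print(f"{host}: {info['verdict']} ({', '.join(info['families'])})")
```

On the constructed input, ws-17 is escalated because the hash and the domain corroborate each other, ws-22 only reaches the review queue, and ws-31 produces no hit at all. In a real SOC the indicator sets would be fed from the threat intelligence sources the article goes on to discuss, and the corroboration rule would be richer than two indicator kinds, but the shape of the logic is the same.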
It’s also a good idea to talk to the National Cyber Security Centre. You need to join the NCSC’s Cyber Security Information Sharing Partnership (CiSP) to get information on the latest threats. Yes, it’s a bit clunky and user-unfriendly – but valuable nonetheless. Gain as much threat intelligence as you can, not only from the NCSC but through private intelligence providers. Remember that APTs are essentially government-funded entities (even if some of the hackers who are part of the APT don’t realise it), and therefore operate in a political environment. You need to understand how the geopolitical world affects the cyber world – does a change of government in Angola mean that a Russian APT switches focus from the US defence sector to the UK?
You also need to talk about cyber security, not only internally, but also with your suppliers – and even with your competitors. We need a ‘herd immunisation’ approach to solving the cyber problem – APTs will attack your rivals with the same tools as they attack you, so sharing data on cyber incidents with your competitors is vital, even if it makes your Board uncomfortable. The Financial Conduct Authority in the UK has made great strides in getting financial services firms to talk to each other through their Cyber Co-ordination Groups – we need the same thing to occur in the defence sector.
APTs are here to stay, so you need to be aware of the threat they pose and be ready to combat them. And, of course, make sure you’re not storing classified data on an unclassified network.