Military contractors for the US Transportation Command were breached by hackers associated with the Chinese government at least 20 times in one year, according to a report released Wednesday by the US Senate Armed Services Committee.
The committee’s investigation identified gaps in cyber-incident reporting requirements at the US Transportation Command (TRANSCOM), which is responsible for moving US troops and equipment, including to and from war zones.
TRANSCOM was only aware of two of the breaches, even though the FBI and US Department of Defense were aware of 11 of the 20 successful cyber attacks, revealing a lack of information sharing between agencies.
The TRANSCOM contractors include US commercial airlines and shipping companies, although the Senate report did not identify which companies were breached.
Preparation for cyberwar?
Among the investigation’s findings was a Chinese military intrusion in 2010 of a Civil Reserve Air Fleet (CRAF) contractor in which “documents, flight details, credentials and passwords for encrypted email were stolen.”
The report said the CRAF is made up of contractors who do little business with the US military during peacetime, but may be called upon to rapidly deploy military assets during times of crisis.
Loss of data at CRAF contractors could potentially compromise US operational readiness, the report said.
Sen. Carl Levin, chairman of the investigating committee, said the intrusions into the contractors’ networks were a sign of “China’s aggressive actions in cyberspace.”
A China Foreign Ministry spokesman called the report “groundless.”
“We urge America to stop criticizing China irresponsibly,” the spokesman said, according to the Wall Street Journal.
The US Department of Justice earlier this year identified cyber-espionage by members of the Chinese military, indicting five People’s Liberation Army officers on charges of breaching the networks of US metals and energy companies in order to steal trade secrets.
Canada has also accused China of cyber-espionage targeting the country’s main science and technology research body.
Big fish, little fish
Attacking contractors is a method hackers frequently use to gain access to information that can help them climb the food chain to attack larger companies.
As evidenced by the attack on Target last year, which reportedly exploited remote desktop access tools to steal network credentials of a Target HVAC vendor, a company’s security is only as good as the security of anyone with access to its network.
As Naked Security writer John Hawes observed in an article about the US Department of Defense’s belated steps last December to ensure security standards of private sector companies doing business with the military:
Everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.
Whether it’s a matter of national security, or the privacy of information we share on websites and via mobile apps, whenever we share our data, we are putting our security in the hands of others.