Chinese government hackers have stolen more than 600 gigabytes of secret U.S. Navy data from a third-party contractor’s unclassified network, a new report said.
Among the jewels the cyber thieves made off with in January and February are secret plans to outfit U.S. submarines with a supersonic missile by 2020, the Washington Post reported. The blueprints are part of a $300 million clandestine project known as Sea Dragon, the report said, citing unnamed U.S. officials. China’s Ministry of State Security, a non-military spy agency, is said to be the culprit.
So sensitive is the pilfered data that the Post agreed to not report some details of the project for fear the information could compromise national security.
As we’ve seen in other third-party break-ins, this one again involved classified and highly sensitive information stored on a vulnerable supplier’s network. The hackers reportedly zeroed in on an unnamed contractor working for the research and development Naval Undersea Warfare Center in Newport, Rhode Island.
In addition to the missile schematics, China now also possesses material on U.S. signals and sensors, secure communications and parts of the Navy’s cache of electronic warfare documents that could benefit it in disputes over territory in the South China Sea, according to the Post. It’s not known if the stolen data will hamper U.S. efforts to protect its allies in the region.
The Navy and the FBI are reportedly investigating the burglary, including an examination of cybersecurity policies of third-party contractors undertaken by U.S. Secretary of Defense Jim Mattis, the report said. The Pentagon has assessed the damage, officials said.
“There are measures in place that require companies to notify the government when a cyber incident has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” a Navy spokesperson, who declined to provide any details, told the Post.
Locking down third-party networks holding top secret military information is similar to what security experts face protecting critical data in the commercial sector. “Even an entity as highly regulated and classified as the federal government is not immune from the danger posed by third-party vulnerabilities,” said Ruchika Mishra, director of product marketing for Balbix. “It is unfortunately common in the enterprise for third-parties to be the entry points for attackers, so it makes sense that similar patterns would hold true for nation-states looking to breach their adversaries’ cyber defenses.”
The Sea Dragon incident adds to growing government concern over the security of third-party contractors’ networks. Earlier this year, hackers hit a third-party communications system used by at least four U.S. natural gas pipeline companies. In a similar break-in, Russian cyber attackers gained access to U.S. critical infrastructure running nuclear power plants by sneaking into a third-party supplier’s less secure networks.
Five years ago, Chinese hackers stole some two dozen U.S. weapons system designs, including plans for missile defenses and combat aircraft and ships. That incident has been followed by cyber attacks directed at other sensitive military technology. In 2015, China agreed to stop cyber attacks on U.S. businesses, but both countries declined to halt the hacking of military material.