Chinese Hackers Breach U.S. Navy Contractors

By Gordon Lubold and Dustin Volz (WSJ)

Updated Dec. 14, 2018 5:09 p.m. ET

Review of cyber vulnerability is ordered after intruders gain access to information about military technology

WASHINGTON—Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, officials and experts said, triggering a top-to-bottom review of cyber vulnerabilities.

A series of incidents in the past 18 months has pointed out the service’s weaknesses, highlighting what some officials have described as some of the most debilitating cyber campaigns linked to Beijing.

Cyberattacks affect all branches of the armed forces but contractors for the Navy and the Air Force are viewed as choice targets for hackers seeking advanced military technology, officials said.

Navy contractors have suffered especially troubling breaches over the past year, one U.S. official said.

The data allegedly stolen from Navy contractors and subcontractors often is highly sensitive, classified information about advanced military technology, according to U.S. officials and security researchers. The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks.

One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials. The hackers targeted an unidentified company under contract with the Navy’s Naval Undersea Warfare Center in Newport, R.I.

The hackers have also targeted universities with military research labs that develop advanced technology for use by the Navy or other service branches, according to analysis conducted by cyber firms as well as people familiar with the matter.

A highly classified initial assessment of the problem that was provided to Mr. Spencer in recent days validates concerns and lays the groundwork for response by the Navy, officials said.

Navy officials declined to say how many attacks had taken place during the 18-month period except to say that there were “more than a handful,” calling the breaches troubling and unacceptable.

“Attacks on our networks are not new, but attempts to steal critical information are increasing in both severity and sophistication,” Mr. Spencer wrote in an internal memo in October reviewed by the Journal. “We must act decisively to fully understand both the nature of these attacks and how to prevent further loss of vital military information.”

Mr. Spencer’s memo didn’t mention China. But officials say that the hacking targets are some that China is interested in, and that hackers also left behind some clues that point toward Beijing.

On Friday, the Navy said Mr. Spencer’s memo “reflects the seriousness to which the [Navy] prioritizes cybersecurity in this era of renewed great power competition so that our Navy and Marine Corps warfighting team can sustain and improve our military advantage over any peer or competitor.”

Chinese officials didn’t immediately respond to a request for comment, but have denied that they engage in cyberattacks.

Though most of the hacking involves the theft of secrets, Navy officials say China also wants to demonstrate it can pose a different kind of threat even if it is unable to engage the U.S. military ship-to-ship or airplane-to-airplane.

“They are looking for our weak underbelly,” said one defense official. “An asymmetric way to engage the United States without ever having to fire a round.”

Cyber fingerprints pointing to China include the remote administering of malware from a computer address accidentally exposed as located in the island province of Hainan, and a documented use of a suite of custom hacking tools shared among known Chinese hacking groups.

U.S. officials also say they have classified sources and methods that make it clear China is responsible.

Tom Bossert, who until April was President Trump’s homeland security adviser, said the Chinese hack the U.S. military and other organizations for various reasons—sometimes to sabotage American systems, sometimes to gather intelligence and other times to gain a competitive advantage by stealing intellectual property.

“It’s extremely hard for the Defense Department to secure its own systems,” Mr. Bossert said. “It’s a matter of trust and hope to secure the systems of their contractors and subcontractors.”

Mr. Spencer’s review comes as the Defense Department has struggled to steer its large bureaucracy toward more thorough digital-security practices and give incentives to its subcontractors to safeguard themselves.

An intelligence official said that subcontractors across the entire military were lagging behind in cybersecurity and frequently suffered breaches that affected other branches.

Senior Pentagon leaders view the military’s acquisition process as inadequately structured to hold contractors and subcontractors accountable for their cybersecurity, officials said.

Mr. Spencer’s review coincides with a broader push by the Trump administration to call out what U.S. authorities say are China’s continuing efforts to steal information from American companies through cyberattacks and on-the-ground recruiting, both for economic gain and military advances.

Chinese hackers stand accused of stealing billions of dollars annually in intellectual property from U.S. businesses, and the Justice Department in recent weeks has announced a series of charges, casting blame on Beijing. More charges against Chinese hackers were expected to be unsealed this week, but have been delayed due to an issue involving declassifying intelligence, a U.S. official said. Investigators are also increasingly confidentthe data breach recently disclosed by Marriott International Inc. was China’s handiwork.

The breaches of Navy contractors and subcontractors have been linked by private-sector cybersecurity researchers to a suspected Chinese government hacking unit, known as Temp.Periscope or Leviathan, that often deploys email phishing schemes to break into computer networks.

The group has been active since at least 2013 and has focused largely on U.S. and European maritime and engineering targets, researchers said.

Temp.Periscope slowed its hacking activity in 2015, around the time then-President Obama and Chinese President Xi Jinping signed a bilateral pact to refrain from economic espionage and amid a reorganization of the Chinese army, according to FireEye , a U.S. cybersecurity firm that has closely tracked the group. Temp.Periscope re-emerged in the middle of 2017, FireEye said.

Senior U.S. officials said in recent weeks that China is no longer abiding by the 2015 accord.

Ben Read, senior manager for cyber espionage analysis at FireEye, said that Temp.Periscope had been one of the most active Chinese hacking groups the firm has observed over the past year. The group has continued to focus heavily on maritime interests during that time while branching out to target other entities that may be strategically significant to Chinese interests in the South China Sea, including Cambodian political organizations, Mr. Read said.

“While they do have a maritime focus, they are kind of a full-service intel organization,” Mr. Read said.

—Robert McMillan contributed to this article.

Write to Gordon Lubold at Gordon.Lubold@wsj.com and Dustin Volz at dustin.volz@wsj.com

Appeared in the December 15, 2018, print edition as 'Chinese Hackers Breach Navy Data.'