Chinese spies spent months inside aerospace engineering firm's network via legacy IT

Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised …

  1. Paul Crawford Silver badge
    Facepalm

    Three of the victim's AIX development environment servers were exposed unprotected to the open internet

    Why, oh, why?

    Had they compromised a VPN to get in at first and found that internally off some obscure almost-isolated dev network there would be an excuse, but public facing?

    1. DS999 Silver badge

      Yeah, that makes no sense. Does the company not have a firewall? Because in any normal company you'd have to go to some effort to connect something to the open internet - it would be some effort to even find the right network device to plug into for that! Then you'd have to set the correct IP/netmask, and ensure it doesn't conflict with an existing device.

      All I can think of is that they had no firewall, and if that's the case they should be barred from ever getting another government contract.

    2. elDog

      Probably because this equipment pre-dated things like firewalls (or at least good modern ones.)

      Remember, this is AIX. And someone twenty years ago needed to figure out how to make the permanent routes to get on the internet. Once they were created and masked off from the rest of the internal networks, they were forgotten.

      1. BristolBachelor Gold badge

        Re: Probably because this equipment pre-dated things like firewalls (or at least good modern ones.)

        Ok, I'll buy all that, but then their network was completely flat with no division/VLANs? They could just skip from there to Windows land and mosey around?

      2. martinusher Silver badge

        Re: Probably because this equipment pre-dated things like firewalls (or at least good modern ones.)

        The notion of a firewall was around 30 years ago and more. It might not be as complex ("sophisticated") as a modern one, but digging into others' machines on a network has been a fact of life since the beginning of interconnectivity. Back then it was merely programmer curiosity and bragging rights, a nuisance rather than malicious, but obviously these days it's more about finding ways to profit from such intrusions.

        "...and the reason why these machines were on a public facing Internet without being protected by a decent firewall was?"

        1. DS999 Silver badge

          Re: Probably because this equipment pre-dated things like firewalls (or at least good modern ones.)

          My first job out of school was working for an engineering company in 1994. They had a firewall, and it wasn't any sort of recent thing that was implemented shortly before I got there.

    3. Eclectic Man Silver badge
      Facepalm

      "John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers"

      It doesn't help that the servers were "unmanaged"

      1. Paul Crawford Silver badge

        Good point. If they were useful somebody should be taking care of them, if not they should have been decommissioned. Or at least network unplugged for a while to see if anybody squeals about a loss of service that nobody documented...

        1. Anonymous Coward
          Anonymous Coward

          Agreed. IME, "decommission" is part of "managed". If done properly, anyway.

          Since the AIX systems weren't, they weren't.

      2. Gene Cash Silver badge

        "AIX admins? What? Those guys were laid off 5 years ago..."

        1. Antron Argaiv Silver badge
          Childcatcher

          You laugh.

          At a former employer, the entire (workers, management, everyone) ASIC design department was laid off at once. A few weeks later, the new HP design workstations arrived on pallets in the empty office area. And sat...until I noticed them and mentioned to a lower level executive I knew from outside work, that if we acted quickly, we might be able to return them for credit.

          'Twas all for nought, as I wound up my time there shortly afterwards and the company crumbled into dust.

      3. Anonymous Coward
        Anonymous Coward

        Not only does it not help, more than likely that was the root (pun intended) of the problem.

    4. Xalran

      If you've ever been involved in hunting down Shadow (and Legacy) Servers in semi to very large organizations, you'll know that unprotected servers on the Internet are more common than everybody thinks.

      While I didn't find any server directly connected to the Internet, when I was tasked to hunt down and put in racks all the Shadow IT that managed to bloom in a $TELCO EQUIPMENT local branch, it took me two weeks to track the hardware, track the person that "owned" said hardware, get it turned off properly and inventoried in order to be put in racks. (It took me several more weeks to have everything put in said racks and ready for being moved to our new office building.) It was 20 years ago... and to this day I'm not sure I caught all the Shadow IT at that time.

  2. Anonymous Coward
    Linux

    Chinese spies spent months inside aerospace engineering firm's network :o

    Did they upload themselves to the network like Neo in The Matrix.

    --

    Microsoft has finally locked me out of my own computer :(

    1. The Oncoming Scorn Silver badge
      Facepalm

      Re: Chinese spies spent months inside aerospace engineering firm's network :o

      You didn't set up a Micro$lurp account instead of a local one did you?

      1. Anonymous Coward
        Anonymous Coward

        Re: Chinese spies spent months inside aerospace engineering firm's network :o

        > You didn't set up a Micro$lurp account instead of a local one did you?

        a. I did nothing. This happened after the last forced update from Micro$lurp.

        c. Cryptographic Services churning the disk at 100%

        d. Cannot run admin tools. “An administrator has blocked you from .. mmc.exe”

      2. Anonymous Coward
        Anonymous Coward

        Re: Chinese spies spent months inside aerospace engineering firm's network :o

        > You didn't set up a Micro$lurp account instead of a local one did you?

        No, this happened after the last forced update from Micro$lurp. “An administer has blocked you from .. mmc.exe”

    2. anonymous boring coward Silver badge

      Re: Chinese spies spent months inside aerospace engineering firm's network :o

      Yes, and it took them months to find a wired, virtual, telephone.

  3. O'Reg Inalsin

    Too early to say it is not, at least partially, an inside job

    Because not all the details are known.

    1. Pascal Monett Silver badge

      Re: Too early to say it is not, at least partially, an inside job

      You missed this part of the article :

      "Binary Defense is due to publish a report on Thursday about the cyber-break-in and lessons learned. "

      If they're already writing up a report about lessons learned, it seems to me that the details are known.

      Maybe not by you, but they are known.

      1. O'Reg Inalsin

        Re: Too early to say it is not, at least partially, an inside job

        After MS failed and somehow allowed a signing key for mail of high-up government officials to be captured, Microsoft reported it was unclear how the threat actor discovered they could take advantage of the issue to forge tokens that worked for both consumer and enterprise accounts, but Microsoft speculates they learned of the capability through trial and error. Probably after stealing a consumer key from an engineer's notebook.

        However, almost 10 months after Microsoft started the investigation, the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) stated there wasn’t any definitive evidence on how the threat actor obtained the signing key, regardless of what Microsoft previously claimed.

        Binary can only report to the depth that their allotted budget allows, and they may or may not be under some pressure to lean a certain way - the aerospace company would probably prefer a simple story offering full closure with nothing dangling. The report is certainly bound to be informative - not necessarily the final word or whole truth.

    2. anonymous boring coward Silver badge

      Re: Too early to say it is not, at least partially, an inside job

      Because hacking into systems from outside is such a rare thing?

      1. Glenn Amspaugh

        Re: Too early to say it is not, at least partially, an inside job

        Do not always attribute maliciousness to what may be easily explained by laziness and general malaise.

        1. O'Reg Inalsin

          Who said "always"? Not me.

          The Binary Defense report says: "These types of oversights are often the result of shadow IT practices where systems are deployed without the knowledge or control of the security team and regularly serve as enticing entry points for attackers. The threat actor exploited the default Apache credentials to gain administrative access, upload a web shell, and establish persistent access through SSH keys and a reverse proxy."

          There is nothing in the report about the history of the system being deployed without the knowledge or control of the security team, including the reason for it being public facing.

          It could have been an accident. It could have been something else.

          Almost all cellphone fraud happens because cellphones are easily hacked through malicious apps. But a few big targets are defrauded through SIM card fraud with the help of low-level AT&T employees. Similar, isn't it?

  4. herman Silver badge
    Devil

    A General Problem

    It sounds like it is a general problem and could be very dynamic or even atomic.

  5. CowHorseFrog Silver badge

    Why does the accompanying graphic behind the story title show Java code for an aerospace company?

    Java is never used for plane software.

    1. diodesign (Written by Reg staff) Silver badge

      No love for Oracle huh

      It's just generic code for a generic illustration. I was gonna change it to something else anyway.

      C.

  6. Anonymous Coward
    Anonymous Coward

    Really?

    Quote: "....aerospace engineering firm..."

    Well.....I suppose SOMEONE out there might want Boeing technology.....

    ......but then again.......................

  7. sedregj Bronze badge
    Childcatcher

    Monitoring

    "The server wasn't compatible with the organization's security monitoring tools"

    So you start off with a port scan from the outside and then inside. Nessus is a couple of grand per year on-prem, or you hire an outfit to do it for you. Other scanners are available. It can use ssh and will work with ksh. AIX has a syslog daemon which can send to a central collector. It has SNMP (Security Not My Problem), so there's that!
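    As an added illustration of the outside-in scan plus central syslog approach the comment above describes (this is example code, not from the article, Binary Defense or any commenter), the script below reconciles scan results against an asset inventory to flag internet-reachable hosts that are unknown, ownerless or outside security monitoring, and then checks forwarded sshd syslog lines for administrative logins arriving from addresses outside the organisation's internal ranges. The scan record layout, the inventory layout, the internal ranges and every address and log line are constructed sample data.

```python
"""Flag unmanaged internet-facing hosts and external admin logins.

Added example; record formats, addresses and log lines are constructed
and stand in for whatever a real scanner and syslog collector produce.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: open ports an outside-in scan saw on public addresses.
SCAN_RESULTS = [
    {"ip": "203.0.113.10", "port": 22, "service": "ssh"},
    {"ip": "203.0.113.10", "port": 8080, "service": "http"},
    {"ip": "203.0.113.11", "port": 22, "service": "ssh"},
    {"ip": "203.0.113.25", "port": 443, "service": "https"},
    {"ip": "not-an-ip", "port": 80, "service": "http"},
]

# Constructed sample asset register: hostname, owner, and whether the host
# reports into the security monitoring stack.
INVENTORY = {
    "203.0.113.25": {"hostname": "www1", "owner": "web-team", "monitored": True},
    "203.0.113.10": {"hostname": "aixdev1", "owner": "", "monitored": False},
}

# Constructed: address ranges the organisation treats as internal (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Accounts whose logins from outside the internal ranges deserve attention.
ADMIN_ACCOUNTS = {"root", "admin"}

# Constructed sshd lines in the shape AIX syslog forwards them.
SYSLOG_LINES = [
    "Jun 12 03:14:07 aixdev1 sshd[4021]: Accepted password for root from 198.51.100.7 port 51234 ssh2",
    "Jun 12 08:02:11 aixdev1 sshd[4099]: Accepted publickey for deploy from 10.0.4.12 port 40022 ssh2",
    "Jun 12 08:05:43 aixdev1 sshd[4102]: Accepted password for admin from 10.0.4.12 port 40031 ssh2",
    "Jun 12 09:30:00 aixdev1 sshd[4150]: Failed password for root from 198.51.100.9 port 51300 ssh2",
]

SSHD_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    reason: str


def classify_exposure(scan_results, inventory):
    """Return one Finding per (exposed service, problem) pair."""
    findings = []
    for rec in scan_results:
        ip = rec["ip"]
        try:
            ipaddress.ip_address(ip)   # drop garbage rows from the scan output
        except ValueError:
            continue
        entry = inventory.get(ip)
        if entry is None:
            findings.append(Finding(ip, rec["port"], rec["service"], "not in inventory"))
            continue
        if not entry["owner"]:
            findings.append(Finding(ip, rec["port"], rec["service"], "no owner recorded"))
        if not entry["monitored"]:
            findings.append(Finding(ip, rec["port"], rec["service"], "not security monitored"))
    return findings


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_admin_logins(lines):
    """Return (user, ip) for successful admin logins from outside internal ranges."""
    hits = []
    for line in lines:
        m = SSHD_ACCEPT_RE.search(line)
        if m and m["user"] in ADMIN_ACCOUNTS and not is_internal(m["ip"]):
            hits.append((m["user"], m["ip"]))
    return hits


if __name__ == "__main__":
    for f in classify_exposure(SCAN_RESULTS, INVENTORY):
        print(f"{f.ip}:{f.port}/{f.service}: {f.reason}")
    for user, ip in external_admin_logins(SYSLOG_LINES):
        print(f"admin login for {user} from external address {ip}")
```

    Run stand-alone it lists the ownerless, unmonitored dev box and the host missing from the register, then the root login from outside the internal ranges; a failed login is deliberately not counted, since the point is to surface accounts that actually got in on systems nobody is watching.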

  8. MachDiamond Silver badge

    Doesn't matter

    From a top view, data was accessible from the internet with little protection and no intrusion detection. The technical reasons don't make any difference and a proper IT department should be looking for this sort of thing with legacy hardware and find a way to section it off if it can't be shut down altogether. Of course, that means funding allocated from higher up. If the higher ups can't be bothered, they should be forcefully dis-employed from the company and re-employed making license plates in a highly supervised facility and the retraining funded by their assets. Either that or prohibited from ever working in a company that supplies products and services to government and the company shut down behind them (the corporation taking blame in its own "person").

    There has to be a downside to being sloppy with sensitive information. Until there is, companies and their management won't bother since it could cost money and maximizing value for the shareholder is job one. The definition of shareholder is senior management.

  9. Sceptic Tank Silver badge
    Black Helicopters

    I better not touch cuz your .docx are venomous Poisson

    Seems like nobody read The Fourth Protocol. (Can't remember if it was used in The Day of the Jackal even though that is pretty much the same plot). The next time they tried to break in they should have been redirected to a directory with feasible-looking but utterly useless content (possibly real Boeing designs, as mentioned before) to poison their haul of gathered intelligence.

  10. cantankerous swineherd

    looking forward to an article about American spies, if the d notice committee would be ok with that?
