Phishing attack let Unit 61398 spend 4 months installing trojans and keyloggers.
The technology behind Iron Dome, the missile defense system Israel has been using since 2011, was allegedly stolen by Chinese military hackers.
That claim was made by Cyber Engineering Services to Brian Krebs of security news site Krebs On Security, and it identifies Elisra Group, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems as the three defense companies that were compromised during the cyber assault. The perpetrators, Cyber Engineering Services says, are the same ones behind a spate of attacks that have come to light in the past few years, all attributed to Unit 61398, a Shanghai-based arm of the Chinese army. The five Chinese military officers indicted by the US earlier this year for allegedly hacking energy firms in the country also belong to the same unit.
The hacks took place from October 2011, some six months after Iron Dome became operational, and continued up until August 2012. Israel Defense Forces (IDF) has said that many hundreds of rockets fired from Gaza, particularly during the current military operation and a series of clashes in 2012, have been scuppered by the system, which is thought to be one of the most effective missile-defense technologies in the world.
Many of the cyber breaches bear the hallmarks of similar attacks on private corporations or media outlets that we have seen in the past. For instance, IAI was breached through an e-mail phishing attack, reports Krebs On Security, after which the hackers spent four months installing malicious software (including trojans and keyloggers) to expand their reach. Several different systems were analyzed by the hackers as a result of the infiltration, amounting to at least 700 files of 762MB in total. Cyber Engineering Services estimates that those 700 files, in the form of e-mails, PDFs, scripts, spreadsheets and more, represent just a small amount of the total intellectual property stolen by hackers.
Although Iron Dome data was targeted and breached, the hackers also focused extensively on Arrow III missiles, drone technology and ballistic rockets. Joseph Drissel, founder of Cyber Engineering Services, told Krebs On Security that much of this IP does not in fact belong to the Israeli companies. Rather, the firms were obligated to protect it under US government regulations, having been provided with the data from US defense companies, including Boeing.
This could potentially have something to do with why the claims have not come to light until now. A representative from IAI told Krebs On Security that the report—still not publicly available—was “old news” and that all the relevant procedures following the revelation were followed. Nevertheless, it’s not something a private company responsible for the defense of a nation, either in the US or Israel, would likely want to admit to.
It’s not totally clear, however, how Cyber Engineering Services came to point the finger of blame at the Chinese military. Most of the hacks we know Unit 61398 perpetrated have been against the US, but they have equally been directed against private companies, often related to national infrastructure or big industry. The arrests made by the US earlier this year were off the back of a report published by Mandiant, which revealed that the secretive unit had sometimes been inside company networks for years: in one case, four years and ten months.
Iron Dome has a reputation as one of the leading pieces of defense kit in the world, with a number of other countries thought to have either acquired it or engaged in talks with Israel to do so. Further development by Rafael Advanced Defense Systems has led to a teaser for a follow-up system, Iron Beam. While Iron Dome will only shoot down rockets heading for populated areas (using algorithms to instantly identify these) to conserve ammunition, Iron Beam would use a high-energy laser that could respond more indiscriminately, using a thermal radar to track and map all projectiles in range.
This story originally appeared on Wired UK.