Chinese Hackers Comment Crew stole plans of Iron Dome Defense System

Pierluigi Paganini July 29, 2014

CyberESI firm revealed that Chinese hackers members of the Comment Crew group violated the corporate networks of top Israeli defense companies.

Once again a news refers of Chinese hackers, alleged members of the Comment Crew group, who have conducted a cyber espionage campaign. This time is has been reported that the attackers violated the databases of three Israeli defense contractors and stole blueprints for Israel’s Iron Dome missile defense system.
The Israeli Iron Dome is the technology that allows Israel to intercept rockets sent against its territories, it has been estimated that approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict were intercepted with this defense system.
“The U.S. Congress is currently wrangling over legislation that would send more than $350 million to Israel to further development and deployment of the missile shield technology. If approved, that funding boost would make nearly $1 billion from the United States over five years for Iron Dome production, according to The Washington Post.”

An investigation by a Maryland-based cyber security firm ‘Cyber Engineering Services Inc. (CyberESI)’ revealed the disconcerting reality, he also reported that the Chinese hackers accessed plans regarding other other missile interceptors, including drones, ballistic rockets and the Arrow III missile interceptor which was designed by Boeing and other US-based companies.


israel iron dome Comment Crew


In February 2013, the Mandiant Intelligence Center released an interesting report on a large-scale cyber espionage campaign dubbed APT1.  The term APT1 is referred to one of the numerous cyber espionage campaign that stole the major quantity of information all over the world.  After the disclosure of the Mandiant Report the Comment Crew went in the dark, senior researcher at FireEye. Alex Lanstein explained that The Comment Crew was still working undercover after an apparent period of rest.

“They took a little breather, and they started back up,” he said.

Security researchers noted that after the intense activities observed early 2013 the group stopped using its infrastructures and suspended attack the company initially targeted, in reality the Comment Crew group started new campaigns against new and old targets from different infrastructures.

“We didn’t see them take control of any of the systems they had previously compromised,” “They started fresh with a whole new round of attacks.” Lanstein revealed.

The Mandiant’s report blamed the Chinese military unit called “61398” for a series of cyber attacks that compromised 141 organizations in seven years. Experts at Mandiant identified a common pattern for the attacks originated from Chinese sources defining also a series of key indicators for identifying ongoing APT attacks.

CyberESI revealed that the Chinese hackers violated the corporate networks of top Israeli defense companies, including Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems, which were committed for the development of the “Iron Dome” missile shield. The attackers hit the Israeli companies through spear-phishing attacks conducted between October 10th, 2011 and August 13, 2012.
“Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.” reported Brian Krebs in a blog post.
The Comment Crew team maintained a persistent access to the IAI network, which allowed it to steal administrator credentials, implant malware and dump Active Directory data from at least two domains.
The Comment Crew hackers exfiltrated any type of document, including emails and Office documents containing also information about Iron Dome and other sophisticated ballistic projects. Experts at Cyber ESI
identified more than 700 documents that were stolen from Israel Aerospace Industries (IAI).

“All told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB total size — that were exfiltrated form IAI’s network during the compromise. The security firm said most of the data acquired was intellectual property and likely represented only a small portion of the entire data loss by IAI.”

“The intellectual property was in the form of Word documents, PowerPoint presentations, spread sheets, email messages, files in portable document format (PDF), scripts, and binary executable files,” CyberESI wrote in a lengthy report produced about the breaches.

The experts identified a similar attack pattern in the offensive against the company Elisra, a data breach that according to CyberESI began in October 2011 and persisted intermittently until July 2012. 
The worrying aspect of the disconcerting discovery is that the information stolen, once in the wrong hands, could represent a serious menace for Israel and its population.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Iron Dome, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment