China hacked the US Navy and stole personal information on at least 100K sailors


The US Department of Justice (DOJ) today unsealed charges against two Chinese agents accused of hacking US computer systems between 2006 and 2018. The US Navy was among those successfully targeted.
Personally identifiable information, including social security numbers, names and telephone numbers of at least 100,000 US Navy personnel, was reportedly stolen during the spying campaign. The FBI and the DOJ identified the defendants as Zhu Hua and Zhang Shilong, alleged members of a state-backed Chinese hacking group.

According to unsealed documents:

Over the course of the Technology Theft Campaign, the defendants and their co-conspirators successfully obtained unauthorized access to at least approximately 90 computers belonging to, among others, commercial and defense technology companies and US Government agencies located in at least 12 states, and stole hundreds of gigabytes of sensitive data and information from their computer systems …

According to the FBI’s wanted poster for the group known as Advanced Persistent Threat 10 (APT 10) or Cloudhopper, the group’s efforts were massive: as alleged in the indictment, from at least 2006 to 2018, the defendants conducted extensive global intrusion campaigns into computer systems to steal intellectual property and confidential business and technological information, among other data.

Taken at face value, the information published today tells us that China probably has incredibly detailed knowledge of a large number of US technology secrets.

But what about the personal information of these 100,000 sailors?

Let’s pause for a moment and point out the obvious: at present, there is not enough information to draw any specific conclusions. If the DOJ says this is a case of intellectual property theft (IPT), it is a case of IPT. We are not trying to start a conspiracy theory that the Chinese government has access to top secret information from the US Navy, because it probably doesn’t. It’s the unclassified information that matters to us. Our concern stems from some of the indictment’s statements.

The above pictures are screenshots of the indictment. The images and the parts we have highlighted might seem a bit strange taken out of context. However, we would like to know exactly what data the hackers obtained from the US Navy.

Unfortunately, since the DOJ has not released any further details from the investigation, it is unlikely that we will find out. But even a rough picture would help. In which states were Navy computers breached?

Depending on which computers were hacked and how much data was stolen, there is a possibility that such a prolonged spying campaign could have given China the equivalent of a “remove fog of war, show all units” cheat code.

Let me explain.

The Defense Finance and Accounting Service has an office in Cleveland, Ohio. If you wanted to know when a sailor began and stopped receiving combat pay, this would be the place to hack. US military doctors train in Bethesda, Maryland, where they receive their first orders after graduating from the Uniformed Services University of the Health Sciences. If an opponent wanted to know where support units were headed (and therefore the proximity of those units), spear-phishing a Navy Lieutenant with an MD in Maryland would not be a bad idea.

That’s the rub: we don’t know which facilities were hit, but we know that almost 1 in 3 sailors’ information has been exposed. Let’s not blow this out of proportion, however. You could make a frightening argument for any of the affected states (Connecticut has a nuclear submarine training base; most sailors deploying to the Middle East leave from San Diego, California). The point is that it is quite spooky that none of the major news outlets, nor the indictment itself, mentions any concern about the intelligence that has been stolen.

For more information, TNW reached out to the US Navy. Lt. Cmdr. Liza Dougherty, Navy spokesperson, told us:

The Navy takes any incident concerning personally identifiable information very seriously, and ensures that all affected Sailors are notified immediately when an incident occurs. Due to the ongoing investigations, we are unable to provide any additional information at this time. Until the case is adjudicated we refer you to the Department of Justice for more information.

We asked if she could confirm or deny whether the attack campaign hit Cleveland or Bethesda, but she was not able to discuss the matter further.

And honestly, that’s reasonable. We’re glad she didn’t hand out information just because we asked. It is important that the US Navy keeps its cards close to its chest: when it comes to transparency, the military gets a pass. But if we can’t be sure that the data was nothing more than Navy softball sign-up sheets and the Sailor of the Month shortlist, there’s far more cause for concern than just the ongoing Chinese intellectual property theft saga.

Almost 20 years ago, while I was still in the Navy, I attended a security briefing where an intelligence expert explained how the enemy could use tiny slivers of information to determine troop locations, such as whether a Chaplain had arrived on the base.

We have always been told that “unclassified” information is as valuable to the enemy as top-secret information if it can be used to identify a particular sailor. Imagine what Chinese machine learning specialists could do with Internet access and the personal information of 100,000 US Navy sailors (and whatever additional context that data came with).

Imagine what the Chinese government, and any entity with which it is prepared to share, could glean about the location of the other (roughly) 230,000 US Navy sailors by connecting the dots between them and the 100K on whom it now has information.

If the worst thing that happens is that 100K sailors had their identities stolen by hackers trying to make a buck, and US technology secrets leaked again, that would be bad. Hopefully, bad is all it is.
TNW reached out to the DOJ but received no immediate response.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.