Threat Research Blog

Putting TRANSCOM in Perspective

Today, the Senate Armed Services Committee released information indicating that China-based threat actors were heavily targeting TRANSCOM, the U.S. military’s logistics arm. In terms of the private sector contractors impacted, the intrusions detailed in the Levin report mirror activity FireEye has observed: we frequently see nation state threat actors target not only government, but also private sector organizations in order to obtain military intelligence.

Why Pursue Military Secrets?

FireEye believes that China-based threat actors are primarily motivated to compromise the defense industrial base (DIB), both private defense contractors and government agencies, for data theft in order to:

  • Steal intellectual property and proprietary information capable of providing the government with a military advantage and assisting the country in reaching its goals for military modernization. The Chinese government likely could use information stolen from the DIB to assess U.S. military capabilities and to indigenously develop comparable products (as well as, possibly, the means to counter them effectively). This may also offer the government a way to circumvent U.S. security restrictions and other export controls and obtain technologies that it is otherwise unable to purchase from the U.S. and its close allies.
  • Gain an economic advantage in the global arms market, as the government would be able to indigenously develop and then sell new and highly valued technologies. Using stolen blueprints would also allow the Chinese government to increase its market competitiveness, as it would be able to skip the research and development process and thus sell the same products at a lower price.

Threat Actors and Targets

We have seen more than 20 unique threat groups (including almost all the China-based APT groups that we track) that have compromised corporate networks in the Aerospace and Defense industry, particularly the following subsectors:

  • Aerospace & Defense Parts Wholesalers
  • Aerospace Products & Parts Manufacturing
  • Aircraft Engine & Parts Manufacturing
  • Guided Missile & Space Vehicle Manufacturing
  • Industrial & Military Computer System Manufacturing

Common data theft includes:

  • Personal Documents
  • Research Reports
  • Organizational Charts and Company Directories
  • Testing Results and Reports
  • Product Designs/Blueprints
  • Business Communications
  • Production Processes
  • PII
  • Budget Information
  • Safety Procedures
  • General Proprietary Product or Service Information
  • Equipment Maintenance Records and Specifications
  • System Log Files

While TRANSCOM attributed all 20 intrusions that it classified as “advanced persistent threat” to China, it’s important not to lose sight of the fact that China is not the only player in this game:

  • We have also observed suspected Russia-based actors target a defense technology company, and in Operation Saffron Rose we saw an Iranian group target U.S. defense contractors in addition to members of the Iranian opposition.
  • We’ve also seen a number of regional conflicts, such as India-Pakistan, play out in the cyber arena, and we are seeing indications that Middle East-based hackers are tuning their skills and posing an increasing nuisance to companies around the globe.

Multiple threat groups appear to have a firm understanding of the Aerospace and Defense supply chains, including the relationships between organizations and specific projects in the industry. In multiple instances, cyber espionage groups have targeted information about specific projects across several companies. Similarly, we have observed threat groups target the entire Aerospace and Defense manufacturing production cycle, from research and development through testing and production, all the way to product launch.

Defense contractors are not the only parties affected by military intelligence collection. We have also seen relatively small companies—for example, technology companies that produce products for both military and consumer applications—hit by probable nation-state threat actors, who appear to be collecting intelligence on the companies' relationships with adversary military organizations.

The intrusions at TRANSCOM and its contractors resulted in data theft, but it’s important to note that data theft is not the only possible outcome of a breach. It’s also possible for threat actors to modify data once they have access to it, or even to destroy data, as they did in the case of Saudi Aramco. They may also establish a foothold to ensure continued access to victim networks for future use, or conduct reconnaissance for possible future operations.

Lessons from TRANSCOM

Of the 11 contractors impacted, eight said they were not aware of any threat activity occurring during the period in question. This hearkens back to a mantra we have at FireEye: it is not a matter of if an enterprise will be breached, but when. It is therefore critical that organizations prepare for the inevitable breach by monitoring for signs of an intrusion, sharing intelligence with industry peers, and having a strong incident response plan in place. In addition, freer intel sharing—among government entities, as well as across the threat intelligence community writ large—can contribute to better preparedness and a more effective defense against cyber threats.