China Cyberspies Outwit QinetiQ in a Massive Theft of US Military Secrets

Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye-popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East.

Former CIA Director George Tenet was a director of the company from 2006 to 2008 and former Pentagon spy chief Stephen Cambone heads a major division. Its U.K. parent was created as a spinoff of a government weapons laboratory that inspired Q’s lab in Ian Fleming’s James Bond thrillers, a connection QinetiQ (pronounced kin-EH-tic) still touts.

QinetiQ’s espionage expertise didn’t keep Chinese cyberspies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed.

“We found traces of the intruders in many of their divisions and across most of their product lines,” said Christopher Day, until February a senior vice president for Verizon Communications Inc. (VZ)’s Terremark security division, which was hired twice by QinetiQ to investigate the break-ins. “There was virtually no place we looked where we didn’t find them.”

‘Major Embarrassment’

The lengthy spying operation on QinetiQ jeopardized the company’s sensitive technology involving drones, satellites, the U.S. Army’s combat helicopter fleet, and military robotics, both already-deployed systems and those still in development, according to internal investigations. Jennifer Pickett, a spokesman for QinetiQ, declined to comment as part of a general policy not to discuss security measures.

“God forbid we get into a conflict with China but if we did we could face a major embarrassment, where we try out all these sophisticated weapons systems and they don’t work,” said Richard Clarke, former special adviser to President George W. Bush on cyber security.

The spies’ trail at QinetiQ begins in late 2007, and so do the company’s mistakes. QinetiQ’s travails are documented in hundreds of unvarnished e-mails and dozens of reports that were never meant to be public, part of a cache that was leaked in 2011 by the group Anonymous after it hacked HBGary Inc., a Sacramento-based computer security firm hired by QinetiQ the previous year.

Team Outmaneuvered

The e-mails and reports are authentic, according to former HBGary executives and Day. Day agreed to an interview limited to the investigation’s findings because the documents had already become public.

By reviewing the documents with security experts and interviewing more than a dozen people familiar with the QinetiQ breaches, Bloomberg News reconstructed how the hackers outmaneuvered QinetiQ’s internal security team and at least five companies brought in to help salvage the situation.

Headquartered in a glass-and-steel office tower in McLean, Virginia, QinetiQ’s U.S. subsidiary is a boutique arms maker, less than one-tenth the size of industry giants like Lockheed or Northrop Grumman Corp. (NOC). It has specialized in fields expected to grow as the rest of the Pentagon budget shrinks, including drones, robotics, software and high-speed computing. A 2012 want ad for QinetiQ’s Albuquerque facility solicited a programmer to work on a “satellite-based global monitoring system” and limited candidates to those with top secret clearances.

Stolen Data

In December 2007, an agent from the Naval Criminal Investigative Service contacted the company’s small security team and notified them that two people working in McLean were losing confidential data from their laptop computers, according to an internal report. The agency had stumbled upon the stolen data as part of another investigation and the alert was a courtesy.

The San Diego-based agent didn’t provide the identity of the hackers, who had been tracked by U.S. intelligence since at least 2002, or the crucial -- but classified -- fact that they were hitting other defense contractors. The company wouldn’t find out who its attackers were for two more years.

QinetiQ put strict limits on the investigation.

“They just felt like it was this limited little thing, like they’d picked up some virus,” said Brian Dykstra, a forensics expert based in Columbia, Maryland, whom QinetiQ hired to conduct the investigation.

Security Holes

More investigations uncovered more security holes. In 2008, a security team found that QinetiQ’s internal corporate network could be accessed from a Waltham, Massachusetts, parking lot over an unsecured Wi-Fi connection. The same review also discovered that Russian hackers had been stealing secrets from QinetiQ for more than two and a half years through a secretary’s computer, which they had rigged to send the data directly to a server in the Russian Federation, according to an internal investigation.

QinetiQ’s executives in the meantime fretted about rising costs.

“You could spend all your resources chasing such things as this,” William Ribich, the former president of QinetiQ’s Technology Solutions Group (TSG), said in an interview in January. Ribich, who retired in November 2009, shortly after the discovery of a major data theft, said he needed to balance the uncertain risk that the hackers could use what they stole against a growing shopping list of security products and consulting fees.

“You finally have to reach a point where you say ‘let’s move on,’” he said.

Vast Control

China’s hackers in fact zeroed in first on Ribich’s division, based in Waltham, and specifically on QinetiQ’s drone and robotics technology. Internal reports leaked by Anonymous chronicle a breach at TSG in February 2008, followed by another attempt in March of that year. By 2009, the hackers had almost complete control over TSG’s computers, the documents show.

Over one stretch in 2009, the spies spent 251 days raiding at least 151 machines, including laptops and servers, cataloging TSG’s source code and engineering data. The hackers dribbled data out of the network in small packets to avoid detection, managing to get away with 20 gigabytes before they were finally stopped, according to an internal damage assessment.

The stolen cache included highly sensitive military technology and was equivalent in size to 1.3 million pages of documents or more than 3.3 million pages of Microsoft Excel spreadsheets.

Secrets ‘Gone’

“All their code and trade secrets are gone,” Phil Wallisch, senior security engineer at HBGary, wrote in an e-mail after being briefed on the loss by the company.

It was about to get much worse.

While QinetiQ’s team tripped from crisis to crisis, the hackers honed their skills. They were next spotted in March 2010, after signing on with the stolen password of Darren Back, a network administrator based in Albuquerque, New Mexico.

The hackers logged on through the company’s remote access system, just like any employee. It was a trick they were able to use only because QinetiQ didn’t employ two-factor authentication, a simple device that generates a unique code employees enter, along with their usual password, anytime they work from home.

The problem had been spotted months earlier in a security review. Mandiant, which worked on several TSG breaches and performed the test, recommended a relatively inexpensive fix. The advice was ignored, according to a person familiar with the report.

Digital Secrets

In four days of furious activity, the hackers rifled at least 14 servers, taking particular interest in the company’s Pittsburgh location, which specialized in advanced robotics design. The Comment Group also used Back’s password to raid the computer of QinetiQ’s Huntsville, Alabama-based technology control officer, which contained an inventory of highly sensitive weapons-systems technology and source code throughout the company. The spies had got their hands on a map to all of QinetiQ’s digital secrets.

They also had begun to broaden their attack. As evidence mounted that the hackers had moved to divisions beyond TSG, QinetiQ hired two outside firms in April 2010 -- Terremark (TMRK) and a relatively new start-up called HBGary, headed by Greg Hoglund, a former hacker turned security expert.

HBGary installed specialized software on more than 1,900 computers, then scanned the machines for snippets of malicious code. Glitches surfaced almost immediately. The software wouldn’t load on at least a third of the computers, and even where it did, it missed some that the hackers’ spyware was known to have infected, according to internal HBGary e-mails.

Every Corner

The security teams found evidence that the hackers had burrowed into almost every corner of QinetiQ’s U.S. operations, including production facilities and engineering labs in St. Louis, Pittsburgh, Long Beach, Mississippi, Huntsville, Alabama and Albuquerque, New Mexico, where QinetiQ engineers work on satellite-based espionage, among other projects.

By the middle of June 2010, after weeks of intense work, the investigators believed they had cleaned QinetiQ’s networks and began wrapping up.

The calm lasted a little more than two months. In early September, the FBI called QinetiQ with evidence that the defense contractor was again losing data, according to e-mails and a person involved in the probe. Anglin messaged both HBGary and Terremark, asking how quickly their teams could return.

Within hours of their arrival, the investigators again began finding malicious software, or malware, in computers throughout the company’s North American divisions. Some of it had been there since 2009.

Software Deleted

It began to dawn on the security teams that the hackers had established a near permanent presence in the defense contractor’s computers, mining new information almost as soon as it was written onto hard drives. “Oh yeah...they are f’d,” Wallisch wrote to Hoglund in September.

Investigators also had to contend with frustrated QinetiQ employees. Upset about how much computer power the HBGary detection software was consuming, workers began deleting it from their computers with the approval of the company’s information technology staff.

As the hunt continued, more clues surfaced about what secrets the spies were after. The hunters’ digital footprints were found on the computers of QinetiQ’s chief operating officer, a division vice president and dozens of engineers and software architects, including several with classified clearances.

Military Robots

Among the victims was a specialist in the embedded software on microchips that control the company’s military robots, which would help in China’s own robot-building program, said Noel Sharkey, a drones and robotics expert at Britain’s Sheffield University. The PLA unveiled a bomb disposal robot in April 2012 similar to QinetiQ’s Dragon Runner.

The chip architecture could also help China test ways to take over or defeat U.S. robots or aerial drones, Sharkey said.

“You could set them up in a simulation board and hack into them,” he said. “That’s standard stuff.”

The spies also took an interest in engineers working on an innovative maintenance program for the Army’s combat helicopter fleet. They targeted at least 17 people working on what’s known as Condition Based Maintenance, which uses on-board sensors to collect data on Apache and Blackhawk helicopters deployed around the world, according to experts familiar with the program.

The CBM databases contain highly sensitive information, including each aircraft’s individual PIN, and could have provided the hackers with a view of the deployment, performance, flight hours, durability and other critical information of every U.S. combat helicopter from Alaska to Afghanistan, according to Abdel Bayoumi, who heads the Condition Based Maintenance Center at the University of South Carolina.

Redstone Arsenal

The hackers also may have used QinetiQ to break into the Army’s Redstone Arsenal through a network shared with QinetiQ’s engineers in nearby Huntsville. A breach of the base, home of the Army’s Aviation and Missile Command, was linked by military investigators back to QinetiQ, according to a person familiar with the investigation.

It wasn’t the only time the hackers used the same back-door approach to federal computers. The same person said that as recently as last year, federal agents were looking into a breach at a QinetiQ cyber-security unit, which they suspected Chinese hackers were using in attacks against government targets.

The security lapses at QinetiQ led to investigations by several federal agencies, including the FBI, Pentagon, and Naval Criminal Investigative Service, according to two people involved, who didn’t know the final outcome of the probes. The State Department, which has the power to revoke QinetiQ’s charter to handle restricted military technology if it finds negligence, has yet to take any action against the company.

‘Learning Curve’

“In this case it looks like years go by without seeing any learning curve and that’s what’s scary,” said Steven Aftergood, who directs the Project on Government Secrecy at the Federation of American Scientists. “The company is responsible for its own failures, but the government is responsible for the inadequacy of its response.”

QinetiQ’s U.S. operations are overseen by a proxy board that includes Riley Mixson, the Navy’s former air-warfare chief. The board was briefed several times about the hacking and the investigations. Mixson said that “everything was duly reported” and then hung up the phone. Tenet declined to comment.

The investigations didn’t affect the company’s ability to win government contracts, even to provide cyber-security services to federal agencies.

Contract Awarded

In May 2012, QinetiQ received a $4.7 million cyber-security contract from the U.S. Transportation Department, which includes protection of the country’s critical transport infrastructure.

“When it comes to cyber security QinetiQ couldn’t grab their ass with both hands, so it cracks me up that they won,” Bob Slapnik, vice president at HBGary, wrote after QinetiQ received a grant from the Pentagon in 2010 to advise it on ways to counter cyber espionage.

In the fall of 2010, Terremark sent a report to Anglin concluding that QinetiQ had been targeted by the Comment Crew since 2007 and that the hackers had been operating continuously in their networks since at least 2009. The report was part of the trove of documents leaked by Anonymous.

In that time, the hackers had gained almost complete control over the company’s network. They had operated unhindered for months-long stretches and they had implanted multiple, hidden communications channels to extract data. Privately, the investigators concluded that the spies had gotten everything they wanted from QinetiQ’s computers.

“My feeling is that if an attacker has been in your environment for years, your data is gone,” Wallisch wrote in an e-mail to a colleague in December 2010, a few weeks before HBGary itself was hacked and the record stops.

“Everything about your business is known, cataloged, analyzed, by your enemy,” Wallisch wrote. “I don’t feel a sense of urgency anymore.”

Reporters on this story: Michael Riley in Washington; Ben Elgin in San Francisco.

Editor responsible for this story: Daniel Golden.