John Dwyer, research director for cybersecurity firm Binary Defense, said in an interview on Wednesday that Chinese state-sponsored hackers were able to infiltrate the network of a U.S.-based global engineering firm and linger for months before they were discovered.
Dwyer did not name the targeted engineering firm in his interview with The Register, or name the Chinese cyber-espionage team that penetrated its system. He said the company in question “makes components for public and private aerospace organizations and other critical sectors, including oil and gas.”
According to Dwyer, the Chinese intruders gained access to the network through “one of the victim’s three unmanaged AIX servers.”
AIX is IBM's proprietary version of the Unix operating system, sold for and running on IBM's Power hardware. Unix is an old design, but it is still widely used, and IBM continues to support and update AIX.
The Register inferred from Dwyer's comments that the targeted company had essentially forgotten about the three old servers connected to its corporate network, leaving an opening for the Chinese hackers to exploit. All three servers were exposed to the Internet without adequate protection, and one of them reportedly granted full administrator privileges to remote users by default, a severe misconfiguration.
The AIX servers were also allegedly comfortable nests for the intruders, who lurked in the network for four months before the company detected them and called in federal law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). Binary Defense also consulted on the response, which is how Dwyer learned the details of the intrusion.
The hackers were reportedly in the system long enough to upload files of their own and open further gaps in the company's defenses, effectively gaining "full, remote access to the IT network." Among other dangers, this could have given them the ability to interfere with the company's supply chain, for example by arranging for deliberately defective products to be produced.
“The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product – whether it is the government, the US Department of the Defense, school systems – assumes all of the risks of all the interconnected pieces of the supply chain,” he said.
Dwyer offered extensive details about the havoc the Chinese hackers wreaked on network security, but did not specify whether they stole data from the targeted company or tried to sabotage its supply chain. He found some dry humor in the attackers' apparent unfamiliarity with AIX: it is a genuine Unix, but it does not ship some of the commands the intruders evidently expected to find, so several of the commands they attempted to execute simply did not work.
Dwyer felt one of the important lessons from the incident was that older computers connected to large networks can create serious security gaps, especially if they have not been updated and locked down to the same security standards applied to the actively managed systems on the network.
Dwyer noted that the three AIX servers were not "compatible with the organization's security monitoring tools," which is why the hackers were able to lurk inside them for months undetected. The jig was finally up when the hackers tried to dump memory on another computer on the network to harvest user IDs and passwords, activity egregious enough to trigger the company's security monitoring tools on that machine.
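The monitoring gap Dwyer describes is easy to check for mechanically: reconcile the asset inventory and an external perimeter scan against the check-in records of the security monitoring agent, and anything internet-reachable that has never checked in (or has gone silent) is a candidate for exactly this kind of forgotten server. The script below is an added example, not code from Binary Defense, The Register or the affected company; the inventory, check-in times and scan hits are constructed for illustration.

```python
"""Flag hosts that face the internet but are absent from, or stale in,
the security monitoring tool's agent check-in list.

Added example; all data below is constructed and not from the incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
STALE_AFTER = timedelta(days=7)                    # assumed staleness threshold


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    internet_exposed: bool  # what the inventory *claims*


# Constructed asset inventory, e.g. a CMDB export.
INVENTORY = [
    Host("erp-db01", "AIX 7.2", True),
    Host("legacy-fin02", "AIX 6.1", True),
    Host("plm-app03", "AIX 7.1", False),
    Host("ws-eng-114", "Windows 11", False),
    Host("web-prod01", "RHEL 9", True),
]

# Constructed last agent check-in per host from the monitoring console.
AGENT_CHECKINS = {
    "ws-eng-114": NOW - timedelta(minutes=5),
    "web-prod01": NOW - timedelta(hours=1),
    "plm-app03": NOW - timedelta(days=40),  # agent once installed, now silent
}

# Constructed external perimeter scan: hostnames answering from the internet.
EXTERNAL_SCAN_HITS = {"erp-db01", "legacy-fin02", "web-prod01", "ftp-old9"}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def coverage_gaps(inventory, checkins, external_hits, now=NOW, stale_after=STALE_AFTER):
    """Return findings sorted HIGH first, then by hostname."""
    findings = []
    known = {h.name for h in inventory}
    for h in inventory:
        reachable = h.internet_exposed or h.name in external_hits
        # Inventory says internal, but the perimeter scan disagrees.
        if not h.internet_exposed and h.name in external_hits:
            findings.append(Finding(h.name, "HIGH: inventory says internal but host answers from the internet"))
        last = checkins.get(h.name)
        if last is None:
            reason = "no monitoring agent has ever checked in"
        elif now - last > stale_after:
            reason = f"agent silent for {(now - last).days} days"
        else:
            continue
        sev = "HIGH" if reachable else "MEDIUM"
        findings.append(Finding(h.name, f"{sev}: {reason} ({h.os})"))
    # Perimeter hosts the inventory does not know about at all.
    for name in sorted(external_hits - known):
        findings.append(Finding(name, "HIGH: internet-reachable host missing from inventory"))
    return sorted(findings, key=lambda f: (not f.reason.startswith("HIGH"), f.host))


if __name__ == "__main__":
    for f in coverage_gaps(INVENTORY, AGENT_CHECKINS, EXTERNAL_SCAN_HITS):
        print(f"{f.host:14} {f.reason}")
```

Run against the constructed data, this reports the two internet-facing AIX hosts with no agent, the perimeter host the inventory has never heard of, and the internal AIX host whose agent stopped reporting; the last case matters because "has an agent installed" is not the same as "is being watched".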
Cybersecurity professionals are increasingly worried about "legacy systems," older machines that can become "digital time bombs" because network administrators forget about them or underestimate how vulnerable they are. Recent generations of hardware have been durable enough that many elderly, semi-obsolete machines are still running on big networks, especially at cost-conscious companies that put off expensive upgrades for as long as possible.