U.S. Military Defense Systems: The Anatomy of Cyber Espionage by Chinese Hackers

The Internet has revolutionized our world, creating an interconnected ecosystem of networks through which users worldwide can interact and share information. This has dramatically increased access to information and customers, improving the efficiency of government, allowing businesses to blossom, and enriching citizens’ lives. However, the Internet has also become a platform for nefarious activities by various actors ranging from criminals to nations.

The number of cyber-attacks has exploded in the last decade, gravely endangering the nation’s infrastructure. The threat continues to grow as Internet usage expands. Despite continuous improvements in detection and prevention, malicious cyberattacks remain widespread due to the economic and tactical gains they afford.

The preservation of critical infrastructure (energy, manufacturing, telecommunications, financial, medical, transportation, military, governmental, and otherwise) is essential for national security, and the Internet has become its nucleus. If an adversarial nation launches a sophisticated, targeted cyber-attack that takes down significant parts of our critical infrastructure, the consequences will be calamitous.

In 2009, the United States Cyber Command was established to centralize command of our military’s various cyberspace operations. It has the difficult but vital mission of keeping military networks secure, helping protect critical infrastructure, and assisting other branches of the military. Less obvious is Cyber Command’s role in identifying and protecting systems prone to vulnerabilities, which could provide a launch pad for adversaries to conduct cyber-attacks. Keeping ahead of adversaries is a challenge, especially as zero-day attacks (i.e., those exploiting previously unknown vulnerabilities in critical systems) have catastrophic repercussions that can rattle the nation’s military defense systems. In the context of cyberspace and cyber-attacks, zero-day exploits can be understood as weapons, and military cyber systems as targets.

It is no longer a secret that Chinese hackers launched successful campaigns in which they used zero-day exploits to plant Remote Access Toolkits (RATs) to compromise and control critical U.S. systems. The scope of these campaigns is astonishing: once hackers establish access, they periodically revisit the victim’s network over several months or years and steal intellectual property—including technological blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and email contact lists—from victim organizations’ leadership. For one organization alone, Mandiant observed the theft of 6.5 terabytes of compressed data over a ten-month period. In one example, Chinese hackers conducted cyber-espionage against the U.S. Transportation Command (TRANSCOM), the agency responsible for moving U.S. troops and military equipment around the world. Entry was traced through civilian contractors (secondary targets are frequently exploited to attain access to primary targets). The targeted cyber-attacks against TRANSCOM persisted for over a year.

The most common technique the Chinese use to conduct targeted cyber-attacks is a spear phishing attack, in which the target receives an email containing a malicious attachment or a link to a malware download. The malware then creates a backdoor in the system, allowing the adversary free access in the future while avoiding all defenses. Two characteristics are critical: targeting increases the probability of a target clicking on a malicious link, and zero-day exploits allow for the establishment of backdoors even in the presence of sophisticated defenses.

Nations (and criminals) are paying a hefty amount of money to purchase zero-day exploits to strengthen their cyber-war capabilities. The purchase and secreting of zero-day exploits by Western cyber-forces has engendered a lively debate on the morality and practicality of the practice, but their adversaries widely use the same technique. Securing critical infrastructure must be the primary goal, but cyber-attacks against military defense systems cannot be ignored; the potential consequences for the nation’s defense capabilities are cataclysmic. Potential ramifications of successful attacks include:

  • Disruption of supply-chains, drastically impacting the performance of the military due to shortages of food, water, ammunition and other basic supplies.
  • Deployment of malicious hardware exported from other countries such as China without verification, resulting in the compromise of military defense systems.
  • Exploitation of vulnerabilities in Satellite Communication (SATCOM) systems, allowing attackers to control the satellite remotely; this can impact the state of military planes and other weapons.
  • Manipulation of GPS communication channels to control military drones.
  • Exploitation of Industrial Control Systems (ICS), especially supervisory control and data acquisition systems (i.e., SCADA, as in Stuxnet), impacting defense operations. Such systems are used for various purposes in the military, including Command, Control, Communications, Computer, Intelligence, Surveillance and Reconnaissance (C4ISR) for managing electrical and mechanical machinery during defense operations.

To state the obvious, defense systems are a crucial component of a nation’s critical infrastructure.

Table 1 lists some of the publicly acknowledged, highly advanced attacks conducted against U.S. military systems and other critical infrastructure by Chinese hackers for the purpose of cyber espionage.

Table 1. Target identity – espionage by Chinese hackers

1. Chinese hackers attacked U.S. Transportation Command (TRANSCOM) networks, which are responsible for movement of U.S. troops and equipment around the globe.
2. Chinese hackers stole the designs for advanced U.S. weapons systems, including:
  • F-35 Joint Strike Fighter (JSF)
  • F/A-18 Fighter Jet
  • Patriot Missile System
  • RQ-4 Global Hawk Drones
  • P-8 Poseidon Reconnaissance Aircraft
  • UH-60 Black Hawk Helicopter
  • Littoral Combat Ship
  • Army’s Terminal High Altitude Area Defense (THAAD) Missile Defense System
  • Navy’s Aegis Ballistic Missile Defense (BMD) Program
3. Chinese hackers compromised White House computer systems for espionage against military offices, targeting interoffice communication, nuclear codes, and other objectives.
4. Chinese hackers took temporary control of the National Oceanic and Atmospheric Administration’s (NOAA) weather satellites. The NOAA is a federal agency focused on the condition of the oceans and the atmosphere.
5. Chinese hackers also compromised Civil Reserve Air Fleet (CRAF) systems by compromising the computers the defense contractors used.

Military defense systems are the computer systems and networks that are specifically used for intelligence purposes and dedicated defense operations. In spite of this, military defense systems remain susceptible to the same set of cyber-attacks as other systems. For clarity, we classify the threats against military defense systems into three primary classes of vulnerabilities that are exploited in cyber-attacks. These vulnerability classes are: software-based, hardware-based, and insider threats. The majority of military defense systems deploy widely used software and devices, such as operating systems, open source software, routers, radio frequency devices, switches, ICS/SCADA, etc. These are prone to various classes of vulnerabilities such as hardcoded passwords and backdoors in firmware, insecure protocols, Remote Command Execution (RCE), default passwords for Human-Machine Interfaces (HMIs), and insecure authentication and authorization, which all fall into the category of software vulnerabilities. In this taxonomy, malicious hardware and insider threats are also considered to be vulnerabilities that pose a serious threat to military defense systems and networks.

Software-based Vulnerabilities

  • Backdoors and Hardcoded Passwords: A number of critical infrastructure systems have hardcoded passwords embedded in the firmware that allow attackers who discover them to gain complete access to these systems. These backdoors exist for support or remote access purposes. The hardcoded passwords can be easily obtained by reverse engineering firmware and carefully analyzing functional components. In one example, hardcoded passwords in the firmware can be used to control military SATCOM systems.
  • Remote Code Execution (RCE): This class of vulnerabilities can be present in any software, including that used by military defense systems. Remote code execution can be triggered by exploiting security flaws in operating system components, browsers, critical systems such as ICS/SCADA, routers, and other software such as Microsoft Office, Adobe Reader, Java and so on. Attackers exploit security issues such as buffer overflows (stack, heap, and integer), use-after-free errors, race conditions, memory corruption, privilege escalations, dangling pointers, and others. Successful exploitation of these vulnerabilities allows the attackers to execute arbitrary code on compromised systems. Several vulnerabilities in browsers (or their plugins) and office components have allowed triggering of drive-by download and spear phishing attacks in military systems. Even critical systems such as ICS/SCADA are vulnerable to remote code execution vulnerabilities.
  • Insecure Protocols, Spoofing and Hijacking: A number of systems used for military defense purposes use undocumented and insecure protocols that allow hijacking and spoofing of communication channels. Unencrypted protocols and usage of insecure cryptographic algorithms allow attackers in the vicinity to hijack the channel through Man-in-the-Middle (MitM) attacks. Protocol vulnerabilities can be used for RCE and Denial-of-Service (DoS) attacks. Several vulnerabilities in MODBUS and DNP3 SCADA protocols have been identified. The emergence of drones brings new vulnerabilities, with researchers taking control of a Department of Homeland Security (DHS) drone. Drones can also be susceptible to a GPS spoofing attack redirecting them to unauthorized targets, which clearly has the potential to undermine critical operations.
  • SQL Injections: These vulnerabilities are frequently exploited to extract sensitive data, and military websites have not been immune. SQL injection exploits weaknesses in a web application to allow attackers’ queries to be executed directly in the backend database. Data stolen using SQL injection can provide critical information for advanced targeted attacks. For example, successful SQL injections allow the attackers to dump backend databases to extract sensitive information such as credentials, emails, critical documents, etc. The stolen information is of immense value to the attackers. In recent years, SQL injections have been used to attack U.S. military websites.
  • Insecure Authentication and File Uploading Flaws: These flaws allow remote attackers to access critical systems by exploiting weak authentication design and uploading malicious code (or firmware) onto the systems. This security issue persists due to the inability of the systems to implement granular control through proper authentication and authorization checks. File uploading attacks exploit the system’s inability to determine the type of files being uploaded on the server.
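The SQL injection and insecure file-upload flaws from the last two items, as an added example that is not part of the article: a Python script showing the vulnerable form of each check beside its hardened form. The user table, the account, the injected login attempt and the upload bytes are all constructed for the example; the hardening techniques (bound query parameters, and validating upload content by file signature rather than file name) are standard practice, not anything the article attributes to a specific system.

```python
"""Added example (not from the article): the SQL injection and insecure
file-upload flaws described above, each shown as a vulnerable check beside
its hardened form.  The user table and the upload samples are constructed
inline so the script runs offline with the standard library only."""
import sqlite3


def build_db():
    """In-memory user table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Query built by string concatenation: whatever the client sends
    becomes part of the SQL text, so a quote in the input changes the
    query's structure instead of being compared as data."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, pw):
    """Bound parameters: the query text is fixed and the driver passes the
    values separately, so the same input is matched literally and fails."""
    query = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(query, (name, pw)).fetchone() is not None


# File-type signatures (magic bytes) for the only types this constructed
# upload endpoint accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def upload_allowed_by_extension(filename):
    """Weak check: trusts the client-chosen file name alone, so renaming
    an executable to .png is enough to pass."""
    return filename.rsplit(".", 1)[-1].lower() in MAGIC


def upload_allowed_by_content(filename, data):
    """Hardened check: the extension must be on the allow list AND the
    bytes must start with that type's signature, so a renamed binary or
    script is rejected regardless of its name."""
    sig = MAGIC.get(filename.rsplit(".", 1)[-1].lower())
    return sig is not None and data.startswith(sig)


if __name__ == "__main__":
    db = build_db()
    # Constructed login attempt whose "name" closes the quote and comments
    # out the password clause in the concatenated query.
    injected = "admin' --"
    print("vulnerable   :", login_vulnerable(db, injected, "wrong"))     # True
    print("parameterized:", login_parameterized(db, injected, "wrong"))  # False
    # Constructed uploads: a renamed ELF binary and a genuine PDF header.
    print(upload_allowed_by_extension("update.png"))                     # True
    print(upload_allowed_by_content("update.png", b"\x7fELF\x02\x01"))   # False
    print(upload_allowed_by_content("report.pdf", b"%PDF-1.4\n"))        # True
```

The two halves illustrate the same design rule: data supplied by the client (a login field, a file name) must never be allowed to decide the structure of a query or the type of a file; the server decides both from fixed text and from the bytes themselves.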

Insider Threat Vulnerabilities

Insider threats are a major problem for both military organizations and all types of businesses. Insider threats involve a malicious employee or contractor that steals sensitive organizational assets or otherwise diminishes the integrity of the organization. Snowden is the archetype. Insider threats can have different motives such as revenge, personal grudge, or greed. In general, insider threats can be placed into two broad categories:

  • Unintentional Insider Threats (UIT): U.S. military defense organizations outsource jobs to private firms. Contractors present a softer target than military facilities, so they are attractive prey. Recent attacks demonstrate that compromising contractors’ assets allows attackers to steal intelligence from military defense networks. The contractor acts as a proxy to provide entry for the attacker, as the contractor has no intention to conduct any spying.
  • Intentional Insider Threats (IIT): When contractors or employees turn malicious, that is an intentional insider threat, and the results can be devastating. Snowden, an NSA contractor, is the most recent person who worked for the NSA to leak sensitive and classified information through WikiLeaks, which revealed the various stealth operations of the NSA as a part of U.S. Cyber Defense Operations (CDO). Other examples include Ames, who conducted spying operations against the CIA.

Hardware-based Vulnerabilities

Vulnerabilities in hardware are also emerging. U.S. government and security researchers have unveiled a number of cases showing threats in cyberspace through imported hardware. DHS reports finding malware preloaded in hardware imported from China—backdoors for access to the hardware after deployment. In one example, Zombie Zero malware was implanted in the software of scanner hardware manufactured in China as part of an attack targeted against shipping and logistics industries. A scanner seems innocuous, but when connected to a network it provides a platform for compromising everything on the network, in this case communicating with Command and Control (C&C) servers located in China. Although few in number, such threats in hardware can have a substantial impact on U.S. defense systems.

A less nefarious but still serious problem stems from counterfeit devices. In 2011, two culprits were prosecuted for selling thousands of counterfeit devices and circuits developed in China to U.S. military and defense contractors to be used in warships, missiles, airplanes, etc. One can imagine the disastrous consequences such hardware threats pose when installed in critical military systems.

These cases highlight and elevate the threat Chinese hardware poses to not only the United States, but all nations that receive hardware preinstalled with malware.

Table 2 shows the most widely used vulnerabilities observed in actual attacks on military defense systems and applications.

Table 2. Vulnerability / threat types and real-world cases (vulnerable systems)

1. Backdoors and Hardcoded Passwords
  • Global Positioning System (GPS) Satellite Communication (SATCOM) systems provided by Harris, Cobham, JRC, Iridium and Hughes were vulnerable
  • Supervisory Control and Data Acquisition Systems (SCADA) provided by Siemens, TURCK, etc. were vulnerable
2. Insecure Authentication and File Uploading
  • Global Positioning System (GPS) Satellite Communication (SATCOM) systems provided by Harris, Cobham, JRC, Iridium and Hughes were vulnerable
3. Remote Code Execution
  • SCADA systems provided by ICONICS GENESIS32, BizViz, IntegraXor, Sielco Sistemi, etc. were vulnerable to Buffer Overflows
  • XMLDOM Zero-day vulnerability was exploited to attack U.S. Veterans of Foreign Wars' website
  • Operation Pawn Storm uses vulnerabilities in MS Office files to target U.S. military officials
4. SQL Injections
  • Royal Navy website hacked using SQL Injection
  • U.S. Army website hacked using SQL Injection
5. Insecure Protocols, Spoofing and Hijacking
  • Global Positioning System (GPS) Satellite Communication (SATCOM) systems provided by Harris, Cobham, JRC, Iridium and Hughes were vulnerable
  • Possible attacks to spoof GPS communication to control U.S. drones
6. Insider Threat
  • Whistleblower Edward Snowden, who worked as a contractor for the Central Intelligence Agency (CIA) and NSA, leaked classified documents of military operations and NSA functions.
7. Hardware-based
  • Chinese manufacturing units exported tampered military-grade FPGA computer chips, circuits, and counterfeit devices such as scanners

In general, most software and hardware vulnerabilities are the result of poor coding practices and a dearth of security understanding among developers. Hardcoded passwords, for example, exist because programmers prefer to have an easy way to access software for recovery purposes such as debugging. However, these vulnerabilities have a drastic impact on the security of the software and the different environments in which the software is used. Alternatively, developers or programmers with malicious intent may implant computer hardware with code as part of a targeted attack. Insider threat vulnerabilities are difficult to assess due to the human element involved. Due to the wide variety of threats, multi-layer defenses are required to combat vulnerabilities in the software world.

Proactive Measures

Cyber-attacks cannot be prevented through technical solutions alone. The nation requires well-drafted cyber laws, organizational policies, and cyber strategies in addition to highly advanced defensive solutions. Some proactive procedures and measures to protect military defense systems from cyber-attacks are discussed below.

  • Software and Hardware Assurance: Assuring the security of both software and hardware is essential. Extensive security auditing of software and hardware allows military organizations to obtain a level of assurance against exploitation by hackers. Security auditing reveals the state of software and hardware against counterfeiting trends, vulnerabilities, advanced malicious code, insecure components and code tampering. Software assurance and security auditing also help military organizations to work in conjunction with vendors to patch vulnerabilities before the software is deployed. Hardware assurance protects the integrity and security of hardware devices against pre-installed nefarious code. In addition, the U.S. military should implement the following recommendations:

    • All critical software used in military defense systems should be audited regularly to ensure systems are patched against known vulnerabilities and to address newly detected vulnerabilities. In particular, software should be audited to remove any backdoors embedded by vendors, especially hard-coded passwords.
    • Protocols used for transmission of data among defense systems should be made cryptographically secure and insusceptible to hijacking or spoofing attacks. If possible, the military should avoid the use of protocols employing custom encryption algorithms.
    • All military defense systems including ICS/SCADA should use strong authentication and authorization mechanisms. Administrators should ensure that critical defense systems are not accessible over the Internet. Additionally, default configurations should be altered prior to deployment in accordance with security policies. Critical systems should be air-gapped and should not be exposed in any situation.
    • Hardware imported from other countries and vendors should undergo rigorous security auditing to detect tampering, counterfeiting and implanting of malicious code before use in military operations.
    • Advanced penetration testing and red team exercises for network exploitation may be employed to provide assurance.
  • Insider Threat Detection: While government officials currently scrutinize contractors through background checks, this alone is insufficient. Military defense organizations must invest in technology-based solutions such as identity and behavior profiling to help detect anomalous behavior. Such analysis can both prevent and minimize the impact of security breaches.
  • Cybersecurity Training: Cybersecurity training is necessary for all military organizations. Technical personnel need to learn about existing threats in cyberspace and how to defend against them. Military officials must learn to defend against cyber-attacks and perform incident response. People represent a critical vulnerability, which is why phishing remains a primary attack vector. Therefore, basic cybersecurity training of all personnel is essential.
  • Dedicated Cybersecurity Government Bodies: Extensive efforts are required to secure control systems. The United States initiated an effort in that direction by establishing an Industrial Control System (ICS) Computer Emergency Response Team (CERT), which responds to emergency situations in the context of ICSs. ICS-CERT incorporates global security researchers working in conjunction with ICS vendors to eradicate vulnerabilities and release well-defined advisories. This combined process raises awareness among ICS customers and provides guidelines on how to best implement patches for vulnerable ICS software. The Department of Homeland Security (DHS) has also established the Control Systems Security Center (CSSC) to support organizations in the secure deployment of control systems. U.S. Cyber Command monitors Department of Defense (DoD) networks to detect possible infiltrations by hackers and secure the systems accordingly. These organizations are an important step, but substantial and continuous governmental effort remains necessary to combat cyber-attacks.
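A sketch of the software and hardware assurance checks recommended in the list above, as an added example that is not from the article, ICS-CERT or any vendor tool. It audits one device record for known default credentials and for management services bound to every interface, and it extracts printable strings from a firmware image (the same idea as the Unix `strings` utility) to flag credential-looking values that an audit should remove before deployment. The firmware bytes, the device configuration and the default-credential list are constructed for the example; a real audit would draw on a maintained database of vendor defaults and on full firmware analysis rather than string matching alone.

```python
"""Added example (not part of the article): a small pre-deployment audit
of the kind the recommendations above call for.  Checks performed:
  - configured credentials against a list of known vendor defaults
  - management services bound to 0.0.0.0 (reachable from any network)
  - credential-looking strings embedded in a firmware image
Firmware bytes, configuration and default list are all constructed here."""
import re
import string

# Constructed list of shipped vendor credentials (username, password).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("root", "")}

# Printable ASCII minus control whitespace; a space is kept so that
# sentence-like strings survive extraction.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def extract_strings(blob, min_len=6):
    """Return runs of at least min_len printable characters, in file order."""
    out, run = [], []
    for byte in blob:
        char = chr(byte)
        if char in PRINTABLE:
            run.append(char)
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


# Patterns for credentials left in firmware: key=value assignments with a
# password-like key, and user:password pairs for common service accounts.
CRED_PATTERNS = [
    re.compile(r"(?i)(pass(word|wd)?|pwd|secret)\s*[=:]\s*(\S+)"),
    re.compile(r"(?i)\b(admin|root|support|service):([^\s:]{4,})$"),
]


def find_hardcoded_credentials(blob):
    """Strings in the image that match any credential pattern."""
    hits = []
    for text in extract_strings(blob):
        if any(pat.search(text) for pat in CRED_PATTERNS):
            hits.append(text)
    return hits


def audit_device(config, firmware):
    """Return a list of (rule, detail) findings for one device."""
    findings = []
    cred = (config.get("username", ""), config.get("password", ""))
    if cred in KNOWN_DEFAULTS:
        findings.append(("default-credential", f"{cred[0]}:{cred[1]}"))
    for service, bind in config.get("services", {}).items():
        if bind.startswith("0.0.0.0"):
            findings.append(("exposed-service", f"{service} bound to {bind}"))
    for text in find_hardcoded_credentials(firmware):
        findings.append(("hardcoded-credential", text))
    return findings


# Constructed firmware image: an ELF-like header and filler bytes around a
# few embedded configuration fragments.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"telnet_password=fact0ry!\x00"
    + b"\x90\x90\x90\x00"
    + b"support:remot3acc\x00"
    + b"Copyright 2015 Example Vendor\x00"
)

# Constructed device configuration as it would ship from the vendor.
SAMPLE_CONFIG = {
    "username": "admin",
    "password": "admin",
    "services": {"http-mgmt": "0.0.0.0:80", "ssh": "10.0.0.5:22"},
}

if __name__ == "__main__":
    for rule, detail in audit_device(SAMPLE_CONFIG, SAMPLE_FIRMWARE):
        print(f"{rule:22} {detail}")
```

The audit is deliberately a reporting tool, not a gate: the findings feed the review with the vendor that the recommendations describe, where a flagged string is either confirmed as a backdoor to be removed or cleared as a false positive, and the default credentials and exposed interface are corrected in the device's configuration before deployment.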

Security is a process requiring the combined efforts of people and equipment. Cybersecurity is simply a new vector, one needing the attention of the government and the military. The challenge, as with any threat, is to balance the fundamentals of the Constitution with the needs of defense. Cyber-attacks by nation-states exist, and they occur on multiple fronts. Recent activity indicates that China is a highly motivated and patient adversary with vast sums at their disposal. A multifaceted response is therefore required to mitigate the threat posed to military systems.

Dr. Sood works as a Director of Security and Cloud Threat Labs at Elastica Inc., Blue Coat Systems. Dr. Sood has research interests in malware automation and analysis, application security, secure software design and cybercrime. He has worked on a number of projects pertaining to penetration testing, specializing in product/appliance security, networks, mobile and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of SecNiche Security Labs, an independent web portal for sharing research with the security community. He has authored several papers for various magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, Usenix and others. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, Kaspersky Threatpost, CBC and others. He has been an active speaker at industry conferences and presented at BlackHat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP and many others. Dr. Sood obtained his Ph.D. from Michigan State University in Computer Sciences. Dr. Sood is also an author of "Targeted Cyber Attacks," a book published by Syngress. He also sits on the review board of "CrossTalk - Journal of Defense Engineering", a publication sponsored by the Department of Homeland Security (DHS) and NavAir.

Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering. He joined the faculty in 1987 after earning his Ph.D. in Computer Science from the University of Minnesota. He has served as Acting Chair of the Department, Associate Chair, and as Director of the Computer Engineering Undergraduate Program. Together with Aditya Sood he published a book on Targeted Cyber Attacks (Syngress, 2014).