Legacy Systems Vulnerability Leads to Serious Breach at U.S. Firm


Chinese hackers infiltrated a U.S. engineering firm’s network, exploiting legacy systems and remaining undetected for months.

At a Glance

  • Chinese hackers used default credentials on an IBM AIX server to infiltrate a U.S. engineering firm’s network.
  • The intruders remained undetected for four months.
  • The compromised firm manufactures components for aerospace, oil, and gas sectors.
  • The breach highlights the risks associated with legacy systems.

Chinese Hackers Exploit Legacy Systems in U.S. Engineering Firm Breach

Chinese state-sponsored hackers managed to infiltrate the network of a U.S.-based global engineering firm, utilizing default credentials on an IBM AIX server. The attackers remained undetected for several months, with initial entry occurring in March. The compromised firm, which manufactures components for aerospace, oil, and gas sectors, discovered the breach in August and alerted local and federal law enforcement.

The intrusion was attributed to a Chinese espionage team seeking to steal engineering blueprints. According to John Dwyer, research director for Binary Defense, the attackers took advantage of three unmanaged AIX servers. Binary Defense, which was called in to investigate, found that the intruders had uploaded a web shell and established persistent access.

Exploiting Vulnerabilities

The compromised AIX servers were exposed to the internet and still used default admin credentials. The firm’s security monitoring tools did not support AIX, so the servers went unmonitored and the breach stayed hidden for months. The intruders installed an AxisInvoker web shell, harvested Kerberos data, and added their own SSH keys to maintain remote access. They then deployed further post-exploitation tooling, including Cobalt Strike and additional web shells.
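One check a responder would run on a box like these is an audit of every authorized_keys file against the fingerprints the organisation actually issued, since an attacker-added key survives a password reset. The Python below is an added example, not code from Binary Defense or from the incident: it parses authorized_keys lines (including option prefixes such as from="..."), computes the OpenSSH-style SHA256 fingerprint of each key blob, checks that the key type named on the line matches the type embedded in the blob, and reports anything not on an allowlist. The two keys and the sample file are constructed for the example and are not real keys.

```python
import base64
import hashlib
import shlex
import struct
from dataclasses import dataclass
from typing import Optional

# Key types an authorized_keys line may declare (the token that follows any options).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class Finding:
    line_no: int
    key_type: str
    fingerprint: Optional[str]
    comment: str
    reason: str


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (padding stripped)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob: bytes) -> str:
    """Key type string stored at the start of the SSH wire-format blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_line(line: str) -> Optional[tuple]:
    """Return (key_type, key_b64, comment), or None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)  # folds quoted option values such as command="..."
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no recognised key type")


def audit(authorized_keys: str, allowlist: set) -> list:
    """Flag keys that are unparseable, forged (type mismatch) or not on the allowlist."""
    findings = []
    for line_no, line in enumerate(authorized_keys.splitlines(), start=1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            findings.append(Finding(line_no, "?", None, line.strip()[:40], f"unparseable: {exc}"))
            continue
        if parsed is None:
            continue
        key_type, key_b64, comment = parsed
        try:
            fp = fingerprint(key_b64)
            blob_type = embedded_type(base64.b64decode(key_b64))
        except Exception as exc:  # bad base64 or truncated blob
            findings.append(Finding(line_no, key_type, None, comment, f"unparseable: {exc}"))
            continue
        if blob_type != key_type:
            findings.append(Finding(line_no, key_type, fp, comment, f"type mismatch: blob says {blob_type}"))
        elif fp not in allowlist:
            findings.append(Finding(line_no, key_type, fp, comment, "not in allowlist"))
    return findings


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed wire-format ed25519 public key with a fixed 32-byte payload. Not a real key."""
    pub = bytes((seed + i) & 0xFF for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


KEY_ADMIN = _fake_ed25519_blob(1)        # the one key the organisation issued (constructed)
KEY_INTRUDER = _fake_ed25519_blob(200)   # a key nobody issued (constructed)

# Constructed sample file; hostnames and comments are hypothetical.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not from the incident
from="10.0.0.5",no-pty ssh-ed25519 {KEY_ADMIN} admin@jumphost
ssh-ed25519 {KEY_INTRUDER} root@localhost
ssh-rsa {KEY_INTRUDER} mismatch@forged
ssh-ed25519 not-base64!! mystery
"""

ALLOWLIST = {fingerprint(KEY_ADMIN)}


def run_sample() -> list:
    return audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f.line_no}: {f.reason} ({f.key_type} {f.fingerprint} {f.comment!r})")
```

Run it against every authorized_keys file on the host (root's and each service account's, plus any AuthorizedKeysFile paths sshd_config points at) with the allowlist built from your key-issuance records, not from the files on the box: a key that is merely "old" is not evidence it was legitimate.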

The US government has issued multiple alerts about Chinese cyber threats, including APT40 and Volt Typhoon. Earlier this year, the US accused Volt Typhoon of infiltrating networks that operate critical US services, such as water facilities, the power grid, and communications sectors. Volt Typhoon is exploiting a bug in a California-based startup’s product to hack American and Indian internet companies.

Lessons Learned and Future Actions

After being evicted from the network, the intruders attempted a credential-stuffing attack within 24 hours to regain access. Binary Defense plans to publish a report on the incident and the lessons learned. Dwyer emphasized the significant risks that legacy systems carry, calling them potential “digital time bombs” within large networks. The breach is a stark reminder that older infrastructure needs to be inventoried, updated and monitored rather than left running unmanaged.
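A return attempt like the one described, many usernames tried from one source in a short window, is easy to spot in sshd logs if anyone is looking. The Python below is an added example, not tooling from Binary Defense or the affected firm: it parses OpenSSH-format "Failed"/"Accepted" lines, slides a time window over the failures from each source address, flags sources that exceed a failure count and a distinct-username count, and records any successful login from that source after the burst began, which is the case that needs an immediate response. The log lines, hostnames and addresses are constructed for the example; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# OpenSSH sshd syslog forms; "invalid user" appears when the account does not exist.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one sshd line into an AuthEvent, or None if it is not an auth outcome."""
    for pattern, success in ((FAILED, False), (ACCEPTED, True)):
        m = pattern.match(line)
        if m:
            # syslog timestamps carry no year; that is fine for a window inside one log.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            return AuthEvent(ts, m["user"], m["src"], success)
    return None


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_failures=5, min_users=3) -> dict:
    """Return {src: finding} for sources whose failures in any window exceed both thresholds."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event.src].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        fails = [e for e in events if not e.success]
        best = None
        j = 0
        for i in range(len(fails)):
            while fails[i].ts - fails[j].ts > window:  # shrink window from the left
                j += 1
            win = fails[j:i + 1]
            users = sorted({e.user for e in win})
            if (len(win) >= min_failures and len(users) >= min_users
                    and (best is None or len(win) > best["failures"])):
                best = {"failures": len(win), "users": users,
                        "start": fails[j].ts, "end": fails[i].ts}
        if best is not None:
            # A success from the same source after the burst began is the critical case.
            best["success_after"] = [e.user for e in events
                                     if e.success and e.ts >= best["start"]]
            findings[src] = best
    return findings


# Constructed sample log: one stuffing burst that ends in a valid login, plus a user
# who fat-fingered a password twice and then logged in with a key (benign).
SAMPLE_LOG = """\
Sep 12 02:14:07 aixhost sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Sep 12 02:14:09 aixhost sshd[4012]: Failed password for root from 203.0.113.7 port 51230 ssh2
Sep 12 02:14:11 aixhost sshd[4013]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
Sep 12 02:14:14 aixhost sshd[4014]: Failed password for invalid user backup from 203.0.113.7 port 51250 ssh2
Sep 12 02:14:16 aixhost sshd[4015]: Failed password for svc_build from 203.0.113.7 port 51262 ssh2
Sep 12 02:14:19 aixhost sshd[4016]: Failed password for invalid user test from 203.0.113.7 port 51271 ssh2
Sep 12 02:14:25 aixhost sshd[4017]: Accepted password for svc_build from 203.0.113.7 port 51290 ssh2
Sep 12 02:20:01 aixhost sshd[4020]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Sep 12 02:20:05 aixhost sshd[4021]: Failed password for jsmith from 198.51.100.4 port 40002 ssh2
Sep 12 02:20:12 aixhost sshd[4022]: Accepted publickey for jsmith from 198.51.100.4 port 40003 ssh2
Sep 12 02:21:00 aixhost sshd[4023]: pam_unix(sshd:session): session opened for user jsmith
"""


def run_sample() -> dict:
    return detect_credential_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, f in run_sample().items():
        print(f"{src}: {f['failures']} failures across {len(f['users'])} users "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}; logged in as {f['success_after'] or 'nobody'}")
```

After an eviction, the useful change is not the detector but the threshold: for the first days, alert on the first failure from any address that appeared in the incident, and on any password-based success to the formerly compromised hosts, rather than waiting for a burst to cross the normal thresholds.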

“The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product – whether it is the government, the US Department of the Defense, school systems – assumes all of the risks of all the interconnected pieces of the supply chain,” Dwyer told The Register.

This incident underscores the ongoing threats posed by state-sponsored hackers, particularly those from China. Only concerted efforts to update and safeguard our technological infrastructure can help prevent such intrusions in the future.