Melbourne IT, now Arq Group, surprised by Chinese aerospace hack claims

An Australian company says it has no knowledge of events described in a US indictment, alleging that it was the victim of a Chinese hacking attack.
Written by Chris Duckett, Contributor on

The chief executive of a leading Australian domain registrar says the company is surprised that it could be a victim of an alleged Chinese government-backed hacking attack targeting US and European aircraft engine technology companies.

The US government has revealed an indictment charging 10 Chinese government intelligence officers and co-conspirators with a hacking spree between January 2010 and May 2015.

The hackers' ultimate goal was to steal intellectual property, including confidential business information related to a turbofan engine used in commercial airliners, US prosecutors allege.

The 21-page unsealed indictment does not reveal the name of the Australian domain registrar. It only refers to it as "Company L".

But information included in the indictment points to Melbourne IT, recently renamed as the ASX-listed Arq Group, as the Australian victim of the attack.

Martin Mercer, Arq Group's chief executive, told AAP on Thursday Sydney time that "all of this comes as a surprise to us".

"Melbourne IT (as it then was) has no knowledge of the events described in the indictment and cannot confirm that it is Company L," Mercer told AAP in an email.

"Melbourne IT did not receive advice and never has received advice from the Dept of Justice (or anyone else for that matter) relating to the events described in the indictment."


In a statement [PDF] to the ASX, Mercer said the company is "very confident" about the integrity of its systems and customer data.

"Following a number of acquisitions in 2014 and 2015, the group consolidated all of its domains onto a single domain name registrar platform," he said.

"In addition, the group regularly engages third parties to undertake testing and assurance activities, to review our security posture and access controls, and follow a schedule of external audit programs."

The US alleges that the intrusions were carried out by a foreign intelligence arm of China's Ministry of State Security (MSS) at a time when a Chinese state-owned aerospace company was working to develop a comparable engine for use in aircraft manufactured in China and elsewhere.

The US Department of Justice (DOJ) said two of the 10 are Chinese intelligence officers, six served as hackers, and two were insiders at a French aerospace manufacturer.

"The charged intelligence officers, Zha Rong and Chai Meng, and other co-conspirators, worked for the Jiangsu Province Ministry of State Security ('JSSD'), headquartered in Nanjing, which is a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security ('MSS')," the DOJ said in a press release.

The indictment describes how on August 28, 2013, alleged hacker Liu Chunlian sent accused malware developer Ma Zhiqi a link to a news article that explained how the Syrian Electronic Army had hacked into the computer systems of Australia's "Company L" in order to facilitate intrusions.

The Syrian Electronic Army is a group of hackers supporting Syrian President Bashar al-Assad.

The New York Times announced on August 27, 2013, that its website was unavailable to readers after an online attack by the Syrian Electronic Army on its Australian domain name registrar, Melbourne IT.

At the time, ZDNet reported that the attack was simple: the hackers had valid credentials for a Melbourne IT reseller account with permission to change DNS entries, and the DNS changes they made took out The New York Times and Twitter. The credentials were gained through a successful phishing attack.

Melbourne IT said its registry lock features were not in use on all of the domains that the reseller was responsible for, but domains that did have the feature enabled were not affected.

Soon after that attack, the Syrian Electronic Army defaced Melbourne IT's corporate blog.

The DOJ further details how the hacks took place over five years, targeted multiple companies in a coordinated manner, and employed a wide variety of techniques, ranging from infections with custom-made malware to basic spear-phishing campaigns and the hijacking of victims' official websites for use in watering hole attacks.

The indictment explains how the Chinese hackers, just weeks after the Syrian Electronic Army's Australian attack, allegedly "used the same method" to hack into the computer systems of Company L to hijack the domain names of Company H, a San Diego-based technology company.

The hacked Australian domain registrar hosted the San Diego company's domain names.

"On December 3, 2013, a member of the conspiracy installed Sakula malware on Company H's computer network and caused the malware to send a beacon to a doppelganger domain name under the control of one or more members of the conspiracy," the indictment states.

"Notably, the doppelganger domain name was designed to resemble the real domain of Company A (a Massachusetts-based aerospace company), which had previously been hacked by members of the conspiracy.

"Between December 3, 2013, and January 15, 2014, members of the conspiracy accessed approximately 40 computer systems operated by Company H and installed a variety of malware, including Sakula, Winnti, and PlugX, to steal Company H's data."
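The beacon to a doppelganger domain described in the indictment is an indicator a defender can look for in their own DNS logs. The following added example, which is not code from the article or from any party it names, flags queries for names that imitate an organisation's own domains by folding common look-alike characters and measuring edit distance; the domain list, homoglyph table and log lines are constructed for this example.

```python
import unicodedata

# Constructed for this example: the organisation's legitimate domains and a
# handful of DNS query log lines (timestamp, source host, "query", name).
LEGIT_DOMAINS = ["company-a.example", "mail.company-a.example"]
SAMPLE_DNS_LOG = """\
2013-12-03T09:14:02Z ws-017 query company-a.example
2013-12-03T09:14:05Z ws-017 query cdn.updates.example
2013-12-03T09:15:41Z ws-042 query c0mpany-a.example
2013-12-03T09:16:10Z ws-042 query companya.example
2013-12-03T09:17:00Z ws-009 query comp\u0430ny-a.example
"""

# Small constructed table of characters commonly substituted for look-alike
# letters: digits and a few Cyrillic letters that render like Latin ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def normalize(name):
    """Fold case, map look-alike characters to ASCII and drop hyphens.
    Real resolver logs usually show IDNs in punycode (xn--); decode those first."""
    name = unicodedata.normalize("NFKC", name.lower().rstrip("."))
    return name.translate(HOMOGLYPHS).replace("-", "")

def levenshtein(a, b):
    """Plain edit distance; fine for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(queried, legit=LEGIT_DOMAINS, max_distance=1):
    """Return the legitimate domain this name imitates, or None."""
    if queried.lower().rstrip(".") in (d.lower() for d in legit):
        return None  # an exact match is the real domain, not a doppelganger
    q = normalize(queried)
    for real in legit:
        if levenshtein(q, normalize(real)) <= max_distance:
            return real
    return None

def find_doppelgangers(log=SAMPLE_DNS_LOG):
    """Return (host, queried name, imitated domain) for each suspicious query."""
    hits = []
    for line in log.splitlines():
        _ts, host, _kind, name = line.split()
        real = lookalike_of(name)
        if real:
            hits.append((host, name, real))
    return hits
```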

In March 2016, the Department of Justice charged three Syrian members of the Syrian Electronic Army with offences related to hacking.

At the time, Ahmad Umar Agha, using the handle "The Pro", and Firas Dardar, calling himself "The Shadow", were charged with engaging in terrorism hoaxes, attempting to incite mutiny in the US armed forces, unauthorised access to and damage of computer systems, access device fraud, and illicit possession of authentication features.

By May this year, the pair were indicted on further charges of conspiracy and aggravated identity theft.

"According to allegations in the indictment, under the name 'Syrian Electronic Army', the conspirators focused on spearphishing US government, military, international organizations, and private-sector entities, including the Executive Office of the President, the US Marine Corps, the National Aeronautics and Space Administration, National Public Radio, the Associated Press, Reuters, The Washington Post, The New York Times, CNN, The Onion, USA Today, The New York Post, Time, Human Rights Watch, and scores of other entities and individuals," the DOJ said.

The pair are believed to be in Syria.

In April this year, Melbourne IT rebranded itself as Arq Group as part of a shift into being a "full service digital partner".

Arq Group comprises Melbourne IT's acquired subsidiaries Outware Mobile, WME Group, Infoready, Netregistry, and Web Central.

"The Melbourne IT of today is almost unrecognisable from who we were four years ago. We've gone from a business that sold domains and hosting to one of the leading providers of services and solutions to businesses embracing a digital operating model," CEO Martin Mercer said at the time.

"We're ready to take the next step. To become Australia's leading digital partner. And to lead organisations through the maze of online challenges they face. We've created an environment where innovation thrives, a place where today's digital leaders and innovations shape the future, and a culture where excellence is considered standard practice."

With AAP
