(Bloomberg) — In January, BAE Systems PLC got a routine call from a new client: The health care company's computer systems were mysteriously crashing. BAE's sleuths soon discovered a dangerous new strain of a virus called Qbot.
Using skills honed via years of work for British intelligence services, BAE's cyber specialists traced the worm to a shadowy Russian-speaking criminal network. It had infected more than 54,000 computers worldwide, mostly in the U.S., stealing usernames and passwords from targets such as hospitals, universities, police departments and big banks like Wells Fargo and Bank of America.
"Working out the motivation behind an attack is more an art than a science," said Adrian Nish, BAE's head of cyberthreat intelligence. "It was criminal. They were looking to monetize the attack."
As Europe's largest defense company, BAE is better known for producing Typhoon fighter jets and nuclear-powered submarines than battling computer viruses. Yet in the past decade, it has developed its cyber-security chops as one of the biggest suppliers of threat intelligence to the Government Communications Headquarters, Britain's counterpart to the U.S. National Security Agency.
BAE is leveraging its track record serving government spooks to target a wider range of clients, selling cyber-security services to major corporations, banks, health care providers and transportation businesses such as Britain's National Rail network. BAE joins U.S. defense contractors Raytheon and Northrop Grumman, both of which have created units to target commercial clients.
Intimate access
In a fragmented business filled with dozens of small companies, the credibility gained by working for the government can pay off, says Harry Breach, an analyst at Raymond James in London.
"People will be really careful about what kind of cyber security firm they're going to allow intimate access to their network," Breach said. "It can look good to say, 'We hired the guys who work for U.K. government security services.'"
BAE's approach differs from its American rivals, which have formed new subsidiaries with distinct branding that doesn't immediately reveal their ties to the mother company. BAE, by contrast, is positioning itself as a military-grade computer security shop for corporations. Since 2008, the company has spent more than £1 billion ($1.4 billion) on a half-dozen surveillance and cyber-security businesses.
"We recognized the world of defense is changing" said Kevin Taylor, who runs Applied Intelligence, BAE's cyber-security arm. "The modern battlefield is not just in air, land and sea, but also in cyberspace."
The cost of online crime for businesses is expected to reach $2 trillion by 2019, according to Juniper Research. BAE estimates the markets where it operates to be worth more than $60 billion a year, giving it ample room for growth.
