5/31/2011 05:55 PM

Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?

No one's saying for sure, but the timing of the attack and Lockheed's reported SecurID token updates have sparked plenty of speculation

An apparent wave of targeted attacks leveled against U.S. defense contractors this month has experts trying to determine whether the newly revealed attack on Lockheed Martin and others is in any way tied to the breach of RSA's SecurID token database earlier this year.

Lockheed Martin over the weekend revealed that it had detected a "significant and tenacious attack" on its network, but that no customer, employee, or program data was compromised. So far Lockheed is the only defense contractor to come forward, though Raytheon, General Dynamics, and L3 Communications have all reportedly been affected as well. Raytheon had not responded to press inquiries as of this posting, and General Dynamics issued this general statement that neither confirmed nor denied it had been breached: "General Dynamics proactively protects the security of our networks through a variety of measures, but we do not discuss specific information-security tools or techniques."

Wired reported today that L3 was also among the victimized contractors whose networks were compromised using stolen SecurID token information. So far neither Lockheed nor RSA has publicly confirmed that the attackers got into Lockheed's network via stolen or cloned SecurID tokens -- nor has any other defense contractor. But a Lockheed executive reportedly told The New York Times that it "cannot rule out" that the attack was related to that of RSA.

Not everyone is sold on the RSA hack connection with Lockheed Martin. David Maynor, CTO at Errata Security, says he doesn't believe the Lockheed breach was a result of stolen SecurID tokens. "The time line is too short," Maynor says. "Stealing the code, weaponizing it, leveraging it in a real attack, and being caught [just doesn’t add up]," according to Maynor. "It's possible, but why waste the best 0day of all time on [all of] that."

Rick Moy, president of NSS Labs, says it appears the attackers were able to clone the tokens they pilfered from RSA's SecurID servers and match the tokens with their individual users, thus giving them direct access to the victims' networks. "It's like getting a bunch of keys and not knowing what door they go to," Moy says. "They can brute-force and create permutations of different sequences that would unlock that 'door' … then they would find out who it's linked up to," Moy says. He says a subsequent wave of malware and phishing attacks in the wild fishing for data tying tokens to their users was the work of the original RSA attackers.

Those attacks likely used social engineering or keyloggers to gather the additional intelligence the attackers needed, namely the PIN. If the attackers did use the stolen credentials, then this is the realization of the worst-case fallout from the targeted attack against RSA back in March. The bad guys would have had to match a real user's token with the stolen SecurID data from RSA, notes Dave Jevans, chairman of IronKey. "To impersonate a real SecurID user, criminals must match user tokens to their stolen RSA SecurID data. This is most easily done by monitoring and attacking SecurID users. This may very well be going on right now on thousands of desktops and laptops around the world."
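As an added illustration (not code from the article, and not RSA's proprietary SecurID algorithm, for which a standard RFC 6238 TOTP stands in here), the following models the three points above: a stolen seed database by itself does not yield a valid login, a seed plus a captured PIN and a seed-to-user mapping does, and reissuing the token with a fresh seed makes the stolen seed worthless. All users, seeds and PINs are constructed.

```python
import hashlib
import hmac
import struct

# Stand-in for the seed-based token code: RFC 4226/6238 HOTP/TOTP, not SecurID's
# own algorithm. The property that matters is the same: anyone holding the seed
# can compute the code for any time window.
def token_code(seed: bytes, t: int, step: int = 60, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenServer:
    """Toy authentication server: user -> (seed, sha256(PIN)). Constructed data."""
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, str]] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, hashlib.sha256(pin.encode()).hexdigest())

    def verify(self, user: str, passcode: str, t: int) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        seed, pin_hash = rec
        # Passcode = PIN ("something you know") followed by the 6-digit token code.
        pin, code = passcode[:-6], passcode[-6:]
        if hashlib.sha256(pin.encode()).hexdigest() != pin_hash:
            return False
        # Accept the current window plus one neighbour each side for clock drift.
        return any(hmac.compare_digest(code, token_code(seed, t + d)) for d in (-60, 0, 60))

def scenario() -> dict:
    t = 1_700_000_000                      # constructed "current time"
    server = TokenServer()
    alice_seed = hashlib.sha256(b"constructed-seed-alice").digest()
    server.enroll("alice", alice_seed, "4821")
    # 1. Seed only (what a stolen seed database gives): code is right, PIN is missing.
    seed_only = server.verify("alice", token_code(alice_seed, t), t)
    # 2. Seed + keylogged PIN + knowledge of which user owns the seed: full impersonation.
    seed_plus_pin = server.verify("alice", "4821" + token_code(alice_seed, t), t)
    # 3. Remedy: reissue the token with a fresh seed; the stolen seed now fails.
    server.enroll("alice", hashlib.sha256(b"constructed-seed-alice-v2").digest(), "4821")
    after_reseed = server.verify("alice", "4821" + token_code(alice_seed, t), t)
    return {"seed_only": seed_only, "seed_plus_pin": seed_plus_pin, "after_reseed": after_reseed}
```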

Meanwhile, security experts say this is only the tip of the iceberg. "Recent incidents may just be the beginning," Jevans says. "Instead of a corporate network, bank transactions could be next."

On May 22, Lockheed reportedly shut down all remote access to its intranet for several days after discovering the attack the day before. On May 25, employees were told to change their passwords and that their SecurID tokens would be swapped out for new ones. And Lockheed added another layer to remote log-in authentication.

How could such a large, powerful company like Lockheed Martin get burnt two months after RSA revealed that its SecurID servers had been breached? Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare," says it appears RSA didn't provide sufficient details to its customers in its nondisclosure revelations to them.

Carr says this is a game-changing hack. "If [the attackers] were able to get SecurID tokens or had the ability to duplicate them … that is something extremely valuable. To be able to breach RSA and then in 60 days simultaneously attack prime contractors in the government space … this is a record-setting breach from my perspective."

Given that the attacks have the telltale signs of an advanced persistent threat (APT) actor, speculation has immediately led to China, which is known for its industrial espionage capabilities. But a Chinese official dismissed charges that his country was behind the attack. "I'd say it's just irresponsible to arbitrarily link China to such cyber hacking activities in each and every turn," Wang Baodong, a Chinese Embassy spokesman in Washington, told Reuters. "As a victim itself, China is firmly against hacking activities and strongly for international cooperation on this front."

And Taia Global's Carr says that the attackers are not necessarily state-sponsored. "It's a mistake to blame China right off the bat. They are certainly responsible for a number of attacks, but they're not the only game in town," he says. "Russia is involved in many attacks, and this could easily have been financed by a large criminal organization … The data they steal would be valuable to competing companies," for example.

Even so, it's unclear why Lockheed Martin didn't better secure its tokens in the wake of the RSA breach, experts say. The company says its network is secure, and that it had detected the hack "almost immediately, and took aggressive actions to protect all systems and data."

"The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security," Lockheed said in a statement. "To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security."

Swapping out SecurID tokens is a pricey process, experts say. NSS Labs' Moy says some SecurID customers dropped the RSA products after the breach was revealed, while others are currently in the process of doing so. "The cost of product and labor for Lockheed's 130,000 employee tokens is not trivial … and you'd have to make sure remote workers were properly ID'ed when they come into the office," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

openeyed, User Rank: Apprentice
1/30/2012 | 7:07:10 PM
re: Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?
Why should it be any surprise anyone would want to "attack American defense contractors"??? In fact, the American people themselves would do their country a great honor in going against these horrific war profiteers helping to bring down the USA's security, freedom, economy and overall social well-being. -Ironic? Only due to the fact so many Americans are very uneducated on the historic American imperialism and militarism that are tearing the U.S. apart today, leading it toward mediocrity and bankruptcy. -It takes travel to other continents (with higher peace/freedoms), reading a lot, thinking outside the box of American supremacy to see this. We are all conditioned to think we are "fighting for our country", when in fact it's always really been about Wall Street's corrupt investments into financial weapons of mass destruction, spending trillions in that direction over the past decade while taking from more beneficial areas to produce a positive economy and society.....education, hospitals etc. -The media puppets believe the USA spends a lot on education or healthcare, which are both now so privatized for profits that could not be further from the truth. -We need huge drastic cuts in so-called "defense"; our overbloated MIC goes against warnings of several of our founding fathers and is very antithetical to American liberties. War does not "protect our country". We are becoming a negative High Hitler style military dictatorship and less and less the "free nation" the disillusion will have you think. Funny thing is, it's those of us today with no financial stress, owning nice homes, no credit card debt...that see this. Since we are not fighting with anyone, from the imaginary demons in other nations to our mortgage brokers or legions of pills and cognac, we can take a healthy objective step back and look at our American culture closely. -One of guided missiles, misguided women and men, and a republic in peril due to it all.
-The empire is self-destructing, and looking very anti-American. -Want to do something good for America? Go to college, clean up the environment, volunteer in schools, become a doctor, learn to say "NO" to the military just as you would to drugs, robbery, or any OTHER type of assassination for money. -Move away from the false notion that it is "brave to be a warrior" or somehow more appropriate or an "option" for a man than a woman. -NOT!!!!!