Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?

No one's saying for sure, but the timing of the attack and Lockheed's reported SecurID token updates have sparked plenty of speculation

An apparent wave of targeted attacks leveled against U.S. defense contractors this month has experts trying to determine whether the newly revealed attack on Lockheed Martin and others is in any way tied to the breach of RSA's SecurID token database earlier this year.

Lockheed Martin over the weekend revealed that it had detected a "significant and tenacious attack" on its network, but that no customer, employee, or program data was compromised. So far Lockheed is the only defense contractor to come forward, though Raytheon, General Dynamics, and L3 Communications have all reportedly been affected as well. Raytheon had not responded to press inquiries as of this posting, and General Dynamics issued this general statement that neither confirmed nor denied it had been breached: "General Dynamics proactively protects the security of our networks through a variety of measures, but we do not discuss specific information-security tools or techniques."

Wired reported today that L3 was also among the victimized contractors whose networks were compromised using stolen SecurID token information. So far neither Lockheed nor RSA has publicly confirmed that the attackers got into Lockheed's network via stolen or cloned SecurID tokens -- nor has any other defense contractor. But a Lockheed executive reportedly told The New York Times that it "cannot rule out" that the attack was related to that of RSA.

Not everyone is sold on the RSA hack connection with Lockheed Martin. David Maynor, CTO at Errata Security, says he doesn't believe the Lockheed breach was a result of stolen SecurID tokens. "The time line is too short," Maynor says. "Stealing the code, weaponizing it, leveraging it in a real attack, and being caught [just doesn’t add up]," according to Maynor. "It's possible, but why waste the best 0day of all time on [all of] that."

Rick Moy, president of NSS Labs, says it appears the attackers were able to clone the tokens they pilfered from RSA's SecurID servers and match the tokens with their individual users, thus giving them direct access to the victims' networks. "It's like getting a bunch of keys and not knowing what door they go to," Moy says. "They can brute-force and create permutations of different sequences that would unlock that 'door' … then they would find out who it's linked up to," Moy says. He says a subsequent wave of malware and phishing attacks in the wild fishing for data tying tokens to their users was the work of the original RSA attackers.

Those attacks likely used social engineering or keyloggers to gather the additional intelligence the attackers needed, namely each victim's PIN and which token serial belongs to which user. If the attackers did use the stolen credentials, then this is the realization of the worst-case fallout from the targeted attack against RSA back in March. The bad guys would have had to match a real user's token with the stolen SecurID data from RSA, notes Dave Jevans, chairman of IronKey. "To impersonate a real SecurID user, criminals must match user tokens to their stolen RSA SecurID data. This is most easily done by monitoring and attacking SecurID users. This may very well be going on right now on thousands of desktops and laptops around the world."
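The attack path Moy and Jevans describe above, as an added example that is not from the article, RSA or Lockheed: a stolen seed database is only useful once a seed can be tied to a user and paired with that user's PIN, and swapping the token (a new seed) kills the clone. The model below is an RFC 4226/6238-style HMAC token used as a stand-in for SecurID's proprietary algorithm (an assumption; SecurID does not use this construction), and the serials, seeds, users and PINs are constructed.

```python
"""Added example, not code from the article, RSA or Lockheed.
Stand-in token: HOTP/TOTP-style HMAC-SHA1 with a 60-second step (assumption:
SecurID's real algorithm is proprietary and differs). All data is constructed."""
import hmac
import hashlib
import struct

STEP = 60  # seconds per tokencode, matching SecurID's 60 s rollover


def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """Tokencode for the time step containing t (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


# Constructed stand-in for the vendor-side seed database: serial -> seed.
# This is the kind of data the attackers are said to have taken from RSA.
SEED_DB = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "000123456790": bytes.fromhex("deadbeefcafebabe0123456789abcdef"),
    "000123456791": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

# Constructed customer-side records: which serial each user holds, and the PIN.
# Neither mapping lives in the vendor's seed database.
USERS = {
    "alice": {"serial": "000123456789", "pin": "4821"},
    "bob": {"serial": "000123456791", "pin": "9035"},
}


def verify(user: str, passcode: str, t: int, window: int = 1,
           seeds=SEED_DB, users=USERS) -> bool:
    """Server-side check. passcode = PIN followed by tokencode; accept +/- window steps."""
    rec = users.get(user)
    if rec is None:
        return False
    pin, code = passcode[:len(rec["pin"])], passcode[len(rec["pin"]):]
    if not hmac.compare_digest(pin, rec["pin"]):
        return False
    seed = seeds[rec["serial"]]
    return any(hmac.compare_digest(code, token_code(seed, t + k * STEP))
               for k in range(-window, window + 1))


def match_seed_to_observed(seeds, observed_code: str, t: int, window: int = 1):
    """Moy's 'keys without doors' step: given the stolen seeds and one tokencode
    observed from a user (e.g. keylogged) at time t, find the matching serial(s)."""
    return [serial for serial, seed in seeds.items()
            if any(token_code(seed, t + k * STEP) == observed_code
                   for k in range(-window, window + 1))]


def reseed(serial: str, new_seed: bytes, seeds):
    """Token swap: the serial keeps its user, but the seed the clone relies on changes."""
    updated = dict(seeds)
    updated[serial] = new_seed
    return updated


def demo(t: int = 1306000000) -> dict:
    """Walk through capture, seed matching, forgery and the re-seeding fix."""
    alice_serial = USERS["alice"]["serial"]
    # 1. Alice logs in; a keylogger on her laptop captures PIN + tokencode.
    alice_code = token_code(SEED_DB[alice_serial], t)
    captured = USERS["alice"]["pin"] + alice_code
    login_ok = verify("alice", captured, t)
    # 2. With the stolen seed DB, the captured tokencode identifies her serial.
    hits = match_seed_to_observed(SEED_DB, alice_code, t)
    # 3. Seed + PIN now yield valid passcodes at any later time (a cloned token).
    later = t + 3600
    forged = USERS["alice"]["pin"] + token_code(SEED_DB[alice_serial], later)
    forged_ok = verify("alice", forged, later)
    # 4. The customer swaps Alice's token; the stolen seed no longer verifies.
    fresh = reseed(alice_serial, bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90"), SEED_DB)
    forged_after_reseed = verify("alice", forged, later, seeds=fresh)
    return {
        "login_ok": login_ok,
        "serial_identified": alice_serial in hits,
        "forged_ok": forged_ok,
        "forged_after_reseed": forged_after_reseed,
    }


if __name__ == "__main__":
    print(demo())
```

Note what each defense in the article buys in this model: changing passwords alone does nothing against a cloned token, re-seeding (swapping tokens) invalidates the stolen seed outright, and the extra remote-login factor Lockheed added is a hedge for the interval before every token is replaced. A lock-out after a handful of failed passcodes also matters, because the serial-matching step is cheap once the attacker can observe even one real tokencode.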

Meanwhile, security experts say this is only the tip of the iceberg. "Recent incidents may just be the beginning," Jevans says. "Instead of a corporate network, bank transactions could be next."

On May 22, Lockheed reportedly shut down all remote access to its intranet for several days after discovering the attack the day before. On May 25, employees were told to change their passwords and that their SecurID tokens would be swapped out for new ones. And Lockheed added another layer to remote log-in authentication.

How could a company as large and well-resourced as Lockheed Martin get hit two months after RSA revealed that its SecurID servers had been breached? Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare," says it appears RSA did not give customers sufficient detail in the briefings it provided to them under nondisclosure agreements.

Carr says this is a game-changing hack. "If [the attackers] were able to get SecurID tokens or had the ability to duplicate them … that is something extremely valuable. To be able to breach RSA and then in 60 days simultaneously attack prime contractors in the government space … this is a record-setting breach from my perspective."

Given that the attacks have the telltale signs of an advanced persistent threat (APT) actor, speculation has immediately led to China, which is known for its industrial espionage capabilities. But a Chinese official dismissed charges that his country was behind the attack. "I'd say it's just irresponsible to arbitrarily link China to such cyber hacking activities in each and every turn," Wang Baodong, a Chinese Embassy spokesman in Washington, told Reuters. "As a victim itself, China is firmly against hacking activities and strongly for international cooperation on this front."

And Taia Global's Carr says that the attackers are not necessarily state-sponsored. "It's a mistake to blame China right off the bat. They are certainly responsible for a number of attacks, but they're not the only game in town," he says. "Russia is involved in many attacks, and this could easily have been financed by a large criminal organization … The data they steal would be valuable to competing companies," for example.

Even so, it's unclear why Lockheed Martin didn't better secure its tokens in the wake of the RSA breach, experts say. The company says its network is secure, and that it had detected the hack "almost immediately, and took aggressive actions to protect all systems and data."

"The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security," Lockheed said in a statement. "To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security."

Swapping out SecurID tokens is a pricey process, experts say. NSS Labs' Moy says some SecurID customers dropped the RSA products after the breach was revealed, while others are currently in the process of doing so. "The cost of product and labor for Lockheed's 130,000 employee tokens is not trivial … and you'd have to make sure remote workers were properly ID'ed when they come into the office," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

1/30/2012 | 7:07:10 PM
re: Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?
Why should it be any surprise anyone would want to "attack American defense contractors"??? In fact, the American people themselves would do their country a great honor in going against these horrific war profiteers helping to bring down the USA's security, freedom, economy and overall social well-being. Ironic? Only due to the fact so many Americans are very uneducated on the historic American imperialism and militarism that are tearing the U.S. apart today, leading it toward mediocrity and bankruptcy. It takes travel to other continents (with higher peace/freedoms), reading a lot, thinking outside the box of American supremacy to see this. We are all conditioned to think we are "fighting for our country", when in fact it's always really been about Wall Street's corrupt investments into financial weapons of mass destruction, spending trillions in that direction over the past decade while taking from more beneficial areas to produce a positive economy and society: education, hospitals etc. The media puppets believing the USA spends a lot on education or healthcare, which are both now so privatized for profits, could not be further from the truth. We need huge drastic cuts in so-called "defense"; our overbloated MIC goes against the warnings of several of our founding fathers and is very antithetical to American liberties. War does not "protect our country". We are becoming a negative "Heil Hitler"-style military dictatorship and less and less the "free nation" the disillusion will have you think. Funny thing is, it's those of us today with no financial stress, owning nice homes, no credit card debt, that see this. Since we are not fighting with anyone, from the imaginary demons in other nations to our mortgage brokers or legions of pills and cognac, we can take a healthy, objective step back and look at our American culture closely. One of guided missiles, misguided women and men, and a republic in peril due to it all.
The empire is self-destructing, and looking very anti-American. Want to do something good for America? Go to college, clean up the environment, volunteer in schools, become a doctor, learn to say "NO" to the military just as you would to drugs, robbery, any OTHER type of assassination for money. Move away from the false notion it is "brave to be a warrior" or somehow more appropriate or an "option" for a man than a woman. NOT!!!!!