Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?

No one's saying for sure, but the timing of the attack and Lockheed's reported SecurID token updates have sparked plenty of speculation

An apparent wave of targeted attacks leveled against U.S. defense contractors this month has experts trying to determine whether the newly revealed attack on Lockheed Martin and others is in any way tied to the breach of RSA's SecurID token database earlier this year.

Lockheed Martin over the weekend revealed that it had detected a "significant and tenacious attack" on its network, but that no customer, employee, or program data was compromised. So far Lockheed is the only defense contractor to come forward, though Raytheon, General Dynamics, and L3 Communications have all reportedly been affected as well. Raytheon had not responded to press inquiries as of this posting, and General Dynamics issued this general statement that neither confirmed nor denied it had been breached: "General Dynamics proactively protects the security of our networks through a variety of measures, but we do not discuss specific information-security tools or techniques."

Wired reported today that L3 was also among the victimized contractors whose networks were compromised using stolen SecurID token information. So far neither Lockheed nor RSA has publicly confirmed that the attackers got into Lockheed's network via stolen or cloned SecurID tokens -- nor has any other defense contractor. But a Lockheed executive reportedly told The New York Times that it "cannot rule out" that the attack was related to that of RSA.

Not everyone is sold on the RSA hack connection with Lockheed Martin. David Maynor, CTO at Errata Security, says he doesn't believe the Lockheed breach was a result of stolen SecurID tokens. "The time line is too short," Maynor says. "Stealing the code, weaponizing it, leveraging it in a real attack, and being caught [just doesn’t add up]," according to Maynor. "It's possible, but why waste the best 0day of all time on [all of] that."

Rick Moy, president of NSS Labs, says it appears the attackers were able to clone the tokens they pilfered from RSA's SecurID servers and match the tokens with their individual users, thus giving them direct access to the victims' networks. "It's like getting a bunch of keys and not knowing what door they go to," Moy says. "They can brute-force and create permutations of different sequences that would unlock that 'door' … then they would find out who it's linked up to," Moy says. He says a subsequent wave of malware and phishing attacks in the wild fishing for data tying tokens to their users was the work of the original RSA attackers.

Those attacks likely use social engineering or keyloggers to gather the additional intelligence they needed, namely the PIN. If the attackers did use the stolen credentials, then this is the realization of the worst-case scenario fallout from the targeted attack against RSA back in March. The bad guys would have had to match a real user's token with the stolen SecurID data from RSA, notes Dave Jevans, chairman of IronKey. "To impersonate a real SecurID user, criminals must match user tokens to their stolen RSA SecurID data. This is most easily done by monitoring and attacking SecurID users. This may very well be going on right now on thousands of desktops and laptops around the world."

Meanwhile, security experts say this is only the tip of the iceberg. "Recent incidents may just be the beginning," Jevans says. "Instead of a corporate network, bank transactions could be next."

On May 22, Lockheed reportedly shut down all remote access to its intranet for several days after discovering the attack the day before. On May 25, employees were told to change their passwords and that their SecurID tokens would be swapped out for new ones. And Lockheed added another layer to remote log-in authentication.

How could such a large, powerful company like Lockheed Martin get burnt two months after RSA revealed that its SecurID servers had been breached? Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare," says it appears RSA didn't provide sufficient details to its customers in its nondisclosure revelations to them.

Carr says this is a game-changing hack. "If [the attackers] were able to get SecurID tokens or had the ability to duplicate them … that is something extremely valuable. To be able to breach RSA and then in 60 days simultaneously attack prime contractors in the government space … this is a record-setting breach from my perspective."

Given that the attacks have the telltale signs of an advanced persistent threat (APT) actor, speculation has immediately led to China, which is known for its industrial espionage capabilities. But a Chinese official dismissed charges that his country was behind the attack. "I'd say it's just irresponsible to arbitrarily link China to such cyber hacking activities in each and every turn," Wang Baodong, a Chinese Embassy spokesman in Washington, told Reuters. "As a victim itself, China is firmly against hacking activities and strongly for international cooperation on this front."

And Taia Global's Carr says that the attackers are not necessarily state-sponsored. "It's a mistake to blame China right off the bat. They are certainly responsible for a number of attacks, but they're not the only game in town," he says. "Russia is involved in many attacks, and this could easily have been financed by a large criminal organization … The data they steal would be valuable to competing companies," for example.

Even so, it's unclear why Lockheed Martin didn't better secure its tokens in the wake of the RSA breach, experts say. The company says its network is secure, and that it had detected the hack "almost immediately, and took aggressive actions to protect all systems and data."

"The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security," Lockheed said in a statement. "To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security."

Swapping out SecurID tokens is a pricey process, experts say. NSS Labs' Moy says some SecurID customers dropped the RSA products after the breach was revealed, while others are currently in the process of doing so. "The cost of product and labor for Lockheed's 130,000 employee tokens is not trivial … and you'd have to make sure remote workers were properly ID'ed when they come into the office," he says.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.