Targeted Attacks On U.S. Defense Contractors: Fallout From RSA Breach?

Published: 22/11/2024   Category: security


No one's saying for sure, but the timing of the attack and Lockheed's reported SecurID token updates have sparked plenty of speculation.



An apparent wave of targeted attacks leveled against U.S. defense contractors this month has experts trying to determine whether the newly revealed attack on Lockheed Martin and others is in any way tied to the breach of RSA's SecurID token database earlier this year.
Lockheed Martin over the weekend revealed that it had detected a significant and tenacious attack on its network, but that no customer, employee, or program data was compromised. So far Lockheed is the only defense contractor to come forward, though Raytheon, General Dynamics, and L3 Communications have all reportedly been affected as well. Raytheon had not responded to press inquiries as of this posting, and General Dynamics issued this general statement that neither confirmed nor denied it had been breached: "General Dynamics proactively protects the security of our networks through a variety of measures, but we do not discuss specific information-security tools or techniques."
Wired reported today that L3 was also among the victimized contractors whose networks were compromised using stolen SecurID token information. So far neither Lockheed nor RSA has publicly confirmed that the attackers got into Lockheed's network via stolen or cloned SecurID tokens -- nor has any other defense contractor. But a Lockheed executive reportedly told The New York Times that it cannot rule out that the attack was related to that of RSA.
Not everyone is sold on the RSA hack connection with Lockheed Martin. David Maynor, CTO at Errata Security, says he doesn't believe the Lockheed breach was a result of stolen SecurID tokens. "The timeline is too short," Maynor says. "Stealing the code, weaponizing it, leveraging it in a real attack, and being caught [just doesn't add up]," according to Maynor. "It's possible, but why waste the best 0day of all time on [all of] that."
Rick Moy, president of NSS Labs, says it appears the attackers were able to clone the tokens they pilfered from RSA's SecurID servers and match the tokens with their individual users, thus giving them direct access to the victims' networks. "It's like getting a bunch of keys and not knowing what door they go to," Moy says. "They can brute-force and create permutations of different sequences that would unlock that door … then they would find out who it's linked up to," Moy says. He says a subsequent wave of malware and phishing attacks in the wild, fishing for data tying tokens to their users, was the work of the original RSA attackers.
Those attacks likely use social engineering or keyloggers to gather the additional intelligence the attackers need, namely the user's PIN. If the attackers did use the stolen credentials, then this is the realization of the worst-case scenario fallout from the targeted attack against RSA back in March. The bad guys would have had to match a real user's token with the stolen SecurID data from RSA, notes Dave Jevans, chairman of IronKey. "To impersonate a real SecurID user, criminals must match user tokens to their stolen RSA SecurID data. This is most easily done by monitoring and attacking SecurID users. This may very well be going on right now on thousands of desktops and laptops around the world."
Meanwhile, security experts say this is only the tip of the iceberg. "Recent incidents may just be the beginning," Jevans says. "Instead of a corporate network, bank transactions could be next."
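The matching step Moy and Jevans describe, shown as an added illustration that is not from the original article, from RSA, or from any of the companies named: an attacker holding a stolen seed database still has to learn which seed belongs to which user, and can do so by capturing one or two of a user's real passcodes (via the keylogger or phishing mentioned above) and brute-forcing the database for seeds that reproduce them. The model below uses a generic HMAC-SHA256 time-based tokencode as a stand-in for RSA's proprietary SecurID algorithm, assumes a 60-second window and 6-digit codes, and constructs its own seed database, victim serial, PIN and captured passcodes; none of those values come from the page.

```python
"""Matching stolen OTP seeds to captured passcodes (added illustration).

Uses a generic HMAC-SHA256 time-based tokencode as a stand-in for RSA's
proprietary SecurID algorithm. The seed database, victim serial, PIN,
login times and captured passcodes are all constructed for the example.
"""
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds per tokencode window (assumption, not SecurID's)
DIGITS = 6      # tokencode length (assumption)


def tokencode(seed: bytes, window: int) -> str:
    """Generic time-based tokencode: HMAC(seed, window) truncated to DIGITS."""
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def make_stolen_db(n: int) -> dict:
    """Constructed stand-in for a stolen seed database: serial -> seed bytes."""
    return {f"{i:012d}": hashlib.sha256(b"demo-seed-" + str(i).encode()).digest()
            for i in range(n)}


def split_passcode(passcode: str) -> tuple:
    """Passcode = PIN followed by the tokencode. A keylogger captures the whole
    string, so the attacker learns the PIN and the tokencode together; the
    tokencode length is public, so the split point is known."""
    return passcode[:-DIGITS], passcode[-DIGITS:]


def candidates(db: dict, observed_code: str, window: int) -> list:
    """Brute-force: every serial whose seed reproduces the captured tokencode
    in the window it was captured in."""
    return [serial for serial, seed in db.items()
            if tokencode(seed, window) == observed_code]


def match_observations(db: dict, observations: list) -> list:
    """Intersect candidate sets across several (window, tokencode) captures;
    each extra capture divides the expected false-match count by 10**DIGITS."""
    remaining = None
    for window, code in observations:
        hits = set(candidates(db, code, window))
        remaining = hits if remaining is None else remaining & hits
    return sorted(remaining or [])


def expected_false_matches(db_size: int, digits: int, captures: int) -> float:
    """Expected number of wrong seeds still matching after `captures` codes
    from one user, assuming uniformly distributed tokencodes."""
    return db_size / (10 ** digits) ** captures


if __name__ == "__main__":
    db = make_stolen_db(50_000)
    victim = "000000001234"             # constructed: the user being monitored
    window = 1_640_000_000 // INTERVAL  # constructed login time
    pin = "4821"                        # constructed PIN typed by the victim
    # Two logins captured by a keylogger: PIN + tokencode each time.
    captured = [(window + k, pin + tokencode(db[victim], window + k)) for k in (0, 1)]
    observations = [(w, split_passcode(p)[1]) for w, p in captured]
    print("recovered PIN:", split_passcode(captured[0][1])[0])
    print("after one capture:", len(candidates(db, observations[0][1], window)), "candidate seed(s)")
    print("after two captures:", match_observations(db, observations))
    print("expected false matches, 1M-seed DB, 6 digits, 1 vs 2 captures:",
          expected_false_matches(1_000_000, 6, 1), expected_false_matches(1_000_000, 6, 2))
```

The numbers from expected_false_matches are the point: against a million stolen seeds a single 6-digit capture leaves about one wrong seed in contention, but a second capture from the same user reduces that to roughly one in a million, which is why monitoring users briefly is enough to tie tokens to owners. The same arithmetic says what a defender gains from re-seeding tokens: once the seed database is replaced, the brute-force step has nothing to search.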
On May 22, Lockheed reportedly shut down all remote access to its intranet for several days after discovering the attack the day before. On May 25, employees were told to change their passwords and that their SecurID tokens would be swapped out for new ones. And Lockheed added another layer to remote log-in authentication.
How could such a large, powerful company as Lockheed Martin get burnt two months after RSA revealed that its SecurID servers had been breached? Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare," says it appears RSA didn't provide sufficient details to its customers in the disclosures it made to them under nondisclosure agreements.
Carr says this is a game-changing hack. "If [the attackers] were able to get SecurID tokens or had the ability to duplicate them … that is something extremely valuable. To be able to breach RSA and then in 60 days simultaneously attack prime contractors in the government space … this is a record-setting breach from my perspective."
Given that the attacks have the telltale signs of an advanced persistent threat (APT) actor, speculation has immediately led to China, which is known for its industrial espionage capabilities. But a Chinese official dismissed charges that his country was behind the attack. "I'd say it's just irresponsible to arbitrarily link China to such cyber hacking activities in each and every turn," Wang Baodong, a Chinese Embassy spokesman in Washington, told Reuters. "As a victim itself, China is firmly against hacking activities and strongly for international cooperation on this front."
And Taia Global's Carr says that the attackers are not necessarily state-sponsored. "It's a mistake to blame China right off the bat. They are certainly responsible for a number of attacks, but they're not the only game in town," he says. "Russia is involved in many attacks, and this could easily have been financed by a large criminal organization … The data they steal would be valuable to competing companies, for example."
Even so, it's unclear why Lockheed Martin didn't better secure its tokens in the wake of the RSA breach, experts say. The company says its network is secure, that it had detected the hack almost immediately, and that it took "aggressive actions to protect all systems and data."
"The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security," Lockheed said in a statement. "To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security."
Swapping out SecurID tokens is a pricey process, experts say. NSS Labs' Moy says some SecurID customers dropped the RSA products after the breach was revealed, while others are currently in the process of doing so. "The cost of product and labor for Lockheed's 130,000 employee tokens is not trivial … and you'd have to make sure remote workers were properly IDed when they come into the office," he says.
