week has passed and Lockheed Martin Corp. (LMT),
the U.S. government's top information technology services provider, was hacked.
The attack has been characterized as a "fairly subtle", yet
"significant and tenacious" attack on servers at its
massive Gaithersburg, Maryland data center, located not far from the
company headquarters in Bethesda.
As details emerge the attack is appearing more and more like it was lifted out of a spy movie or Tom Clancy
novel. The hackers appeared to have gained entry using information stolen
in a separate, even more audacious attack of one of the world's highest profile
I. RSA Sec. Breach -- Prelude to the Lockheed Martin Attack?
Back in March hackers gained access to RSA Security's servers.
RSA Sec. takes its name from the last initials of founders Ron Rivest,
Adi Shamir, and Leonard Adleman, three top cryptographers. The trio's
popular public-key cryptography algorithm shares the same name -- RSA.
At the time of the RSA Sec. intrusion, the company commented that despite
the fact that it believed information was stolen, the company did not believe
customer information or the security of the company's software products were
not comprised. Yet, they did advise clients to follow online advice to safeguard
themselves against possible fallout from the data loss.
The attack on RSA was described as "extremely sophisticated".
Sources close to Lockheed point to compromised RSA SecurID tokens --
USB keychain dongles that generate strings of numbers for cryptography purposes
-- as playing a pivotal role in the Lockheed Martin hack.
II. Damage Control
Hackers are believed to have entered Lockheed Martin's servers by gaining
illegitimate access to the company's virtual private network (VPN). The
VPN allowed employees to connect over virtually any public network to the
company's primary servers, using information streams secured by cryptography.
With the RSA tokens hacked, though, those supposedly secure VPN connections
Lockheed says that it detected the attack "almost immediately" and
warded it off quickly. The company has since brought the VPN back online,
but not before "upgrades" to the RSA tokens and adding new layers of
security to the remote login procedure.
III. What Was Lost?
At this point the question on everyone's mind likely is "What was
Lockheed has cause for concern -- the company is not only safeguarding a wealth
of U.S. government military information from external sources, it's also
protecting its own valuable projects -- the F-16, F-22 and F-35 fighter
aircraft; the Aegis naval combat system; and the THAAD missile defense.
A U.S. Defense Department spokeswoman, Air Force Lieutenant Colonel April
Cunningham told Reuters Saturday night that
the risk from the breach was "minimal and we [the USAF] don't expect any
Lockheed Martin claims that no compromise of customer, program or employees'
personal data occurred. The company has made
similar claims about past breaches.
Now that the Pentagon is involved, if anything was stolen, it
should be identified shortly.
IV. Who Attacked Lockheed Martin?
After the pressing issue of what was lost, perhaps the second most compelling
question is who was behind the breach. Military officials and security
staff at Lockheed are looking for clues in local time stamped information
stored on the server and IP logs, trying to find out who accessed the
compromised systems from where and when.
The problem is not easy as hackers commonly reroute their malicious traffic
through multiple proxies, disguising their location. That said, given the
nature of attack -- take down one of the world's top security firms and then
use that information to compromise a top defense contractor -- involvement by a
foreign government is suspected.
Lockheed posted a job listing last week requesting the services of a "lead
computer forensic examiner". Requirements included someone who could
"attack signatures, tactics, techniques and procedures associated with
advanced threats" and "reverse engineer attacker encoding
protocols." The cyber forensics expert's first task will likely be
to try to pinpoint the identity of the attacker.
The most likely suspect is obviously China, with whom the U.S. government has
been waging a "cyberwar" with for a
decade now. China hires freelance hackers and maintains a large military
force of official hackers as well. It uses this force to infiltrate
international utilities, businesses, government servers, and defense
contractors, looking for valuable information.
China has recently been testing a stealth jet, the J-20, which contains
features curiously similar to those found on past Lockheed
Martin designs. China insists, though, that it did not use stolen
information to build its new weapon.
V. One Million Threats
Lockheed Martin's IT staff say they encounter 1 million "incidents" a
day. They have to filter through these, distinguishing "white
noise" from serious threats.
The Maryland data center from which information was taken is a state of the art
facility, built in 2008. It covers 25,000 square-feet and cost $17M USD
to build. But even with relatively modern systems and protections,
defenses were still not strong enough to hold off the sophisticated and savvy
The company has a separate back-up data center in Denver, Colorado, which
shares some of the company's contract workload. That center is not
believed to have been breached in the intrusion.
Going ahead, Lockheed Martin will invariably face pressure from the U.S.
Military and Congress to do a better job in making its systems breach-proof.
But given the company's budget versus China's virtually blank check given
to cyber security efforts, one has to wonder how much the company will be able
to do with so little.
Sondra Barbour, the company's chief information officer, reminded employees in
an email, "The fact is, in this new reality, we are a frequent target of
adversaries around the world."
quote: during the window in which the authenticator key was still valid.
quote: You mean they used a key logger coupled with a phishing site? They didnt defeat the rsa system, they defeated the user's intelligence.