Saturday, June 4, 2011

Lockheed Says Hacker Used Stolen SecurID Data

Via New York Times (June 3, 2011) -

Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.

Lockheed’s finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.

The tokens, which are used to protect remote access to computer networks, are sold by the RSA Security Division of the EMC Corporation. RSA officials said Friday that they accepted Lockheed’s findings and were working with customers to offset the risks through other measures.

RSA disclosed in March that hackers had stolen data that could compromise a company’s SecurID system in a broader attack, and the breach of Lockheed, the nation’s largest defense contractor, is the first time that is known to have occurred.

A rash of prominent breaches has brought new attention to an increase in the frequency and sophistication of computer hacking. Google said this week that it believed an effort to steal hundreds of Gmail passwords for accounts of prominent people, including senior American government officials, had originated in China.

The Pentagon, which has long been concerned about efforts by China and Russia to obtain military secrets, announced separately that it would soon view serious computer attacks from foreign nations as acts of war that could result in a military response.

RSA officials noted that Lockheed said it planned to continue using the SecurID tokens, and they said they believed other customers would as well. But security experts said RSA’s reputation had most likely been seriously damaged, and many of its 25,000 customers, including Fortune 500 companies and government agencies around the world, could face difficult decisions about what to do next.

RSA’s prospects for holding on to some of those customers “certainly seems bleak,” said Harry Sverdlove, the chief technology officer at Bit9, a firm that provides other types of security products and does not compete with RSA.

He and other experts said RSA might need to reprogram many of its security tokens or create an upgraded version to rebuild confidence in its systems.

In response to questions on Friday, Lockheed said in an e-mail that its computer experts had concluded that the breach at RSA in March was “a direct contributing factor” in the attack on its network. Government and industry officials said the hackers had used some of the RSA data and other techniques to piece together the coded password of a Lockheed contractor who had access to Lockheed’s system.

Lockheed, which makes fighter planes, spy satellites and other confidential equipment, said it had detected the attack quickly and blocked it before any important data was compromised.


Impressive timeframe. This means the attackers weaponized the stolen data from RSA very, very quickly and used it to target high-value target(s).

The stolen RSA data (leading to cloned tokens) could have been used as an initial attack vector or as an alternative entry method to maintain persistence... or both (my guess).

While APT should be categorized as such based more on the motives and objectives of the attackers [and less on techniques used], this shows the actors have the capability to push beyond standard exploitation techniques to achieve their objectives.

This is industrial / military espionage.
