RSA Tokens, Lockheed Martin, APT, OH MY!

Friday, June 03, 2011

Infosec Island Admin


When @stiennon first re-tweeted the Cringley blog post that claimed LMCO had been hacked using EMC/RSA algorithms that were stolen in March, I thought oh frak, here we go.

Little did I know that the actual flap would not be the fact that LMCO had been under attack and potentially accessed via the RSA hack fallout, but instead that many people in the ‘community’ said EMC/RSA had nothing to do with it… Some rather vociferously in fact…

Having been in the defence contractor arena myself, I decided to touch base with someone I trust and who is usually in the know about this shortly after the Twitter storm began over this incident.

That person’s answer to my question of whether or not the RSA angle was true was: “It has merit”.

So, for me, the word of this person (who is a DIB partner) is enough to surmise that what they knew at the time was in fact true. It would seem that the RSA tokens may have been used in an attempt to gather data from LMCO.

What’s more, now we are learning that the attackers had access for approximately 24 hours before they were shut down. Those 24 hours gave plenty of time for certain types to grab what they want because they already know the lay of the landscape usually.

Yes.. You know who I am talking about.. An Advanced Persistent Threat aka China.

I can hear certain people in the community now groaning at the use of the APT acronym but let me put it to you all straight. If there was a hack on LMCO, maker of the JSF and numerous black type projects to boot, then it was likely China or another nation state’s actors that would be considered APT under the definition put forth by the military.

Sick of APT as a sales tool, you say? I agree, but if you moan or whine about this descriptor in this case, you are just setting yourselves up to look uninformed about the defence contractor security space.

While the full facts of the attack vector may never fully be known to anyone outside of the DIB (Defence Industrial Base) partners and certain cleared people, it is safe to assume that the attack was, as it has been described by LMCO, tenaciously prosecuted by the attackers.

This means that whoever it was wanted in and was ‘persistent’ enough to really make a go of it. LMCO has been the target of such attacks before, and in fact in this case, people are beginning to wonder why they did not follow other defence base partners and scrap their RSA tokens for another solution post the EMC hack.

That they didn’t may in fact be the reason that the aggressors decided it was time to try this attack. If they had carried it off as explained, with a combination of phishing emails and key logging, they could have had much greater access to the LMCO network, persistently and for longer, had they not been caught.

My money is on the Chinese as the aggressor here and I suspect they wanted even more data on the JSF (other than the 20 gig they got back a while ago) to round out their collection.

It is no coincidence that just before an air show recently the Chinese showed off a stealth aircraft of their own that had some striking similarities to hardware we have been working on. The Chinese want the superiority and they are willing to easily steal it from us, and when I say easily, I really do mean that.

We are a soft target and it’s unfortunate that the US is only learning that fact now.

Time will tell what we find out about the hack on LMCO; I am willing to bet that we will never know everything. But I should think that at the very least there may be some more of the DIB partners scrapping their RSA solution for something else.

K.

Cross-posted from Krypt3ia
