Tuesday, May 31, 2011

An Open Source Analysis Of The Lockheed Martin Network Breach

From RSA website
On Saturday, 21 May 2011, multiple U.S. defense contractors [2] had their networks attacked by hackers who, in the case of Lockheed Martin, used duplicates of RSA's SecurID tokens to gain access to Lockheed's internal network. Of the defense contractors named as possible targets by Reuters (Boeing, Raytheon, General Dynamics, Northrop Grumman, Lockheed Martin), only Lockheed Martin has made public statements about the attack, and it did so only after LM employees began leaking information about the breach to tech blogger Robert X. Cringely on Wednesday, May 25th [3].

Here's what is known about the attack so far:
  1. On Saturday night, May 21, 2011 [2], Lockheed Martin's (NYSE:LMT) network was breached by attackers who had created duplicates of EMC Corp's (NYSE:EMC) RSA SecurID tokens [1].
  2. Late Sunday night, May 22, Lockheed shut down all remote access to its intranet for at least one week, possibly longer [3], [4].
  3. On Wednesday, May 25, Lockheed announced that all employees would have to reset their passwords, that all SecurID tokens would be replaced with new ones, and that an additional password would be required for remote logins [3], [4].
Lockheed's official press release [6] about the attack contains contradictory language that calls into question how accurate its own assessments are:
BETHESDA, Md, May 28th, 2011 -- On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.
The word tenacious means "not easily dispelled" and "persisting in existence". An attack cannot be "swiftly" dealt with and "persistent" at the same time. Further, "almost immediately" does not reconcile with the timeline assembled from the publicly available data above, which implies that the attackers had up to 24 hours of access to Lockheed's network before VPN access was shut off. Finally, while Lockheed claimed that no customer, program, or employee data had been compromised, the incident was significant enough for President Obama to receive a personal briefing on it, and for DHS and DOD (and presumably NSA) to offer their assistance with Lockheed's investigation [2], [4], [5].

Lockheed had slightly over two months' warning, counting from the time EMC notified it and other RSA SecurID customers about the RSA breach in mid-March [8]. In that period, at least one prime defense contractor (not Lockheed Martin) decided to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply its security tokens [7]. Judging by its remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology, in spite of many warnings issued by security specialists about the potential aftereffects of the RSA attack. Of particular note is the warning issued by ICANN's Whitfield Diffie, a cryptographic expert, who told John Markoff of the New York Times that "a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems" [8]. Apparently that is precisely what happened [1].
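To make Diffie's worst case concrete, here is an added example; it is not code from the original post and it is not RSA's proprietary SecurID algorithm, whose internals this page does not describe. It uses the public RFC 6238 TOTP scheme, which shares the one property that matters here: whoever holds a token's seed computes exactly the same codes as the token, so a stolen seed file is a cloned token. The seed is the RFC's published SHA-1 test key; the token serial, timestamp and replacement seed are constructed for the demonstration. The tail of the example also shows why token replacement, i.e. loading fresh seeds, is the remediation that actually counts: once the server holds a new seed, the attacker's copy of the old one stops validating.

```python
"""Added example: a stolen OTP seed is a cloned token (RFC 6238 TOTP).

Not RSA SecurID's algorithm and not code from the original post. The seed is
the RFC 4226/6238 SHA-1 test key; serial, clock and replacement seed are
constructed for the demo.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds each token code is valid


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP, digits)


class TokenServer:
    """Authentication server holding every token's seed (the 'seed file').
    This record is exactly what an attacker needs to clone tokens."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}  # token serial -> seed

    def enroll(self, serial: str, seed: bytes) -> None:
        """Bind a seed to a serial; re-enrolling models token replacement."""
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int,
               skew_steps: int = 1) -> bool:
        """Accept the code if it matches the current step or a neighbour,
        using a constant-time comparison."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        counter = unix_time // STEP
        for c in range(counter - skew_steps, counter + skew_steps + 1):
            if hmac.compare_digest(hotp(seed, c), code):
                return True
        return False


def demo() -> dict:
    """Clone a token from its seed, log in with it, then reseed the server."""
    seed = b"12345678901234567890"   # RFC 6238 SHA-1 test key (constructed)
    now = 59                         # constructed clock value
    serial = "TKN-0001"              # constructed serial

    server = TokenServer()
    server.enroll(serial, seed)

    legit = totp(seed, now)          # the code shown on the genuine token
    clone = totp(seed, now)          # attacker holding a copy of the seed
    results = {
        "legit_code": legit,
        "clone_matches": clone == legit,
        "clone_accepted": server.verify(serial, clone, now),
    }

    # Remediation that works: replace the token, i.e. enroll a fresh seed.
    # Password resets alone leave the cloned seed valid.
    server.enroll(serial, b"fresh-seed-after-token-replacement")  # constructed
    results["clone_after_reseed"] = server.verify(serial, clone, now)
    return results


if __name__ == "__main__":
    print(demo())
```

`hotp(seed, 1)` and `totp(seed, 59)` both equal the RFC test-vector value 287082, which is a useful sanity check that the implementation is the standard one; the point of the demo is that `clone_accepted` is true and `clone_after_reseed` is false, and nothing in between (password resets, extra remote-login passwords) changes the first of those.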

Lockheed Martin has a history of significant cybersecurity breaches dating back to Titan Rain in 2003 [9] and the F-35 Joint Strike Fighter program in 2009 [10]. It has never publicly acknowledged the F-35 breach, and it landed on the wrong side of the Sandia National Labs lawsuit (Lockheed Martin manages the lab) when a jury awarded a multi-million-dollar verdict to Shawn Carpenter for wrongful termination. By some ironic twist of fate, Shawn's employer, NetWitness, was acquired by EMC Corporation shortly after EMC's SecurID breach and a month or so before Lockheed's.

Clearly, the extent of the RSA SecurID breach was worse than EMC reported to the public, to the Securities and Exchange Commission, and to its customers; at least to the ones that I've spoken to. EMC is still refusing to acknowledge its role in this attack [11]. It will be interesting to see whether EMC is sued by Lockheed Martin or any of the other defense contractors for not providing accurate information on the extent of the SecurID compromise, and/or fined by the SEC for the same, even if Lockheed management couldn't read the tea leaves for themselves.

[1] Reuters, 27 May 2011: "Exclusive: Hackers breached US Defense Contractors": http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527
[2] NY Times, 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack"
[3] I, Cringely blog, 25 May 2011: "InsecurID: No More Secrets?": http://www.cringely.com/2011/05/insecureid-no-more-secrets/
[4] Reuters, 29 May 2011: "Lockheed says frequent cyber target from around the world": http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529
[5] MSNBC (Reuters), 28 May 2011: "Lockheed Thwarts Cyber Attack": http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/t/lockheed-martin-says-it-thwarted-tenacious-cyber-attack/
[6] Lockheed.com, 28 May 2011: "Lockheed Martin Customer, Program And Employee Data Secure": http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html
[7] SANS NewsBites, Vol. XIII, issue 24 (editorial comment by Alan Paller): http://www.sans.org/newsletters/newsbites/newsbites.php?vol=13&issue=24&rss=Y
[8] NY Times, 17 March 2011: "SecureID Company Suffers A Breach Of Data Security": http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=1
[9] Time.com, 29 August 2005: "The invasion of the Chinese cyberspies": http://www.time.com/time/magazine/article/0,9171,1098961,00.html
[10] WSJ.com, 21 April 2009: "Computer Spies Breach Fighter Jet Project"
[11] NY Times, 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack": http://www.nytimes.com/2011/05/30/business/30hack.html?_r=2&partner=rss&emc=rss

  1. Nice analysis with only public information. Great catalogue of references.

  2. Great post, J. I recall at the time the EMC breach was revealed, the conservative damage estimate assumed that SecureID/RSA seeds were stolen. That's the heart of their whole encryption system, no? If so, surprising how little public & corporate response seems to be.

  3. An insightful analysis backed up with statistics. There seems to be something more than meets the eye over this cyber attack thing.