Lockheed admits to hack that may portend more breaches

Lockheed Martin released a statement over the weekend admitting that its network was breached by sophisticated adversaries, but the company said no assets were compromised.

"On May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network," the statement, released Saturday, said. "The company's information security team detected the attack almost immediately and took aggressive actions to protect all systems and data. As a result...our systems remain secure; no customer, program or employee personal data has been compromised."

Some security experts, however, are skeptical that the nation's largest defense contractor is letting on to the true extent of the infiltration -- a breach on which President Obama was personally briefed.

Jeffrey Carr, founder and CEO of Taia Capital, which specializes in cybersecurity countermeasures for corporate executives and government officials who travel overseas, told on Monday that he doubts those responsible for the attack got away empty-handed.

"I tried to look at exactly what Lockheed says, and it's not well thought out," Carr said. "You can't have a significant and tenacious attack that was immediately stopped. Come on."

According to reports, Lockheed's security team disabled remote access to its virtual private network on May 22, one day after discovering the breach. But that still would have given the adversaries roughly 24 hours of free rein, Carr said.

"That's like letting a Wal-Mart shopper loose in the store after hours," he said. "The store's going to be empty [at the end of the night] because those people know what they're looking for."

Carr said the security team should be commended for detecting the hack so quickly, but Lockheed officials should be wary of ruling out any theft, especially considering the scale of Lockheed's network.

"There's just no way you can do a network assessment in a week and be able to say that nothing was breached and everything is wonderful," he said.

While Lockheed has not confirmed how the attack was orchestrated, security experts with sources working at Lockheed said the attackers used cloned SecurID tokens from RSA to gain access.

"The area that the attack was targeting was only accessible through a SecurID authentication," said Vikram Phatak, CTO of NSS Labs, which tests network security products. "The only way to get to that part of the network was using RSA tokens...The general network wasn't the target. It was a more highly regarded piece of the network [that required two-factor authentication]."

The intruders likely were able to create the tokens thanks to "seed" information they obtained earlier this year in the high-profile hijack of RSA, combined with a malware campaign that allowed them to steal usernames and one-time passwords that linked Lockheed end-users to specific tokens.

According to reports, since the attack, Lockheed has replaced its existing tokens and forced all users to reset their passwords.

In the meantime, experts say the Lockheed breach should prompt EMC, which owns RSA, to release more details about its own compromise. Carr said the company has been less than forthcoming in conversations with customers.

"I can tell you that there are individuals who work at EMC that are unhappy with the way their company has handled this investigation," he said. "Customers should have been advised about the scope. They had conversations [with EMC and RSA], but the conversations were not of sufficient detail to satisfy the customers."

Lockheed employs some 130,000 people worldwide and took in $45.8 billion of revenue in 2010. The Bethesda, Md.-based company is a massive U.S. government contractor. Among its product suite are missiles, fighter aircraft, radars and satellites.

Whether other SecurID customers have been or will be affected is pure conjecture at this point. But Phatak told on Monday that his "source" at Lockheed said other defense contractors were impacted.

"It was his understanding that they weren't the only ones," he said. "There may be others coming down the pike in the next few weeks."

A spokesperson at RSA did not immediately respond to a request for comment, though according to reports, the company said it was too early to connect its breach with the Lockheed incident.
