Chinese Connections

By Ericka Chickowski

Last week the threat of cyberwarfare and state-sponsored hacking activities flared up to show itself as more than just an imaginary boogeyman. The fleeting specter gained some tangibility with a number of incidents coming to light, including the details of a sophisticated attack against defense contractor Lockheed Martin, some of its subcontractors and potentially other defense contractors as well; a hack against Google Gmail aimed at gaining White House secrets; and proclamations from Department of Defense (DoD) officials that cyberwarfare will be treated as an act of war. All of these events have been tied together by speculation that their common denominator is the threat from China.

Lockheed and Defense Contractors

One of the biggest hacking events of the year, even though potentially not a lick of information was actually reported breached as a result, the Lockheed Martin incident has kicked up a lot of dust over the past few weeks because of its big-picture implications. Security experts claim that the recent attacks on Lockheed and several other defense contractors potentially leveraged information gained through the attack on RSA earlier this spring, which many speculate compromised the authentication token seeds for RSA's SecurID products.

The incident came to light on May 21 when news broke that Lockheed had shut down remote access to its internal network following a major attack on those resources. Journalist Robert Cringely reported early on that Lockheed reissued RSA tokens to all of its employees in the attack's wake.

A week later the company confirmed that it had come under attack, saying that "As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised."

Lockheed confirmed to the New York Times that the breach was linked to the RSA SecurID breach. It was just a matter of time, industry experts said. Experts with security testing and analysis firm NSS Labs had predicted in March that high-profile attacks against government-related targets utilizing SecurID would be hackers’ next chess move following the RSA breach.

"Since then, there have been malware and phishing campaigns in the wild seeking specific data linking RSA tokens to the end-user, leading us to believe that this attack was carried out by the original RSA attackers," wrote Rick Moy, president of NSS Labs, following the Lockheed news. "Given the military targets, and that millions of compromised keys are in circulation, this is not over."

And last week it was clear that Moy was right, as news surfaced of more government contractors potentially getting hit.

One source with Northrop Grumman told FoxNews.com that the firm "went through a domain name and password reset across the entire organization," though the firm publicly said it would not comment on cyberattacks against it. More concrete evidence of a SecurID connection also emerged last week when Wired published an internal memo it had obtained from defense contractor L-3 Communications, which stated that "L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information."

Chinese Connections

There's no direct evidence that Chinese-sponsored hackers were responsible for any of the defense contractors' woes, but it would certainly fit the trend of increasing pressure from China's underground attacks. The country was linked to a previous attack on Lockheed to steal plans for the F-35 Joint Strike Fighter, and numerous documents leaked from the DoD over the last few years have reported that the agency has many examples of Chinese-sponsored probing attacks levied against critical infrastructure targets within the U.S.

In fact, last week Google accused Chinese-sponsored hackers of targeting Gmail accounts of White House staffers. On Thursday China naturally denied the allegations, claiming in its state-run press that the allegation was "a fabrication out of thin air."

But the accusation and the verbal denial from China were serious and potentially grounded enough to bring U.S. Secretary of State Hillary Clinton out for a press conference, in which she explained that an FBI investigation was underway and that the White House was looking into the matter.

Meanwhile, DoD officials last week told the Wall Street Journal that the department was changing its policies to classify cyberwarfare activity as official acts of war.

"Given that malicious code can be used as a weapon and that attackers are capable of breaking into and controlling systems that are part of the national infrastructure, the Pentagon's strategy makes perfect sense," wrote Dr. Eugene Schultz, CTO at Emagined Security, in a recent update from the SANS Institute.

DoD officials did not link the policy change or its announcement with the Google attack or the attacks against defense contractors, but the timing was curious enough to raise the hackles of Chinese officials. On Friday the country accused the United States itself of conducting its own cyberwarfare activities against the Middle East, a statement that many consider a political move to distract from the accusations lodged against China.

Lesson: Be Prepared

According to some, the events of last week underscore a big transition the security industry must face.

"I do think that this (Lockheed) attack and many others is really a symptom of a sea change in the security threat landscape," says Brent Remai, vice president of marketing for security firm FireEye. "It's amazing how many of these attacks have happened in just the last three months. The whole industry's moved from just worms and viruses causing disruption of companies to spyware and bots that were really more for cybercrime and financial gain to now evolving even broader into state-sponsored attacks and cyber espionage, going after (intellectual property)."

With this progression of the threat, vendors and partners are going to need to help their customers navigate this change. So far, Remai says, they've been pretty unsuccessful.

"The security landscape is not really keeping up with the evolution of the sophistication of the attacks," he says. "Most people's defenses are signature-based and very reactive. Fundamentally they cannot stop the advanced zero day and targeted attacks."
This article was originally published on 2011-06-06