
Monday, 06 June 2011

Was The RSA-Lockheed-L-3 Breach Over A $2.6B DHS Contract?

[Figure: Site plan of the new DHS building]
Since my original post on the Lockheed Martin / prime contractors breach, which I and other security researchers connected to the EMC RSA breach (a fact that EMC has now conceded), I've been investigating possible motives for this multi-faceted attack. It's always been my belief that RSA's technology was not the primary target but a means to an end. And that "end" apparently involved breaching the networks of multiple Department of Defense contractors: Lockheed Martin, L-3 Communications, and allegedly Northrop Grumman. Other primes mentioned as possibilities by Reuters included General Dynamics, Boeing, and Raytheon.

If RSA was stage one of a multi-stage operation, that would suggest that Lockheed, L-3, and Northrop Grumman, as the targets, would have something else in common besides just being DOD contractors. Since it's my belief that the EMC RSA attack started earlier than March 2011 and took some planning prior to its launch, I began looking for contract awards in mid to late 2010 that involved the three victim companies. I found a couple of possibilities that warranted further consideration, but then I came across this news item from November 8, 2010: "4 competitors protest award of $2.6 billion IT contract to Northrop Grumman".

The award, which is now up for re-bidding (GSA solicitation GST0011AJ0021), is for the crown jewels of the new Department of Homeland Security headquarters: building the infrastructure which will support information technology, telecommunications, security, and building management systems. The contractors who filed protests with GAO are Lockheed Martin, General Dynamics, Serco and L-3 Communications. Of the five companies involved, Lockheed and L-3 are confirmed attack targets, Northrop is an alleged target and General Dynamics is a possible target. Serco hasn't been named by any sources familiar with this attack, but they also don't use RSA SecurID tokens, opting instead for Signify, one of RSA's competitors in two-factor authentication.

In order to compete for an award, companies must submit detailed technical proposals in written and oral form with an accompanying slide deck. DHS' acquisition schedule for the competing vendors corresponds with the known dates of the attacks:
[Figure: DHS TIP Industry Day deck, slide 39]
According to the schedule on slide #39, vendor written proposals were due in April and orals were due in May. L-3 Communications announced active targeting with penetration attacks on April 6, 2011, while Lockheed reported that its breach commenced on May 21. Late May was also the time of the alleged attack against Northrop Grumman.

The information and communications infrastructure of the new DHS headquarters would certainly be a target of interest for foreign intelligence services like the FSB. Even the technical proposals from competing DOD contractors would contain valuable information. The level of detail asked for by DHS is fairly intensive, as evidenced by the following slide, which breaks out one of the eight required tasks:
[Figure: Task 2: Requirements Analysis and Design, slide 26]
If the November 2010 article in the Washington Post triggered the planning stage of the operation, it offered sufficient time for an adversary to discover that the vendors shared the same two-factor authentication technology, perform social engineering research on the target companies' employees, probe company websites for vulnerabilities, and craft customized attacks if needed. This doesn't require the resources of a nation state. Any experienced Eastern European hacker crew could pull it off with a relatively low budget. The upside, however, is huge. The information contained in those DHS technical proposals could be sold to multiple foreign governments and net the crew a seven-figure or eight-figure payday. And considering the scope of the DHS HQ project (the largest federal construction job since the Pentagon was built in the 1940s, according to the Washington Post), this probably isn't the end of it. Whichever prime contractor wins the TIP contract, along with its sub-contractors, will almost certainly become the next target to be compromised.



Thursday, 02 June 2011

18 Days From 0day to 8K - An RSA Attack Timeline Analysis

There was a lot that bothered me about the official statements surrounding the RSA SecurID breach. For example, they claimed to be victims of an Advanced Persistent Threat that was neither advanced nor persistent. Then there was news of a related attack against L3 Communications prior to 6 April, less than three weeks after the Coviello letter was made public on 17 Mar 2011. I decided to construct a timeline out of the available facts and see if it supports or conflicts with RSA President Art Coviello's [3] and Mr. Uri Rivner's [10] versions of what happened. Either the attack was short-lived, as Mr. Rivner claims, or it was of much longer duration, which would put RSA Security division products at greater risk of compromise, along with EMC's customers who use them, such as Lockheed Martin [6], L3 Communications [5], and possibly Northrop Grumman [11], among others.


According to Rivner's "Anatomy of an Attack" blog post of 1 April 2011 [10], the attacker used a zero-day Flash exploit (CVE-2011-0609) [4]. Neither Rivner nor Coviello provided information about the duration of the attack; however, it was easy to calculate. The 0day that was used in the attack was created on 28 Feb 2011 by a Chinese hacker whose Twitter alias is yuange1975 [2].
[Figure: yuange1975's Twitter page]
If you do the math, 28 Feb to 17 March is 18 days. Think about that for a minute. 18 days from 0day to EMC's 8-K filing with the SEC. If your head isn't already spinning in disbelief, here's a list of what Uri Rivner claims happened, interspersed with other key dates.
  1. At some point on or after 28 Feb 2011, an attacker acquired yuange1975's Flash 0day, embedded it into an .xls spreadsheet entitled "2011 Recruitment Plan" along with a Poison Ivy RAT payload, and wrote a spear phishing letter to deliver it (est. #/days = ?) [2], [4]
  2. Attacker sent two different phishing emails over a 2 day period before one employee opened the attachment. (est. #/days = 2) [10]
  3. Attacker gained access to RSA network, learned who the privileged users were who had access to sensitive material and stole their credentials, navigated their way across protected levels of access with multiple authentications, intrusion detection systems, and other layers of defense in depth (est. #/days = ?) [10]
  4. Attacker "established access to staging servers at key aggregation points; then went into the servers of interest, removed data (some related to SecurID) and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction" (est. #/days = ?) [10], [3]
  5. Attacker "used FTP to transfer password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack." (est. #/days = ?) [10]
  6. EMC/RSA Security discovered the attack (date unknown), conducted a forensics investigation, and reported their findings to EMC executives
  7. RSA notified SecurID customers individually under NDA (est. #/days to contact 25,000 customers = ?) [8], [9]
  8. EMC lawyers edited and/or approved Art Coviello's statement which served as both its customer letter and SEC 8-K notification, which was finally published on 17 Mar 2011. (est. #/days = ?) [3], [7]
I invite readers to make their own estimates of the number of days that it might take to accomplish any of these 8 steps, particularly those involving forensic investigators and attorneys. The 18 day figure is impossibly brief, which means that the likely first stage of the prime defense contractor attacks in April and May was deliberately downplayed to save EMC's stock price and reputation. EMC's customers, particularly its Dept. of Defense customers, should be demanding answers from Art Coviello and the EMC Board of Directors right about now.
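Step 5 of the timeline above, as Rivner describes it, is the part of the chain a defender can most readily instrument: bulk outbound FTP transfers of archive files from an internal file server to an external host. The following is an added example, not code from the original post or from RSA/EMC, of a small detector that runs that heuristic over constructed transfer-log lines. The log format, the internal address ranges, the archive suffixes and the volume threshold are all assumptions made for this example.

```python
"""Added example (not from the original post): flag internal hosts that push
archive files (e.g. password-protected RAR parts) over FTP to external hosts
in volume, the exfiltration pattern described in step 5 of the timeline.
Log format, internal networks and thresholds are assumptions for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer-log lines (not real data), modelled loosely on an
# xferlog-style record: date, time, source host, destination host, direction,
# file path, bytes transferred.
SAMPLE_LOG = """\
2011-03-08 02:14:03 10.20.30.40 203.0.113.17 OUT /data/backup/part01.rar 52428800
2011-03-08 02:16:11 10.20.30.40 203.0.113.17 OUT /data/backup/part02.rar 52428800
2011-03-08 02:18:40 10.20.30.40 203.0.113.17 OUT /data/backup/part03.rar 52428800
2011-03-08 09:01:00 10.20.30.41 10.20.30.5 OUT /exports/report.pdf 1048576
2011-03-08 10:22:17 10.20.30.42 198.51.100.9 OUT /www/site.tar.gz 2097152
"""

# Assumed internal address space; anything outside it is treated as external.
# Explicit ranges are used rather than ipaddress.is_global so that the
# documentation (TEST-NET) addresses in the sample are classified as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".tar.gz")
WINDOW = timedelta(hours=1)                 # sliding window length (assumption)
BYTE_THRESHOLD = 100 * 1024 * 1024          # 100 MiB per source host per window (assumption)


def parse_line(line):
    """Parse one constructed log record into a dict with typed fields."""
    date, time, src, dst, direction, path, size = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "direction": direction,
        "path": path,
        "size": int(size),
    }


def is_external(addr):
    """True when the address is not inside any assumed internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_archive_exfil(log_text, threshold=BYTE_THRESHOLD, window=WINDOW):
    """Return one alert per internal host whose outbound archive transfers to
    external hosts exceed `threshold` bytes within any span of length `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Keep only outbound archive transfers whose destination is external.
    by_src = defaultdict(list)
    for e in events:
        if e["direction"] != "OUT" or not is_external(e["dst"]):
            continue
        if not e["path"].lower().endswith(ARCHIVE_SUFFIXES):
            continue
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        # Sliding window over the host's transfers, ordered by time.
        for end, e in enumerate(evs):
            total += e["size"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["size"]
                start += 1
            if total > threshold:
                window_evs = evs[start:end + 1]
                alerts.append({
                    "src": str(src),
                    "dst_hosts": sorted({str(x["dst"]) for x in window_evs}),
                    "files": [x["path"] for x in window_evs],
                    "bytes": total,
                    "first": window_evs[0]["ts"],
                    "last": window_evs[-1]["ts"],
                })
                break  # one alert per source host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_archive_exfil(SAMPLE_LOG):
        print(f"{alert['src']} -> {alert['dst_hosts']}: {alert['bytes']} bytes "
              f"in {len(alert['files'])} archive(s) between {alert['first']} and {alert['last']}")
```

On the constructed sample, only 10.20.30.40 is flagged: three 50 MiB RAR parts to one external host within five minutes exceed the 100 MiB threshold, while the internal-to-internal PDF copy and the single small tarball do not. The threshold and window are the knobs to tune against a site's normal FTP traffic; the structural signal (archive files, outbound, external destination, clustered in time) is what the heuristic keys on.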

UPDATE: An excellent analysis of the Flash 0day that was used can be read at Villys777's security blog [12]. 


References:
[2] @yuange1975 Twitter post; 28 Feb 2011: https://twitter.com/#!/yuange1975/status/42357318628802560
[3] RSA.com website, Art Coviello's "Open Letter To RSA Customers" (17 Mar 2011) http://www.rsa.com/node.aspx?id=3872
[4] Adobe Security Advisory 14 Mar 2011 "Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat": http://www.adobe.com/support/security/advisories/apsa11-01.html
[5] Wired.com ThreatLevel blog by Kevin Poulsen "Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks": http://www.wired.com/threatlevel/2011/05/l-3/
[6] NYTimes 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack"
[7] Securities and Exchange Commission website "Form 8-K filing from EMC Corporation": http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/d8k.htm
[8] Confidential source provided this information to the author via email correspondence
[9] 25,000 RSA SecurID customers source: 18 Mar 2011 Intrepidus Group blog post: http://intrepidusgroup.com/insight/2011/03/risk-posed-by-securid-hack/
[10] The RSA Blog 1 Apr 2011 "Anatomy of an Attack" by Uri Rivner: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
[11] Fox News.com, 1 June 2011 "EXCLUSIVE: Northrop Grumman May Have Been Hit by Cyberattack, Source Says": http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/#ixzz1O6jjeiyE
[12] Blog IX Security Research: http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html


Tuesday, 31 May 2011

An Open Source Analysis Of The Lockheed Martin Network Breach

[Figure: image from the RSA website]
On Saturday 21 May 2011, multiple U.S. defense contractors [2] had their networks attacked by hackers who, in the case of Lockheed Martin, used duplicates of RSA's SecurID tokens to gain access to Lockheed's internal network. Of the possible defense contractors mentioned by Reuters (Boeing, Raytheon, General Dynamics, Northrop Grumman, Lockheed Martin), only Lockheed Martin has made public statements about the attack, once LM employees began leaking information about the breach to tech blogger Robert X. Cringely on Wednesday May 25th [3].

Here's what is known about the attack so far:
  1. On Saturday night, May 21, 2011 [2], Lockheed Martin's (NYSE:LMT) network was breached by attackers who created duplicates of EMC Corp's (NYSE:EMC) RSA SecurID tokens [1]
  2. Late Sunday night, May 22, Lockheed shut down all remote access to its intranet for at least one week, possibly longer [3], [4].
  3. On Wednesday, May 25, Lockheed announced that all employees would have to reset their passwords; that all SecurID tokens would be replaced with new ones; and added an additional password requirement for remote logins [3], [4].
Lockheed's official press release [6] about the attack contains contradictory language that calls into question how accurate its own assessments are:
BETHESDA, Md, May 28th, 2011 -- On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.
The word tenacious means "not easily dispelled" and "persisting in existence". An attack cannot be "swiftly" dealt with and "persistent" at the same time. Further, "almost immediately" doesn't reconcile with the timeline provided by the above publicly available data, which implies that the attackers had up to 24 hrs of access to Lockheed's network before VPN access was shut off. Finally, while Lockheed claimed that no customer, program, or employee data had been compromised, it was significant enough for President Obama to receive a personal briefing on it, and for DHS and DOD (and presumably NSA) to offer their assistance in Lockheed's investigation [2], [4], [5].

Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach. At that time, at least one prime defense contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply their security tokens [7]. Based upon their remediation actions for this breach, Lockheed Martin's senior executives chose to do very little about the compromised SecurID token technology, in spite of many warnings issued by security specialists about the potential aftereffects of the RSA attack. Of particular note is the warning issued by ICANN's Whitfield Diffie, a cryptographic expert who told John Markoff of the New York Times that "a worst case scenario would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems" [8]. Apparently that's precisely what happened [1].

Lockheed Martin has a history of significant cybersecurity breaches dating back to Titan Rain in 2003 [9] and the F-35 Joint Strike Fighter program in 2009 [10]. It has never publicly acknowledged the F-35 breach, and it landed on the wrong side of the Sandia National Labs lawsuit (LM manages the lab) when a jury awarded a multi-million verdict to Shawn Carpenter for wrongful termination. By some ironic twist of fate, Shawn's employer NetWitness was acquired by EMC Corporation shortly after its SecurID breach and a month or so before Lockheed's.

Clearly, the extent of the RSA SecurID breach was worse than EMC reported to the public, to the Securities and Exchange Commission, and to its customers, at least the ones that I've spoken to. EMC is still refusing to acknowledge its role in this attack [11]. It'll be interesting to see if EMC is sued by Lockheed Martin or any of the other defense contractors for not providing accurate information on the extent of their SecurID compromise, and/or fined by the SEC for the same, even if Lockheed management couldn't read the tea leaves for themselves.

REFERENCES:
[1] Reuters 27 May 2011: "Exclusive: Hackers breached US Defense Contractors": http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527
[2] NYTimes 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack": http://www.nytimes.com/2011/05/30/business/30hack.html?_r=1&partner=rss&emc=rss
[3] I, Cringely blog 25 May 2011: "InsecurID: No More Secrets?" http://www.cringely.com/2011/05/insecureid-no-more-secrets/
[4] Reuters 29 May 2011: "Lockheed says frequent cyber target from around the world" http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529
[5] MSNBC (Reuters) 28 May 2011: "Lockheed Thwarts Cyber Attack": http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security/t/lockheed-martin-says-it-thwarted-tenacious-cyber-attack/
[6] Lockheed.com 28 May 2011: "Lockheed Martin Customer, Program And Employee Data Secure": http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html
[7] SANS Newsbites, Vol. XIII, issue 24 (editorial comment by Alan Paller): http://www.sans.org/newsletters/newsbites/newsbites.php?vol=13&issue=24&rss=Y
[8] NY Times, 17 March 2011: "SecureID Company Suffers A Breach Of Data Security": http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=1
[9] Time.com, 29 August 2005: "The invasion of the Chinese cyberspies": http://www.time.com/time/magazine/article/0,9171,1098961,00.html
[10] WSJ.com, 21 April 2009: "Computer Spies Breach Fighter Jet Project": http://online.wsj.com/article/SB124027491029837401.html
[11] NY Times, 29 May 2011: "Lockheed Strengthens Network Security After Hacker Attack": http://www.nytimes.com/2011/05/30/business/30hack.html?_r=2&partner=rss&emc=rss
