High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures (REPORT)

My team and I have completed a report (High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures) on how much more vulnerable U.S. companies are to being hacked if they engage in joint ventures in Russia and China. Everyone's first response to that is probably - of course! However, our findings might surprise you.

Key Findings:

An aerospace company that has a joint venture in Russia and/or China is 2.4 times more likely to experience a cyber attack than a non-JV company.

Of the study’s control group of 12 aerospace companies that have joint ventures in China and Russia, 8 experienced a cyber attack (67%), including Alcoa, Boeing, General Electric, Honeywell, Pratt & Whitney, Rockwell Collins, Rolls Royce North America and Sikorsky. The other 4 aerospace companies, Eaton, Goodrich, Hamilton Sundstrand, and Parker Aerospace, have not publicly disclosed any cyber attacks.

Of the 21 aerospace companies in the study’s random group, only 6 reported or were claimed to have been the victim of a cyber attack (28%), including General Dynamics, Gulfstream, Lockheed Martin, Northrup Grumman, Orbital Sciences Corporation, and Raytheon.

U.S. companies engaged in joint ventures represent a profit
center for international hacker groups.

This study shows that it is highly likely that the intellectual property owned by U.S. companies with Russian and Chinese JVs also represent high value targets for a variety of state and non-state actors worldwide.

It's unlikely that the Chinese or Russian government will utilize spear phishing or other low-level attacks against a U.S. company with a joint venture in their respective states when other superior means are available to them. 

While official and non-official sources frequently assign attribution to a state military or foreign intelligence organization rather than a mercenary hacker group, the host governments of joint venture companies do not need to craft spear phishing attacks against U.S. companies who operate within their borders; who are required to employ their citizens who are technically PRC government employees; and whose communications networks are supervised and monitored by the State.

Download the full report here

Add to Cart View detail

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities 

The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture.  On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports that delineate numerous problems with Unmanned Aerial Systems over the past few years. Some as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruptions at the satellite relay site would impair the operation of the aircraft. While the Air Force has told that GAO that they're working on implementing a redundant system to solve this problem, as of March, 2010 they "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant Satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):

• GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
• GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)

Cyber Attacks Against Unmanned Aerial System Producers and Developers

The above table of U.S. UAS Producers and Developers comes from the Department of Commerce' Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrup Grumman, and Raytheon. Most likely all 11 of these companies as members of the Defense Industrial Base would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mistsubishi Heavy and Kawasaki Heavy, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly engage with U.S. defense contractors on various projects such as Boeing.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an indepth vulnerability assessment of both U.S. intellectual property and operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing - Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries is capable of compromising U.S. drone operations. 

Add to Cart View detail

Was The RSA-Lockheed-L-3 Breach Over A $2.6B DHS Contract?

Site Plan New DHS Building

Since my original post on the Lockheed Martin / Prime contractors breach which I and other security researchers connected to the EMC RSA breach (a fact that EMC has now conceded to), I've been investigating possible motives for this multi-faceted attack. Its always been my belief that RSA's technology was not the primary target but a means to an end. And that "end" apparently involved breaching the networks of multiple Department of Defense contractors: Lockheed Martin, L-3 Communications, and allegedly Northrop Grumman. Other primes mentioned as possibilities by Reuters included General Dynamics, Boeing, and Raytheon.

If RSA was stage one of a multi-stage operation, that would suggest that Lockheed, L-3, and Northrup Grumman as the targets would have something else in common besides just being DOD contractors. Since it's my belief that the EMC RSA attack started earlier than March, 2011 and took some planning prior to its launch, I began looking for contract awards in mid to late 2010 that involved the three victim companies. I found a couple of possibilities that warranted further consideration but then I came across this news item from November 8, 2010: 4 competitors protest award of $2.6 billion IT contract to Northrop Grumman

The award, which is now up for re-bidding (GSA solicitation GST0011AJ0021) is for the crown jewels of the new Department of Homeland Security headquarters - building the infrastructure which will support information technology, telecommunications, security, and building management systems. The contractors who filed protests with GAO are Lockheed Martin, General Dynamics, Serco and L-3 Communications. Of the five companies involved, Lockheed and L-3 are confirmed attack targets, Northrop is an alleged target and General Dynamics is a possible target. Serco hasn't been named by any sources familiar with this attack but they also don't use RSA SecurID tokens; opting instead for Signify, one of RSA's competitors for two factor authentication. 

In order to compete for an award, companies must submit detailed technical proposals in written and oral form with an accompanying slide deck. DHS' acquisition schedule for the competing vendors corresponds with the known dates of the attacks:

DHS TIP Industry Day Deck: (Slide 39)

According to the schedule on slide #39, vendor written proposals were due in April and Orals were due in May. L-3 Communications announced active targeting with penetration attacks on April 6, 2011 while Lockheed reported that its breach commenced on May 21.  Late May was also the time of the alleged attack against Northrop Grumman. 

The information and communications infrastructure of the new DHS headquarters would certainly be a target of interest for foreign intelligence services like the FSB. Even the technical proposals from competing DOD contractors would contain valuable information. The level of detail asked for by DHS is fairly intensive as evidenced by the following slide which breaks out one of the eight required tasks: 

Task 2: Requirements Analysis and Design (slide 26)

If the November, 2010 article in the Washington Post triggered the planning stage of the operation, it offered sufficient time for an adversary to discover that the vendors shared the same two factor authentication technology; perform social engineering research on the target companies' employees, probe company websites for vulnerabilities, and craft customized attacks if needed. This doesn't require the resources of a nation state. Any experienced Eastern European hacker crew could pull it off with a relatively low budget. The upside however is huge. The information contained in those DHS technical proposals could be sold to multiple foreign governments and net the crew a seven figure or eight figure payday. And considering the scope of the DHS HQ project (the largest federal construction job since the Pentagon was built in the 1940's according to the Washington Post), this probably isn't the end of it. Whichever prime contractor wins the TIP contract, along with its sub-contractors, will almost certainly become the next targets to be compromised.

Add to Cart View detail