An executive at defense giant L-3 Communications warned employees this spring that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.
“L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information,” read an April 6 e-mail from an executive at L-3’s Stratus Group to the group’s 5,000 workers, one of whom shared the contents with Wired.com on condition of anonymity.
It’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 spokeswoman Jennifer Barton declined comment at the time, except to say: “Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.” Barton declined further comment Tuesday.
Based in New York, L-3 Communications ranks eighth on Washington Technology’s 2011 list of the largest federal government contractors. Among other things the company provides command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.
The L-3 attack makes the company the second hacker target to be linked to the RSA breach – both defense contractors. On Friday, Reuters reported that Lockheed Martin suffered an intrusion in which attackers may have gained access by cloning the SecurID keyfobs of Lockheed users. Together, the attacks suggest the RSA intruders obtained crucial information – possibly the encryption seeds for SecurID tokens – that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets.
The attacks come as the Pentagon is in the final stages of formalizing a doctrine for military operations in cyberspace, which will reportedly view cyber attacks that cause death or significant real-world disruption as the equivalent of an armed attack.
RSA Security, a division of EMC, declined to comment on the L-3 incident.
SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.
RSA acknowledged in March that it had been the victim of an “extremely sophisticated” hack in which intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote at the time, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
RSA characterized the breach as an “advanced persistent threat”, or APT. APT is a buzzword assigned to unusually sophisticated attacks in which intruders use social engineering coupled with zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property. Last year’s hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.
L-3 uses SecurID for remote employee access to the unclassified corporate network, but classified networks at the company would not have been at risk in the attack, the L-3 source says.
Asked if the RSA intruders did gain the ability to clone SecurID keyfobs, RSA spokeswoman Helen Stefen said, “That’s not something we had commented on and probably never will.”
If they have, the implications could be far-reaching. SecurID is used by most federal agencies and Fortune 500 companies; as of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software clients.
RSA has been privately briefing its customers about its intrusion, but only after placing them under NDA, and the company has shared few details with the public.
Photo: L-3’s Mobius optionally-piloted aircraft. (L-3 2010 Report to Shareholders)