China linked to new breaches tied to RSA

Recent attacks on three U.S. defense contractors could be tied to cyberespionage campaigns waged from China, several security experts told CNET.

The incidents at Lockheed Martin, L-3 Communications, and Northrop Grumman appear to stem from a breach at RSA in March in which data was stolen related to RSA's SecurID two-factor authentication devices--widely used by U.S. government agencies, contractors, and banks to secure remote access to sensitive networks.

Lockheed confirmed to The New York Times on Friday that hackers had used data stolen in the RSA breach and other methods to figure out the coded password of a Lockheed contractor, but that Lockheed had blocked the attack before any sensitive data could be exposed. The company said it was replacing 45,000 SecurID tokens.

L-3 told employees in April that it was targeted using information acquired from the RSA breach, Wired reported. And Northrop Grumman, meanwhile, unexpectedly shut down remote access to its network last month, leading to speculation that there had been a SecurID-related incident, according to FoxNews.com.

When RSA warned customers that their SecurID deployments could be affected by the intrusion, the industry was waiting for the proverbial other shoe to drop. Thus, word of the defense contractor attacks came as no surprise. And the timing is such that it seems unlikely to be coincidental, the experts said.

Two-and-a-half months is plenty of time for whoever stole the data to sell it to interested parties in underground channels and for buyers to prepare attacks that take advantage of the pilfered information--basically figuring out which key on the key chain goes to which door. But it's also a small enough window of time to let those attackers catch some RSA customers before they can change the locks.

Having the key, or token, isn't enough to break into a system. Attackers also need to have the passcode that token holders use when they are logging in to a network. Phishing e-mails that trick recipients into revealing their log-ins and e-mails bearing malware that infects the recipient's computer are commonly used to get that information. Having done their homework, the attackers know to craft an official-looking e-mail coming from a person or organization the recipient would trust.

Such sophisticated attacks on a specific target that are designed to steal credentials in order to get into the network to access critical data are known as Advanced Persistent Threats, or APT.

The RSA breach was accomplished using an APT, and Google cited APT in early 2010 as the method used in an attack on its network in which intellectual property was stolen. Google specifically said the attack originated in China and that Gmail accounts of human rights activists in the U.S., China, and Europe were separately compromised. Yahoo, Symantec, Northrop Grumman, and Dow Chemical were reportedly among the 30 or so other targets.

"APT is a euphemism for China," said Rich Mogull, chief executive of Securosis. "There is a massive espionage campaign being waged by a country. It's been going on for years, and it's going to continue."

Chinese representatives in the U.S. could not be reached for comment Friday, but government officials denied any involvement in the Google attacks last year. They also denied any responsibility in phishing attacks targeting Gmail accounts of officials in the U.S. and Asian countries, political activists, and journalists that Google announced last week. In fact, a Chinese official turned the tables and accused the U.S. of launching an Internet war against other countries, according to The Associated Press.

Meanwhile, the Pentagon is now saying it plans to issue new strategy declaring that in certain circumstances it will view cyberattacks from foreign nations as an act of war meriting military response.

"The reality is, part of the basis of U.S. hegemony...has been the ability to leverage command of signals intelligence to have perspective on the motivations and activities of others. Cyberspace has equalized that, so all of a sudden we're in a competitive intelligence environment," said Rafal Rohozinski, a principal at SecDev who did research on targeted attacks on Tibet and others with supposed links to China. Those attacks were detailed in a "GhostNet" report in 2009.

Espionage is common among the major nations, but reports of cyberespionage from China have increased over the past decade, campaigns that are ostensibly focused on silencing dissidents and other detractors, or reducing China's technology gap with the U.S. and other major countries.

"China has made no secret that they see cyberspace as the domain that allows them to compete with the U.S.," Rohozinski said.

It's easy to connect the dots between the various attacks, particularly considering what the motivation may be behind them. However, there is often no way to know for sure where a cyber attack originated because attackers can easily hide their tracks.

"I think [the attacks on the contactors] are completely related" to the RSA intrusion, said Chris Wysopal, chief technology officer at Veracode. "While I think they're related, I don't necessarily think it is the same group" that's responsible.

Just like in the financially motivated credit card criminal underground, there is an ecosystem around information that can be used for corporate or government cyberespionage, according to Wysopal. "The RSA attackers knew that what they were stealing could be sold to lots of governments," he said.

"If it's any kind of military espionage, military adversaries are going to be high on the list," Wysopal said. "The question then is who in China--is it government agents or independent contractors selling to the Chinese government?"

Update June 7 at 11:21 a.m. PT: RSA says it will replace SecurID tokens for customers. "On Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted."