Second Defense Contractor L-3 'Actively Targeted' With RSA SecurID Hacks

An executive at defense giant L-3 Communications warned employees last month that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.

The L-3 attack makes the company the second hacker target linked to the RSA breach -- both defense contractors. Reuters reported Friday that Lockheed Martin had suffered an intrusion.

“L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information,” read an April 6 e-mail from an executive at L-3's Stratus Group to the group’s 5,000 workers, one of whom shared the contents with Wired.com on condition of anonymity.

It’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 spokeswoman Jennifer Barton declined comment last month, except to say: “Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.” Barton declined further comment Tuesday.

Based in New York, L-3 Communications ranks eighth on Washington Technology’s 2011 list of the largest federal-government contractors. Among other things the company provides command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

In the Lockheed breach, attackers may have gained access by cloning the SecurID keyfobs of Lockheed users.

Together, the attacks suggest the RSA intruders obtained crucial information -- possibly the encryption seeds for SecurID tokens -- that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets.

The attacks come as the Pentagon is in the final stages of formalizing a doctrine for military operations in cyberspace, which will reportedly view cyberattacks that cause death or significant real-world disruption as the equivalent of an armed attack.

RSA Security, a division of EMC, declined to comment on the L-3 incident.

SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.
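To make the "seed" concern concrete, here is an added example (not from the original article, and not RSA's code) of a time-based token whose code depends only on a secret seed and the clock. It uses the public RFC 6238 TOTP construction as a stand-in, since SecurID's own algorithm is not described on this page; the seeds and timestamp are constructed test values. It shows that a code computed from a copy of the seed passes verification, and stops passing once the server holds a different seed.

```python
import hashlib
import hmac
import struct

PERIOD = 30  # seconds per code, matching the interval the article gives


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a stand-in, not SecurID's own algorithm."""
    counter = struct.pack(">Q", unix_time // PERIOD)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset from the last nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept a code from the current time step or `drift` steps either side."""
    for step in range(-drift, drift + 1):
        expected = token_code(seed, unix_time + step * PERIOD)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo() -> dict:
    # Constructed values: the RFC 6238 test seed and a made-up replacement seed.
    old_seed = b"12345678901234567890"
    new_seed = b"constructed-replacement-seed"
    now = 59
    # Anyone holding the seed computes the same code; no keyfob is involved.
    code_from_copy = token_code(old_seed, now)
    return {
        "code": code_from_copy,
        "accepted_before_reseed": server_accepts(old_seed, code_from_copy, now),
        "accepted_after_reseed": server_accepts(new_seed, code_from_copy, now),
    }


if __name__ == "__main__":
    print(demo())
```
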

RSA acknowledged in March that it had been the victim of an “extremely sophisticated” hack in which intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote at the time, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

RSA characterized the breach as an “advanced persistent threat,” or APT. APT is a buzzword assigned to unusually sophisticated attacks in which intruders use social engineering coupled with zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property. Last year’s hack into Google was considered an APT attack and -- like many intrusions in this category -- was linked to China.

L-3 uses SecurID for remote employee access to the unclassified corporate network, but classified networks at the company would not have been at risk in the attack, the L-3 source said.

Asked if the RSA intruders did gain the ability to clone SecurID keyfobs, RSA spokeswoman Helen Stefen said, "That's not something we had commented on and probably never will."

If the intruders have gained cloning ability, the implications could be far-reaching. SecurID is used by most federal agencies and Fortune 500 companies. As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software clients.

RSA has been privately briefing its customers about its intrusion, but only after placing them under nondisclosure agreements, and the company has shared few details with the public.

Update 6/1/11 15:40 EDT: Fox News reports that Northrop Grumman, the second-largest U.S. defense contractor and a SecurID customer, abruptly shut down remote access to its network on Thursday and instituted a "domain name and password reset across the entire organization."

Photo: L-3's Mobius optionally-piloted aircraft. (L-3 2010 Report to Shareholders)
