Update July 15: Reuters reports that a classified US military weapons system will now need to be redesigned after specs and plans for the system were stolen from a defense contractor database during the breach of March,
According to an AP statement, on Thursday the Pentagon revealed that it had suffered a breach of 24,000 documents in March, during a single intrusion. Particularly interesting is the fact that sources believe the attack was perpetrated by a foreign country, confirming that cyberspace has really become the fifth domain of war (earlier this year China had been charged with having hacked some Gmail accounts, including those of senior US and South Korean government officials, and similarly at the end of 2009 some Gmail accounts belonging to dissidents).
According to the original statement by AP:
William Lynn, the deputy secretary of defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense industry computer network in a single intrusion in March. He offered no details about what was taken but in an interview before the speech he said the Pentagon believes the attacker was a foreign government. He didn’t say which nation.
“We have a pretty good idea” who did it, Lynn said in the interview. He would not elaborate.
For the record, DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe.
It is not a coincidence that at the beginning of the year the Pentagon declared that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opened the door for the U.S. to respond using traditional military force (probably at that time they were already aware of the above attack, which explains the change in strategy).
In the same vein, yesterday the Department of Defense announced its Strategy for Operating in Cyberspace, which relies on five strategic initiatives. At first glance the strategy aims to defend and prevent with a measured, reasonable approach focused on good network hygiene and data sharing, rather than on bombing hackers into submission.
- Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential;
- Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems;
- Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy;
- Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity;
- Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Honestly speaking, I must confess that as soon as I stumbled upon this report I could not help thinking (but this is mere personal speculation) of the RSA breach. Details of the Pentagon breach are not known so far, but I would not be surprised if they were somehow related. On the other hand, the RSA breach happened in mid-March and was followed by attacks on three US defense contractors (L-3, which happened at the beginning of April but was disclosed at the end of May; Lockheed Martin, discovered on May 22nd; and Northrop Grumman on May 26th). Only a coincidence?
It looks like the security issues for US military contractors never end. The consulting firm Booz Allen Hamilton is only the latest to have fallen under the blows of Anonymous. In the name of the #AntiSec operation, hackers claimed today that they compromised a server and released internal data, including about 90,000 military e-mail addresses. Due to the huge amount of data leaked, the operation was called #MilitaryMeltdownMonday.
We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed ~50mb, for good measure.
The entire statement is available on Pastebin, while the leaked data have been put into a torrent at The Pirate Bay, and are also already available on Pastebin, although the passwords are hashed (but not salted).
We also were able to access their svn, grabbing 4gb of source code. But this was deemed insignificant and a waste of valuable space, so we merely grabbed it, and wiped it from their system.
It was clear that something had been in the air for a couple of days, as some tweets announced “the biggest day in #anonymous‘ history according to sabu”:
This might be an indication that the ghost of the infamous group LulzSec played a crucial role in the attack on Booz Allen Hamilton. As a matter of fact, Sabu is the alleged leader of the infamous group LulzSec, and also the alleged author of the hack of HBGary Federal, another military contractor hacked earlier this year because its CEO Aaron Barr claimed to have unmasked some Anonymous members. In response to his actions, the hackers dumped 71,000 emails which revealed, among other things, that HBGary had worked with Booz Allen Hamilton to develop a response plan for Bank of America based on what the bank feared might be an upcoming leak of its internal documents by WikiLeaks.
The Anonymous statement also paints the contractor as another player involved (together with HBGary) in a military project, dubbed Operation Metal Gear by Anonymous (for lack of an official title), designed to manipulate social media, and as a revolving door of military-related conflicts of interest, and argues that the firm has been involved in mass surveillance projects.
The company wrote on its Twitter feed that “as part of @BoozeAllen security policy, we generally do not comment on specific threats or actions taken against our systems.”
This is only the latest attack on a U.S. contractor. On July 9th, Anonymous attacked IRC Federal, an FBI contractor, and dumped the proceeds of the attack in a torrent, available once again at The Pirate Bay. The dumped content apparently included databases, private emails, contracts, development schematics, and internal documents for various government institutions. The attack was performed as a sequel to the first one against Infragard, another FBI affiliate, on June 3rd, performed (what a coincidence) by LulzSec.
After HBGary Federal, between April and May 2011 three U.S. defense contractors (L-3, Lockheed Martin and Northrop Grumman) were attacked using compromised RSA seeds, although in this case no one has been identified as the author of the attacks, and no connection with Anonymous has been found either.
- Hackers claim they exposed Booz Allen Hamilton data (news.cnet.com)
- 50 Days of Hunt (paulsparrows.wordpress.com)
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not complete enough, since it did not show some important attacks that occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of the major 2011 cyber attacks, both by size and by impact. Moreover, in this version I added the cost of the breaches (where possible), and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets released by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon Institute: the average cost of a data breach is US $214 for each compromised record; if the targeted company decides to respond immediately the cost is around US $268 for each compromised record, which drops to US $174 if the company takes longer to react.
The total cost is an incredible number: nearly US $18 billion.
Needless to say, Sony achieves rank #1 with US $13.4 billion. In this unenviable chart, Epsilon gains second place with an estimated cost for its breach of US $4 billion.
The other breaches, although not comparable with the previous ones, add up to the grand total when summed.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack on Comodo certificates, which happened on March 24th. In this annus horribilis, it came immediately after the RSA affair and, together with the RSA breach, it has decreed the fall of the modern bastions of strong authentication (in a few days tokens and certificates have proved to be vulnerable). Moreover, I consider the author's message a memorable declaration of cyberwar. On the trail of the RSA breach, the wave of attacks on US contractors is noteworthy as well.
Hackers focused on media sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the never-ending problem of copyright). Interesting is the second attack on PBS, made by Warv0x, one of their enemies, to show the poor skill of LulzSec. In the last part of June the videogame industry was the preferred target (Epic also suffered a breach), with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in a data breach for the victim), but offered to avenge Sega (the manufacturer of the Dreamcast) after its disastrous breach.
Direct attacks on governments focused essentially on LOIC-based DDoS, albeit some infamous breaches of related sites (as in the case of Infragard/FBI and NATO) led to data breaches.
Last but not least, please notice the intense activity of LulzSec in their “50 days of living dangerously”, just before the sudden dissolution of the group on June 25th.
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
Update June 29: 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated)
I found this interesting graph in an original Thomson Reuters post, showing the timeline of the major 2011 cyber attacks.
The graph shows all the main cyber events of this tremendous 2011 up to June 16th. Actually, to be perfect it should also include the infamous Epsilon data breach, which happened on March 30th. Probably it had a greater impact in the U.S. than in Europe, but it is clear that the aftermath of this breach will last for years in terms of spear-phishing attacks targeting the affected users.
Moreover, to be “ultra perfect”, it should also include the other attacks discovered against U.S. defense contractors (L-3 on April 6th, and Northrop Grumman on May 26th).
Even if some attacks are missing, the graph is useful (and meaningful) in showing how easily our data are put at risk.
Of course, after June 16th another cyber attack leading to a breach was perpetrated against Sega (to be added to the list of game publishers), affecting 1.3 million users.
Following the Sega breach, in the last two days, after the #AntiSec manifesto and the consequent teaming up of LulzSec and Anonymous, several government sites have been hit by massive DDoS attacks, including SOCA in the UK, some sites affiliated with PM Silvio Berlusconi in Italy, and some government sites in Brazil.
With the alleged Northrop Grumman cyber attack, we have seen three attempts, unleashed in a few days, to leverage the compromised RSA seeds in order to steal data from U.S. contractors.
Albeit the above mentioned events have two evident points in common (all the targeted companies are U.S. defense contractors, and all of them use RSA tokens), there is one point that seems confusing: the timeline along which the attacks were carried out and subsequently disclosed (we will see that the two are very different and somehow confusing).
Analyzing the timeline: the first attack disclosed was the one against Lockheed Martin. According to the sources, remote access to internal resources was disabled late on Sunday, May 22nd, immediately after the attack was detected. The first details, although the target was not immediately revealed, were given a few days later, on May 26th.
The second cyber attack targeted L-3 and was disclosed a few days later, on May 31st. According to the information revealed, the event occurred at the beginning of April (more exactly on April 6th, that is, more than a month and a half before) and was described in an e-mail sent by an executive to the 5,000 employees of the group belonging to the affected division. Nothing strange apparently: the late disclosure was unintended by the target company and probably a consequence of the huge echo raised by the Lockheed Martin affair, which led an anonymous source to reveal details to Wired.
On June 2nd, an alleged third attempt to attack a U.S. defense contractor using compromised seeds was disclosed, this time against Northrop Grumman. According to the revealed timeline, this attack took place on May 26th, that is, nearly at the same time as (4 days after) the Lockheed Martin event.
So, definitively, although the three attacks were revealed nearly at the same time, only two of them actually happened at the same time (i.e. the ones against Lockheed Martin and Northrop Grumman), while the other one, against L-3, happened a couple of weeks after the RSA breach and almost a month and a half before the others. This is not clear to me.
If I had been in the attackers' shoes, I would have attacked all at once in order to prevent the information from spreading, and definitively to deny the other victims the possibility of organizing themselves, for instance by immediately replacing the tokens, as Raytheon did immediately after the RSA breach.
Let us suppose (as it seems clear) that the alleged theft of the seeds was only the first step of the “perfect plan” to attack the U.S. defense contractors; let us also suppose that the attackers took some time to obtain the missing pieces of the puzzle, that is, to link the tokens to users and eventually to obtain the PINs, by means of keylogger trojans or phishing e-mails, as suggested by Rick Moy, president of NSS Labs. Do you really think that they would have left a month and a half between one attack and the other? Honestly speaking, I do not think so. Of course I can imagine that obtaining all the PINs or user-to-token mappings at once was simply impossible, for reasons of time (it is impossible that all the victims of a specific targeted phishing campaign would reply simultaneously), but also because a massive “vertical” phishing campaign targeting all the U.S. contractors (and aimed at obtaining information about RSA tokens) would probably have raised too much attention, so I do not exclude that the information necessary to perform the attack had to be obtained with “evasion” techniques.
Nevertheless, provided the scenario depicted above is real, even if it is unlikely that the attackers could attack all the targets simultaneously, a month and a half between one wave and the other seems actually too much: I doubt they already knew that the information concerning the first alleged attack on L-3 would have been revealed only many days later; of course it is easy to predict that L-3 and any other victims would not have been happy to do so immediately afterwards, but if they really had the perfect plan, relying on such an occurrence would have been a huge hazard, capable of putting the entire operation at risk.
I seriously fear the truth is different. Of course this is mere personal speculation, but I am more and more considering the hypothesis that a first wave of attacks really took place at the beginning of April (more or less at the same time as L-3), that is, a short interval after the original breach, short enough to catch most of the victims unprepared, most of all in the case of very big companies. The consequence could be that many other attacks have not been revealed or simply were not detected at all, since, as I said a couple of days ago:
I wonder if military contractors are really the only targets or if they have been the only ones capable of detecting the attempts because of their strict security protocols and policies.
How to explain the alleged second wave of May? It might be that the attackers tried once and, since the result was successful (it is not clear whether they were able to steal sensitive data, but for sure the information was not immediately revealed), decided to try a second and a third time (and who knows how many others). Otherwise, it might be that after the first wave they decided to sell the seeds on the black market (probably at a lower price, since at that point the seeds would have been considered second-choice goods), and this could explain the late attacks on Lockheed Martin and Northrop Grumman (and who knows who else). In this case I am afraid we will see many other attacks, unless the other potential targets (which so far have refused to comment on the events) decide to follow Raytheon's example and replace the tokens.
Hard times to come for U.S. defense contractors: it looks like each new day reveals information about a new cyber attack on military technology companies using (allegedly) compromised SecurID seeds.
This time Fox News reports that Northrop Grumman, another defense contractor, has been the victim of a cyber attack: on May 26 the company shut down remote access to its network without warning, catching even senior managers by surprise and leading to speculation that a similar breach had occurred.
Even if there is no evidence so far that the cyber attack could be a consequence of the RSA breach in March, there are at least two strange coincidences: the fact that this is the third attack on a U.S. defense contractor disclosed in less than a week (after Lockheed Martin and L-3), and the fact that Northrop Grumman is an RSA SecurID customer.
If the attack were confirmed to have been carried out by means of compromised seeds, this would undoubtedly confirm that the RSA breach was only the first stage of a (vertical) cyber operation aimed at stealing U.S. military secrets (at this point I would not be surprised if other institutions belonging to different verticals are already under attack without realizing it).
Probably, as David Cenciotti said in a post yesterday, it is time to rethink strong authentication: “something you know and something you have” is proving to be too weak a paradigm compared with the strength of cyberweapons (because we are talking about cyberweapons), which have shown themselves capable of exfiltrating any kind of data, sometimes leveraging users' naivety with old-school techniques.
Moreover, users should also be educated to face the new shape of cyberwar phishing, if it is true, as is supposed to have happened in the case of Lockheed Martin, that phishing techniques were used to map users to their tokens.
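To make the “something you have” argument concrete, here is an added example (not code from the original post) that models a seed-based one-time-password token with the standard HOTP/TOTP algorithms of RFC 4226/6238, used as a stand-in for RSA's proprietary SecurID algorithm. It shows that once a copy of the seed exists the token code becomes reproducible and only the PIN is left as a factor, and that re-seeding (replacing the token, as Raytheon did) restores the second factor. The user name, PIN, seeds and 60-second step are constructed values; the server model ignores clock drift and replay windows.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the current time step."""
    return hotp(seed, now // step, digits)


class TokenServer:
    """Authentication server: maps user -> (token seed, PIN hash) and accepts PIN + token code.
    Simplified model (constructed for this example): no drift window, no replay protection."""

    def __init__(self):
        self.users = {}  # username -> (seed, sha256(PIN))

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, hashlib.sha256(pin.encode()).hexdigest())

    def reseed(self, user: str, new_seed: bytes) -> None:
        """Token replacement: the old seed is no longer accepted, the PIN is unchanged."""
        _, pin_hash = self.users[user]
        self.users[user] = (new_seed, pin_hash)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        seed, pin_hash = self.users.get(user, (None, None))
        if seed is None:
            return False
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), pin_hash)
        return pin_ok and hmac.compare_digest(totp(seed, now), code)


def seed_compromise_scenario(now: int):
    """Returns (legit, copied_seed_before_reseed, copied_seed_after_reseed).
    Shows why a leaked seed collapses two factors into one, and why re-seeding repairs it."""
    server = TokenServer()
    seed = secrets.token_bytes(20)  # constructed: stands for the secret burned into a token
    server.enroll("alice", seed, "1234")
    # Legitimate login: PIN plus the code the physical token currently displays.
    legit = server.verify("alice", "1234", totp(seed, now), now)
    # A second copy of the seed reproduces the same codes: only the PIN remains as a secret.
    copied_seed = seed
    before = server.verify("alice", "1234", totp(copied_seed, now), now)
    # Mitigation: issue a new token (new seed); codes from the old copy are rejected.
    server.reseed("alice", secrets.token_bytes(20))
    after = server.verify("alice", "1234", totp(copied_seed, now), now)
    return legit, before, after
```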