Hard Times to come for U.S. Defense Contractors: it looks like each new day reveals information of a new cyber-attack to military technology companies using (alleged) compromised SecureID seeds.
This time Fox News reports that Northrop Grumman, another Defense Contractor has been the victims of a Cyber Attack, on On May 26, when the company shut down remote access to its network without warning, catching even senior managers by surprise and leading to speculation that a similar breach had occurred.
Even if there is no evidence so far that the cyber attack could be the consequence of the RSA Breach on March, there are at least two strange coincidences: the fact that this is the third attack to a U.S. Defense Contractor unleashed in less than a week (after Lockheed Martin and L-3), and the fact that Northrop Grumman is an RSA SecureID customer.
If the attack should be confirmed to have been carryed out by mean of compromised seeds, this would undoubtely confirm the RSA Breach was only the first stage of a (vertical) cyber-operation targeted to steal U.S. Military secretes (at this point I would not be surprised if other institutions belonging to different verticals are already under attack without realizing it).
Probably, as David Cenciotti said in a post of ysterday, it is time to rethink Strong Authentication: “something you know and something you have” is revealing to be a too weak paradigm if compared with the strenghts of Ciberweapons (because we are talking of Cyberweapons) who have shown to be capable to subtract any kind of data, sometimes leveraging users’ naivety with old-school techniques).
Morevoer also the users should be educated to face the new shape of cyberwar phishing if it is true, as it supposed to have happened in case of Lockheed Martin, that phishing techniques were used to map users to their token.
A bolt from the blue! Source report some details of the alleged first attack to a very large U. S. Defense contractor perpetrated by mean of compromised RSA seeds.
Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecureID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.
It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
Fortunately the contractor was able to detect the breach and to manage it, avoiding worst consequences.
But many questions remain unsolved: was this the first attempt? Were all the seeds compromised during the famous breach? For Sure it will not be the last and my sixth sense and one half thinks we will have to get used to this kinds of attacks.
As I told in previous post I am more and more convinced that the final target of the attack was not RSA…
- Some Random Thoughts On RSA Breach (paulsparrows.wordpress.com)
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)