How the RSA Attackers Swung and Missed at Lockheed Martin

SAN JUAN, PUERTO RICO–The attack that resulted in the compromise of RSA’s SecurID database in 2011 had a lot of ramifications and sent shockwaves through much of the security industry. But it could have had much broader consequences had the security team at Lockheed Martin not discovered the same attack team on its own network and taken actions to shut them down.

SAN JUAN, PUERTO RICO–The attack that resulted in the compromise of RSA’s SecurID database in 2011 had a lot of ramifications and sent shockwaves through much of the security industry. But it could have had much broader consequences had the security team at Lockheed Martin not discovered the same attack team on its own network and taken actions to shut them down.

Some of the details of the RSA attack are well known, as the company disclosed some of the tactics that the attackers used, as well as the tools they deployed on the company’s network. After the attack became public, speculation started that the attackers were not actually that interested in RSA as a target, but were more keen on compromising some of the company’s high-profile customers, namely defense contractors.

One of those customers was Lockheed Martin, the massive U.S. defense and aeronautics company that does billions of dollars of business with the federal government. The company runs a lot of interesting projects for the Department of Defense, including the development of the Joint Strike Fighter. So the security team at Lockheed has spent quite a bit of time developing a methodology to not just discover attackers on its networks, but also to monitor their activities and prevent them from exfiltrating any useful data.

That methodology came in handy in the days after the attack on RSA, as the same attackers began making their way up the chain to Lockheed’s network. After compromising RSA and obtaining the seed database for the company’s SecurID tokens, the attackers then compromised an unidentified company that’s a supplier to Lockheed. They then began looking at Lockheed, trying to find a way in. With the RSA SecurID database in hand, the attackers were able to get on to Lockheed’s network as an authenticated user.

A nice trick if one can manage it.

The attackers’ next step was to begin looking for interesting data to pull out of the network. So they began removing data in various stages, trying to avoid detection, said Steve Adegbite, director of cyber security strategies at Lockheed Martin, speaking at the Kaspersky Lab Security Analyst Summit here Monday. Because the attackers had valid credentials for the Lockheed systems and looked like a legitimate user, the security team saw their activities and noticed that they were not acting the way a normal user should.

“We almost missed it because they looked like a normal user,” Adegbite said.

But instead of closing the door and shutting the attackers out, Lockheed’s team began monitoring their activities to see what they were doing, where they were going and what tactics they used.

Lockheed’s security team saw that the attackers were trying and failing to access various resources over and over, as the authenticated user, which raised some red flags. They were able to monitor the attackers and then shut the attack down, before the attackers removed any sensitive data. The lesson, Adegbite said, is that preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in.”The investment to stop people from coming in is too high,” he said.

Suggested articles

Discussion

  • Anonymous on

    To be successful you need more than just the RSA token seeds. You need to know which seed is assigned to which account on the customers side. That isnt something that RSA has. You also need the PIN that goes with the token / seed for the account. Again, nothing that RSA has. In short, you need to phish or social engineer a users account name and their token PIN to go along with the seeds. It's funny how many people think that all you need are the seed records and then you're in. Doesnt work that way. 

  • Anonymous on

    Yay!  You go there Lockheed.  Miss working with you guys!  You guys rule!! Funny how someone thinks all they need is an RSA Token to get through security.  Right....

  • Anonymous on

    Damnit Dennis, "A nice trick if one can manage it." is not a complete sentence, and is especially not something to be separated from its related context.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.