Dozens of U.S. defense contractors, agencies hacked
Andy Greenberg, Forbes.com
Published Sunday, February 21, 2010 7:23AM EST
For anyone who has a security clearance and doesn't believe the U.S. faces a cyber-espionage crisis, Steven Shirley has 102 stories to share with you.
That's the number of cases in which Shirley's team of Pentagon researchers discovered cyberspies breaching the networks of government agencies, defense contractors and other organizations with ties to the U.S. Department of Defense, gaining administrator-level access with the aim of stealing military secrets.
The Pentagon's forensics-focused Cyber Crime Center, where Shirley is executive director, found that between August 2007 and August 2009, 71 government agencies, contractors, universities and think tanks with connections to the U.S. military had been penetrated by foreign hackers, in some cases multiple times. In total, Shirley told Forbes, the center performed 116 investigations following spying breaches and found that in all but 14 of those cases the intruders had gained complete administrator-level access to the victim's network.
"There are some significant defense contractors among that number," Shirley says. "We can say that any company that's involved in high-technology research and development is a target for these adversaries."
Shirley wouldn't reveal what information was stolen in any of the breaches, where the attackers seemed to be located or whether they appeared to be state-sponsored, saying only that the attacks were based "offshore."
He also declined to name any specific companies or organizations penetrated in the defense industry's hacking epidemic. But military contractors General Dynamics and Northrop Grumman have both been successfully breached by cyberspies in the last two years, according to sources familiar with the security situations of those companies. It's also likely that many other major defense contractors have recently had data stolen by hackers.
Northrop Grumman's chief information security officer Tim McKnight said the company is "always in the trenches" defending its network from cyberattacks but doesn't discuss internal security issues. "We don't talk about successful or unsuccessful intrusions," he says. A General Dynamics spokesperson declined to comment.
The defense-industrial complex's hemorrhaging of intellectual property to cyberspies is hardly new--in fact, it dates back much farther than the private sector hacking incidents revealed by Google's admission of a breach by hackers last month.
As early as 2003 Sandia National Laboratories and its managing company, Lockheed Martin, were penetrated by cyberspies, seemingly based in China, who pilfered plans for the Mars Reconnaissance Orbiter, a class of technology with potential military uses. In 2007 Forbes reported that cyberspies, again seemingly based in China, had breached the 10 largest military contractors, including Lockheed Martin, Northrop Grumman, Raytheon and Boeing.
But threats are increasing in both "sophistication and number," Shirley says, and many defense firms haven't kept up. "In some cases, there was a huge attack surface for an adversary," says Shirley. "The IT staffs in some companies were simply overwhelmed or inexperienced in their ability to contend with threats."
Almost every breach his agency investigated, Shirley says, began when an employee was sent a highly targeted and convincing phishing e-mail that spoofed a trusted sender. When the recipient opened a file attached to that message, it used a flaw in the target computer's software to invisibly plant malicious software on the machine and give it access to the user's network. (Finnish cybersecurity firm F-Secure recently found one such booby-trapped PDF intended to infect an Air Force computer using a vulnerability in Adobe Reader.)
But the large majority of those attacks, Shirley says, didn't use new, previously unknown software vulnerabilities. Instead, they exploited old software bugs that IT administrators had failed to patch, configuration errors and even poor password practices.
"We were surprised to see that even companies that we regarded as tech savvy in a lot of cases had significant vulnerabilities correlated with inattention to the basic blocking and tackling of information assurance," says Shirley. "The most popular password in the world is still 'password,' and we still see that from time to time even in these companies."
As top-tier contractors respond to attacks by improving their security, hackers are increasingly targeting a second tier of smaller defense firms with innovative military technology but little experience in protecting secrets. That's made defense contractors' acquisitions of small, insecure companies a prime avenue for introducing new vulnerabilities, says Shirley. "When you've just inherited a network, you also inherit all the ensuing impact on protection of intellectual property," he says.
But hacker exploits are also evolving to challenge the security of even long-established defense firms, says Kevin Mandia, a former Pentagon researcher whose firm, Mandiant, serves as a post-breach consultancy. In some cases, he says, intruders plant multiple hidden backdoors, or steal documents from one computer that they later use to spoof an e-mail after the initial breach is thought to be contained. "The techniques imply that attackers have a great familiarity with the victim organizations, their people, their roles and responsibilities," says Mandia.
The spying software that hackers hide on victims' networks is also becoming harder to detect--particularly the code aimed at defense firms, he says. In a test in December 2009 of 1,400 malicious software or "malware" samples pulled from victims' machines, Mandia says only 24 per cent of the programs were found by antivirus programs. "We see malware hitting the contractors that hits everyone else six to nine months later," he says.
Even as cyberspies expand their targets to other sectors like law firms, oil companies and technology companies, that evolution of tactics means the defense industry's cyberstruggles are far from over. "As you do your judo to combat these guys, they escalate," says Mandia. "If you're Boeing, Lockheed or Raytheon, you simply have a threat that wakes up every day and tries to compromise you."