By Malyssa Woodward
The last few months have seen a string of high profile breaches targeting U.S. interests, and fingers are pointing at China as the culprit.
Last week, Google accused China of phishing the Gmail accounts of several U.S. government officials, Chinese political activists, military personnel, Asian officials and journalists. Google officials say they traced the attacks to the city of Jinan, China, which was also the source of a more widespread attack on Google in 2010.
The accusation prompted a swift and angry denial by the Chinese government, calling the implication that it was behind the attack “unacceptable” and a political ploy by the internet giant to further strain relations between China and the U.S. U.S. officials say they are taking Google’s claims seriously and will investigate.
The Google incident is the latest in a rash of assaults suspected by security experts to have Chinese ties. In recent months, the highly-secured networks of three U.S. defense contractors have been breached.
The breaches stem from an attack that occurred back in March, when U.S. encryption and security company RSA was infiltrated and information about their SecurID two-factor authentication tokens was stolen.
In an open letter to customers, Executive Chairman Art Coviello wrote:
“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.”
A SecurID token acts like a key of sorts, generating a six-digit passcode that is only valid for sixty seconds. This passcode must be entered in addition to a user’s network password or PIN. The combination of the two factors, which RSA refers to as “something you know, and something you have,” makes it more difficult for unauthorized individuals to gain access to a network. Companies use the tokens to allow employees to access their networks while off-site. The tokens are also popular for use in financial transactions and within government organizations.
RSA is still not releasing exactly what information was stolen. In the initial letter to customers, Coviello stated “…we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
This confidence has since proven to be misguided. Following the RSA breach, a series of attacks against three U.S. defense contractors and possibly a related assault on the International Monetary Fund (IMF) were waged using data compromised in the RSA intrusion.
In late May, Lockheed Martin disabled employee remote access and replaced several SecurID tokens after detecting unauthorized access attempts. The infiltrators may have cloned the SecurID tokens of Lockheed users to gain access, though the company reports it was able to thwart an attack and no data was compromised.
Wired.com then reported that in April, defense contractor L-3 Communications had warned employees about attempts to access the secure network using cloned SecurID tokens. It was not made clear whether or not the attack was successful or how the company determined the SecurID token to be the source of the intrusion.
Not long after, Northrop Grumman was also reported to have abruptly shut down remote access to its network after possibly suffering a similar intrusion.
And just this week, the IMF admitted it was the victim of a large and sophisticated attack that took place earlier this year over the span of several months. It is still unclear if the attack was directly related to the RSA breach, however the method used implies that it could be.
According to sources, the IMF attacks were conducted via spear phishing, a tactic where specifically targeted employees are tricked via official-looking emails into providing their login credentials. Keyloggers or other information-harvesting malware are sometimes slipped onto the employee’s system as well. This tactic is also a necessary step in breaches like those at Lockheed and L-3, and is considered to be a sophisticated method of acquiring personal details.
Hackers need more than just the SecurID token by itself to get into a network. They must also have the accompanying username and password that are used in conjunction with the token-generated passcode. The spear phishing emails mine this information from unsuspecting employees, and the hackers can then put the two factors together to breach the system.
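As an added illustration of the two-factor check described above (not code from the article, and not RSA’s algorithm: the proprietary SecurID code generator is replaced by an RFC 6238-style HMAC-SHA1 time step, and the user, PIN and seeds are constructed), a minimal verifier shows why a cloned seed alone is refused, why a cloned seed plus a phished PIN is accepted, and why reseeding the token, as Lockheed did when it replaced tokens, closes that hole:

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # article: each passcode is valid for sixty seconds
DIGITS = 6          # article: six-digit passcode


def token_code(seed: bytes, now: int) -> str:
    """What the token displays at time `now`. Stand-in for the proprietary
    SecurID algorithm: RFC 6238-style HMAC-SHA1 over the 60-second step."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Authentication server holding, per user, the PIN hash (something you
    know) and the token seed (something you have)."""

    def __init__(self):
        self.users = {}  # user -> (pin_hash, seed)

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (hashlib.sha256(pin.encode()).digest(), seed)

    def reseed(self, user: str, new_seed: bytes) -> None:
        """Token replacement: the old seed, and any clone of it, stops working."""
        pin_hash, _ = self.users[user]
        self.users[user] = (pin_hash, new_seed)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        pin_hash, seed = record
        pin_ok = hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest())
        # Accept the previous, current and next step to absorb clock drift;
        # anything older is an expired (replayed) passcode.
        code_ok = any(hmac.compare_digest(code, token_code(seed, now + d * STEP_SECONDS))
                      for d in (-1, 0, 1))
        return pin_ok and code_ok
```

Enroll a user with a constructed seed, call `verify` with the code from `token_code` and the right PIN, then again with the wrong PIN, a stale timestamp, and after `reseed`; only the first call should succeed.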
The sophistication and professional nature of these APT assaults – the intruders had to plan carefully and wait weeks between targeted attacks – along with the fact that the attacks were waged on companies in possession of key U.S. defense technology, lead many experts to openly speculate that China is behind the intrusions.
Rich Mogull, chief executive of Securosis, told CNET: “APT is a euphemism for China. There is a massive espionage campaign being waged by a country. It’s been going on for years, and it’s going to continue.”
And he’s not alone in his opinion. Canadian information security expert Rafal Rohozinski notes that “China has made no secret that they see cyberspace as the domain that allows them to compete with the U.S.” Rohozinski’s research on targeted attacks on Tibet and others with apparent roots in China can be found in a 2009 “GhostNet” report.
If the attacks can indeed be traced back to China, it is unclear whether they were state supported or carried out by independent contractors who sold the information to the Chinese government.
Somewhat ironically, all of this activity comes during a time when the Pentagon is busy constructing a formal cyber strategy to deal with computer sabotage coming from another country. Under the new plan, such infiltration can be deemed an act of war, which could allow the U.S. to respond with traditional military force.
According to a Wall Street Journal article on the subject, details including what would be considered triggers for retaliation and how much force is appropriate for different types of cyber attacks are still being sorted out. Unclassified sections of the document are expected to be made public this month.
While these intrusions and the threat of international cyber espionage may sound too far-removed from your own business security needs, the basic principles of protecting your network are the same. Be sure you have a solution in place that meets the security needs of your company. Ron is a network and information security specialist and will be happy to answer your questions – call him today and keep your systems protected.