Incident: Hackers Target Defense Contractors Using Stolen SecurID Information

Published Date: 2011-05-31

Postmortem Analysis
Timeline
1. The hack targeting L-3 Communications and Lockheed Martin occurred in April 2011, as mentioned in the article [5661].

System
1. SecurID keyfob system [5661]
2. SecurID two-factor authentication products [5661]

Responsible Organization
1. Hackers targeted L-3 Communications and Lockheed Martin, causing the software failure incident [5661].

Impacted Organization
1. L-3 Communications [5661]
2. Lockheed Martin [5661]
3. Northrop Grumman [5661]

Software Causes
1. The software cause of the failure incident was a hack targeting the SecurID keyfob system, carried out with inside information freshly stolen in an acknowledged breach at RSA Security [5661].
2. The attackers gained access by cloning the SecurID keyfobs of Lockheed users, indicating a software vulnerability in the SecurID system [5661].
3. The breach involved stealing information related to RSA's SecurID two-factor authentication products, highlighting a software vulnerability in the authentication system [5661].

Non-software Causes
1. Inside information on the SecurID keyfob system, freshly stolen in an acknowledged breach at RSA Security [5661]
2. Cloning of the SecurID keyfobs of Lockheed users [5661]

Impacts
1. The software failure incident led to hackers targeting defense contractors such as L-3 Communications and Lockheed Martin, potentially compromising sensitive information and security systems [5661].
2. The incident raised concerns about the security of the SecurID keyfob system, which is used by various federal agencies and Fortune 500 companies, indicating a potential risk to a large number of users [5661].
3. Following the breach, companies such as Northrop Grumman took immediate action, shutting down remote access and resetting passwords across the organization, which highlights the urgency and seriousness of the situation [5661].

Preventions
1. Implementing stronger cybersecurity measures, such as multi-factor authentication beyond SecurID tokens alone, could have prevented the software failure incident [5661].
2. Regularly updating and patching software vulnerabilities to prevent exploitation by hackers could have helped prevent the breach [5661].
3. Conducting thorough security audits and assessments to identify and address weaknesses in the network infrastructure could have prevented the intrusion [5661].

Fixes
1. Implementing stronger cybersecurity measures to prevent future hacking incidents, such as enhancing network security protocols and encryption methods [5661].
2. Conducting a thorough review and potential redesign of the SecurID keyfob system to address the vulnerabilities that were exploited by hackers [5661].
3. Enhancing employee training on cybersecurity best practices to prevent social engineering attacks and improve overall network security [5661].

References
1. Executive at L-3 Communications
2. L-3's Stratus Group
3. L-3 spokeswoman Jennifer Barton
4. Lockheed Martin
5. RSA Security
6. RSA spokeswoman Helen Stefen
7. Fox News
8. Northrop Grumman

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the hack targeting the SecurID keyfob system has happened again at L-3 Communications, a defense contractor. The company was actively targeted with penetration attacks leveraging compromised information from the RSA breach [5661].
(b) The same kind of incident has also happened at Lockheed Martin, another defense contractor. Attackers may have gained access by cloning the SecurID keyfobs of Lockheed users [5661]. Additionally, Northrop Grumman, the second largest U.S. defense contractor and a SecurID customer, experienced a similar incident: it abruptly shut down remote access to its network and instituted a domain name and password reset across the entire organization [5661].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) design: Hackers targeted defense contractors such as L-3 Communications and Lockheed Martin by leveraging compromised information from the SecurID keyfob system breach at RSA Security. This points to a failure in the design of the SecurID system, which allowed hackers to potentially clone keyfobs and gain unauthorized access to sensitive information [5661].
(b) operation: Attackers may have gained access to Lockheed Martin's network by cloning the SecurID keyfobs of users. This indicates a failure in the operation or use of the SecurID system, where attackers exploited the system's vulnerabilities to carry out their intrusion [5661].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident reported in the articles is primarily due to contributing factors that originate from within the system. The incident involved hackers targeting companies such as L-3 Communications and Lockheed Martin by leveraging compromised information from the SecurID keyfob system breach at RSA Security [5661]. The attackers potentially gained access by cloning the SecurID keyfobs of users, indicating a vulnerability within the system itself. Additionally, the use of SecurID for remote employee access to the unclassified corporate network at L-3 Communications further emphasizes the reliance on the internal system that the hackers exploited [5661].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) non-human_actions: The software failure incident was primarily due to non-human actions, specifically a hack targeting the SecurID keyfob system used by companies such as L-3 Communications and Lockheed Martin. Hackers were able to leverage compromised information from a breach at RSA Security to target these defense contractors, potentially gaining access by cloning the SecurID keyfobs of users. This non-human action of hacking led to the security breach and the potential compromise of sensitive information [5661].
(b) human_actions: Human actions also played a role in this software failure incident, as employees at L-3 Communications were warned about the hacking attempts and the need to protect the network. Additionally, responses from company executives and spokespeople, such as declining to comment or emphasizing the priority of network protection, reflect human actions taken in response to the incident [5661].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) hardware:
- The incident involved a breach at RSA Security in which intruders succeeded in stealing information related to the company's SecurID two-factor authentication products, which are hardware tokens [5661].
- The breach led to hackers targeting defense contractors such as L-3 Communications and Lockheed Martin by leveraging compromised information, potentially including the encryption seeds for the SecurID tokens used in hardware keyfobs [5661].
(b) software:
- The software failure incident was primarily due to a breach of the software security of RSA Security's SecurID two-factor authentication products, allowing intruders to steal crucial information [5661].
- The incident involved the use of social engineering and zero-day vulnerabilities to infiltrate the target network, indicating a software security flaw that the attackers exploited [5661].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) malicious: The software failure incident in this case is malicious. Hackers targeted defense contractors such as L-3 Communications and Lockheed Martin using inside information on the SecurID keyfob system stolen in an acknowledged breach at RSA Security [5661]. The attackers may have gained access by cloning the SecurID keyfobs of Lockheed users, suggesting that the RSA intruders obtained crucial information for targeted intelligence-gathering missions against sensitive U.S. targets [5661]. The breach was characterized as an "advanced persistent threat" (APT), a sophisticated attack involving social engineering and zero-day vulnerabilities to infiltrate the target network [5661].
(b) non-malicious: There is no information in the articles to suggest that the failure was due to contributing factors introduced without intent to harm the system.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The breach at RSA Security and the subsequent targeting of defense contractors such as L-3 Communications and Lockheed Martin was not due to accidental decisions but rather to poor decisions made by hackers who successfully infiltrated the systems by leveraging compromised information from the RSA breach [5661].
(b) The incident was the result of poor decisions made by hackers who strategically targeted defense contractors such as L-3 Communications and Lockheed Martin by exploiting vulnerabilities in the SecurID keyfob system, which was compromised in the RSA breach [5661].

Category: Capability (Incompetence/Accidental)
Option: unknown
Rationale:
(a) development_incompetence: The articles do not provide information about the software failure incident occurring due to development incompetence.
(b) accidental: The software failure incident reported in the articles was not accidental but rather a targeted attack by hackers who exploited vulnerabilities in the SecurID keyfob system, as seen in the breaches at companies such as L-3 Communications and Lockheed Martin. The attackers were able to gain access to sensitive information and potentially clone SecurID keyfobs, indicating a deliberate and sophisticated cyberattack rather than an accidental failure [5661].

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident described in the articles is more likely to be considered permanent than temporary. The incident involved a sophisticated hack targeting the SecurID keyfob system, using inside information freshly stolen in an acknowledged breach at RSA Security. The attackers were able to obtain crucial information, possibly including encryption seeds for SecurID tokens, which they used in targeted intelligence-gathering missions against sensitive U.S. targets. The breach was described as an "advanced persistent threat" (APT), indicating a highly sophisticated and ongoing attack [5661]. Additionally, the incident led to defense contractors such as L-3 Communications and Lockheed Martin being actively targeted with penetration attacks leveraging the compromised information, suggesting a long-term impact on their security systems [5661].

Category: Behaviour
Option: omission, other
Rationale:
(a) crash: The articles do not specifically mention a software crash in which the system loses state and does not perform any of its intended functions.
(b) omission: The incident involves a failure related to the omission of intended functions. The article mentions that hackers targeted defense contractors such as L-3 Communications and Lockheed Martin by leveraging compromised information from the RSA breach, potentially gaining access to sensitive information and systems [5661].
(c) timing: The articles do not indicate a timing-related failure in which the system performs its intended functions but at incorrect times.
(d) value: The incident does not directly involve a failure in which the system performs its intended functions incorrectly.
(e) byzantine: The incident does not exhibit a byzantine failure in which the system behaves erroneously with inconsistent responses and interactions.
(f) other: The behaviour of the software failure incident in this case is a security breach in which hackers targeted companies such as L-3 Communications and Lockheed Martin by exploiting compromised information from the RSA breach, potentially leading to unauthorized access to sensitive systems and data [5661].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence, other
Rationale:
(a) death: People lost their lives due to the software failure - No information in the provided article suggests that people lost their lives due to the software failure incident. [5661]
(b) harm: People were physically harmed due to the software failure - No information in the provided article suggests that people were physically harmed due to the software failure incident. [5661]
(c) basic: People's access to food or shelter was impacted because of the software failure - No information in the provided article suggests that people's access to food or shelter was impacted due to the software failure incident. [5661]
(d) property: People's material goods, money, or data were impacted due to the software failure - The software failure incident resulted in potential risks to the sensitive information and security systems of defense contractors such as L-3 Communications and Lockheed Martin. The breach of the SecurID keyfob system could have serious implications for data security and confidentiality. [5661]
(e) delay: People had to postpone an activity due to the software failure - No information in the provided article suggests that people had to postpone an activity due to the software failure incident. [5661]
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted the security systems and networks of defense contractors such as L-3 Communications and Lockheed Martin. Non-human entities such as security systems and networks were affected by the breach. [5661]
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences related to potential risks to the data security and confidentiality of defense contractors. [5661]
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article discusses potential consequences of the software failure incident, such as the ability of intruders to clone SecurID keyfobs and the broader implications of the breach for organizations using SecurID. These potential consequences were not confirmed to have occurred. [5661]
(i) other: Was there a consequence of the software failure not described in options (a) to (h)? What is the other consequence? - The breach of the SecurID keyfob system could have led to unauthorized access to sensitive information and potentially compromised the security of government and defense contractor networks. This breach could have far-reaching consequences beyond what was immediately observable. [5661]

Category: Domain
Option: government
Rationale:
(a) The failed system was related to the defense industry, specifically affecting defense contractors such as L-3 Communications and Lockheed Martin. The incident involved hackers targeting these companies using inside information on the SecurID keyfob system stolen in an acknowledged breach at RSA Security [5661]. The article mentions that L-3 Communications provides command-and-control, communications, intelligence, surveillance, and reconnaissance technology to the Pentagon and intelligence agencies [5661].
(l) The failed system was also related to the government sector, as the defense contractors targeted in the attack provide services to the Pentagon and intelligence agencies [5661]. The article highlights that the Pentagon was in the final stages of formalizing a doctrine for military operations in cyberspace, indicating the significance of the defense industry in this incident [5661].
(m) The incident did not directly relate to any other industry mentioned in the options provided.

Sources
