Three US DOD contractors reported being ‘hacked’ through the use of cloned RSA SecurID access control vectors. The L3 and Northrop Grumman attacks were reported in early June 2011 and the Lockheed Martin attack was reported in late May 2011.
(Illustration: McGruff, the anti-crime dog @ http://www.ncpc.org/)
The almost too easy conclusion to jump to is that US DOD contractors and other critical infrastructure targets were the motivation behind the March 2011 attack against RSA, the security division of EMC. The hack was reported on by a number of publications (e.g. Wired http://www.wired.com/threatlevel/2011/03/rsa-hacked/). For those among my readers who are interested in the cyber side, here’s some additional background.
RSA’s Executive Chairman, Art Coviello, posted an open letter (see http://www.rsa.com/node.aspx?id=3872). In his letter Mr. Coviello said: “Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
While the attacker was no doubt a well-funded and disciplined nation state motivated by the information they would gather, from a cyber perspective this is a great example of combining Computer Network Exploitation (CNE) and Computer Network Attack (CNA).
However, I’d like to explore the psychological aspects of the attack. If my theory about the attacker is correct, I’m sure they are still smiling about the unseen and perhaps emotional impact felt by the victims.
I compare these cyber attacks to having your home burgled and personal possessions stolen. There is an irrational and emotional sense of personal violation even though the crime itself is non-violent and material possessions can always be replaced.
No doubt the contractors placed their confidence in the RSA commercial product figuring that it would afford them a comfortable level of protection. They probably never anticipated that anyone would attack the vendor and then exploit them and so there is the same feeling as being robbed in spite of having a burglar alarm and a large dog.
While NSA and the Cyber Command are not likely to comment publicly even if they ‘know’ the source of the attack, DOD and the Contractors are now on notice that their bedrooms have been robbed and their jewelry is gone. This is powerful psychological stuff and should be recognized as such.
This latest episode is the clearest evidence yet of the need to combine PSYOP with cyber regardless of the command ‘rice bowl’ issues and the veil surrounding our cyber efforts. SWC needs to ensure that PSYOP curriculums feature enough practical CNE, CNA and Computer Network Defense (CND) so that our influence warriors can dominate the cyber information battlespace as well as our conventional domains.