Security experts are openly speculating that China may be behind the recent unauthorized network access events at several U.S. defense contractors, and that they may also be responsible for the RSA SecurID breach as well.
RSA, the security division of EMC, announced in mid-March they had suffered a breach stemming from an attack on their network systems that targeted proprietary information about the company's SecurID product.
SecurID is a product designed to prevent unauthorized access to enterprise network systems, and exposure of proprietary information about the product could in turn make RSA's clients more vulnerable to hacks themselves.
RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.
Few details have ever been released about the scope of the breach, but analysts expected the unauthorized access to sensitive SecurID information would have a widespread impact.
In late May defense contractor Lockheed disabled their employees remote access privileges while the company reissued new SecurID tokens to all telecommuting workers, as well as requiring all employees with network access to change their passwords, after detecting unauthorized access attempts.
Shortly thereafter, defense contractor Northrop Grumman has also reportedly disabled remote access to company networks, and L-3 Communications reported the company has suffered a network breach stemming from cloned RSA SecurID tokens.
Compromised tokens alone are not enough to get an attacker in the door of a company using SecurID. Targeted spear-phishing operations need to be conducted against employees to elicit the corresponding passcodes needed to gain access to the company's networks.
"Having the key, or token, isn't enough to break into a system. Attackers also need to have the passcode that token holders use when they are logging in to a network. Phishing e-mails that trick recipients into revealing their log-ins and e-mails bearing malware that infects the recipient's computer are commonly used to get that information," wrote Cnet's Elinor Mills.
"Having done their homework, the attackers know to craft an official-looking e-mail coming from a person or organization the recipient would trust. Such sophisticated attacks on a specific target that are designed to steal credentials in order to get into the network to access critical data are known as Advanced Persistent Threats, or APT," Mills continued.
Such a sophisticated APT operation leads many security experts to believe that China is ultimately behind the attacks on U.S.defense contractors.
"APT is a euphemism for China. There is a massive espionage campaign being waged by a country. It's been going on for years, and it's going to continue," said Rich Mogull, chief executive of Securosis.
Other security experts agree. According to an article by
"China has made no secret that they see cyberspace as the domain that allows them to compete with the U.S. The reality is, part of the basis of U.S. hegemony... has been the ability to leverage command of signals intelligence to have perspective on the motivations and activities of others. Cyberspace has equalized that, so all of a sudden we're in a competitive intelligence environment," Rohozinski said.
While numerous nations are involved in varying levels of cyber aggression, what makes the Chinese threat so much more palpable is the systemic nature and comparatively large scale of the state-sponsored cyber-offensive operations, as evidenced by attacks like Operation Aurora, Ghostnet, and most recently Night Dragon.
"If it's any kind of military espionage, military adversaries are going to be high on the list. The question then is who in China--is it government agents or independent contractors selling to the Chinese government?" asked Veracode's Chris Wysopal.
