
Northrop Grumman constantly under attack by cyber-gangs

CISO says forensics reveals distinct groups going after sensitive data

By , Network World
June 21, 2011 03:00 PM ET

Network World - NATIONAL HARBOR, Md. -- About a dozen separate legions of organized hackers have been diligently attempting for years to break into aerospace and defense company Northrop Grumman to steal sensitive information, the company's chief information security officer (CISO) said at a Gartner security conference here.

"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and CISO at Northrop Grumman, during a panel discussion on the topic of the "Advanced Persistent Threat" (APT), the term often used to describe attacks by hackers determined to break into companies and government agencies with the goal of stealing intellectual property or other sensitive information.

BACKGROUND: Lockheed Martin acknowledges 'significant' cyberattack

Northrop Grumman's monitoring, detection and prevention systems see so many traces of well-organized and determined hacker groups that the aerospace giant has actually managed to keep track of distinct profiles of about a dozen separate groups constantly trying their tricks to break in over the years.

The cyber-intelligence group at Northrop Grumman keeps a tally of forensics on attacks emanating from the groups that each work as a team "waking up each day to get into Northrop Grumman," McKnight said. "We can tell what their attack procedures are, how they write the malware."

The typical attack method is to attempt to compromise user machines through zero-day vulnerabilities. About 300 zero-day attack attempts were recorded last year, but the pace has since ramped up enormously, to the point where it is not uncommon to see zero-day exploits arriving at 11-minute intervals.

Attackers will do as much background investigation on a company as they can to be able to pinpoint the intellectual property they want, and what employees are closest to it, McKnight said.

RSA, which organized the panel discussion, knows about the problem itself all too well.

In March, RSA acknowledged it was hit by an APT attack that resulted in the theft of undisclosed information about its SecurID product. The problems only seemed to grow. Lockheed Martin recently disclosed that it was hit by an attempted APT that in part made use of this stolen information related to RSA SecurID tokens. Lockheed does not believe that the attackers managed to steal sensitive information, however.

After the attack on Lockheed Martin linked in part to SecurID, RSA offered existing customers a free swap to new RSA SecurID tokens. Gartner analyst John Pescatore said his firm is advising clients to definitely take the swap-out if they use SecurID for authentication of any external, Web-facing purpose, though it's viewed as less imperative for internal use. Alternatively, they can move to a new token vendor, he said.

As for preventative measures, David Walter, senior director of products at RSA, said there's a need for companies to "get serious about user training" of employees to resist attack methods such as social engineering. RSA has divulged that the APT strike on it started with someone opening a malware-filled attachment.
