Lockheed Martin Says Attackers Went Quiet After Mandiant's APT1 Report Called Out Chinese Cyber Spies
Threat actors targeting Lockheed Martin immediately halted their cyberattacks against the defense contractor following the release of Mandiant’s APT1 report, Lockheed executives said Wednesday.
In February 2013, Mandiant released its bold, unprecedented report that made direct allegations and exposed a massive, multi-year, state-sponsored cyber espionage campaign from a unit of China’s People’s Liberation Army (PLA).
The threat actor group, dubbed APT1 by FireEye-owned Mandiant, is alleged to be one of the most persistent of China's cyber threat actors, which the security firm claims has “systematically stolen hundreds of terabytes of data” from at least 141 organizations.
However, as Mandiant explained in a follow-up report released in May 2013, the threat actors immediately began curtailing their attacks after being called out and began to shift techniques, something that Lockheed witnessed in its own environment.
“Since the Mandiant report came out, we saw an immediate decrease in attacks,” Charles “Charlie” Croom, VP of Cyber Strategy and Government Relations at Lockheed Martin Information Systems & Global Solutions, told SecurityWeek. “I think all our strategic partners saw that,” he said.
Speaking to SecurityWeek at the company’s Global Vision Center in Arlington, Virginia, Croom said the adversary that Mandiant exposed was one that a number of companies, including Lockheed Martin, had been tracking for over a year. “We were familiar with this adversary, and were familiar with their tactics and procedures,” he said.
“Because of the characteristics of the attacks, and who they are attacking, we know who the team is,” Croom said.
While Mandiant’s report was met with criticism by some, particularly around the challenges of attribution, it’s clear that the report had a significant impact and triggered a reaction from the alleged state-sponsored threat actors.
“We’re glad Mandiant stood up,” Croom said.
“[The report] was a trigger point,” Darrell Durst, VP of Cyber Solutions at Lockheed Martin, said during a panel discussion at the Lockheed Martin Defense and Intelligence Technology Media Summit on Wednesday. “Things were dying down even before the report came out, but you could clearly see a shift in actions.”
Croom, who while in the U.S. Air Force served as Director of the Defense Information Systems Agency (DISA) and Commander of the Joint Task Force for Global Network Operations, said that, while not necessarily as a result of the APT1 report, Lockheed’s hardened IT security infrastructure is forcing some attackers to find other means to attack.
“The good news is that they are not attacking Lockheed Martin any more because we are too hard, so they are going to our suppliers,” he said.
“The threat over the last ten years has gotten extremely aggressive,” Durst said. “[Attackers] are actually being very strategic in where it is that they want to get the information and how they are going to go about doing that.”
“They will wait,” Durst said, adding that attackers will take their time in order to get in and achieve their objectives.
“They will go to a supplier who has the connection to Lockheed Martin from an IT perspective, or even in a sharing of documentation,” Durst said.
While Durst says the defense giant has been successful in thwarting a number of attackers, he said new adversaries with new techniques continue to emerge and campaigns continue to increase.
“We have seen a number of the adversaries gone quiet,” he said. “I think we have successfully been able to counter a number of adversaries relative to our networks.”
While some attackers may have gone quiet, the company does not believe they have gone away for good, but rather that they have shifted tactics.
“Even if it were two years, that’s not necessarily an indication that they have gone away,” Durst said.
“We are assuming they are taking a different approach,” said Tim Reardon, Vice President and General Manager of Lockheed’s Defense & Intelligence Solutions group.
While Lockheed did not specify the tactics used against them by the APT1 attackers, Mandiant’s report explained that the group used highly targeted spear-phishing techniques to infect a target, which included creating fake email accounts in the name of someone that the target would recognize.
When asked if they were able to trace the attacks back to China, Croom reiterated the company’s policy of non-attribution.
“We’re interested more in their attributes, and how their attributes can reveal them coming into our network so that we can spot them and kick them out.”