Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Lockheed: Attackers Went Quiet After APT1 Report Exposed Chinese Hackers

Lockheed Martin Defense & Intelligence Solutions Technology Media Summit

Lockheed Martin Says Attackers Went Quiet After Mandiant’s APT1 Report Called Out Chinese Cyber Spies

Lockheed Martin Defense & Intelligence Solutions Technology Media Summit

Lockheed Martin Says Attackers Went Quiet After Mandiant’s APT1 Report Called Out Chinese Cyber Spies

Threat actors targeting Lockheed Martin immediately halted their cyberattacks against the defense contractor following the release of Mandiant’s APT1 report, Lockheed executives said Wednesday.

In February 2013, Mandiant released its bold, unprecedented report that made direct allegations and exposed a multi-year, massive cyber state-sponsored espionage campaign from a unit of China’s People’s Liberation Army (PLA).

The threat actor group, dubbed APT1 by FireEye-owned Mandiant, is alleged to be one of the most persistent of China’s cyber threat actors, which the security firm claims has “systematically stolen hundreds of terabytes of data” from at least 141 organizations.

However, as Mandiant explained in a follow-up report released in May 2013, the threat actors immediately began curtailing their attacks after being called out and began to shift techniques, something that Lockheed witnessed in its own environment. 

“Since the Mandiant report came out, we saw an immediate decrease in attacks,” Charles “Charlie” Croom, VP of Cyber Strategy and Government Relations at Lockheed Martin Information Systems & Global Solutions, told SecurityWeek. “I think all our strategic partners saw that,” he said.

Speaking to SecurityWeek at the company’s Global Vision Center in Arlington, Virginia, Croom said the adversary that Mandiant exposed was one that a number of companies, including Lockheed Martin, had been tracking for over a year. “We were familiar with this adversary, and were familiar with their tactics and procedures,” he said.

“Because of the characteristics of the attacks, and who they are attacking, we know who the team is,” Croom said.

While Mandiant’s report was met with criticism by some, particularly around the challenges of attribution, it’s clear that the report had a significant impact and triggered a reaction from the alleged state sponsored threat actors.

“We’re glad Mandiant stood up,” Croom said.

“[The report] was a trigger point”, Darrell Durst, VP of Cyber Solutions at Lockheed Martin, said during a panel discussion at the Lockheed Martin Defense and Intelligence Technology Media Summit on Wednesday. “Things were dying down even before the report came out, but you could clearly see a shift in actions.”

Targeting Suppliers

While not necessarily as a result of the APT1 report, Croom, who while in the U.S. Air Force served as Director of the Defense Information Systems Agency (DISA) and Commander of the Joint Task Force for Global Network Operations, said that Lockheed’s hardened IT security infrastructure is forcing some attackers to find other means to attack.

“The good news is that they are not attacking Lockheed Martin any more because we are too hard, so they are going to our suppliers,” he said.

“The threat over the last ten years has gotten extremely aggressive,” Durst said. “[Attackers] are actually being very strategic in where it is that they want to get the information and how they are going to go about doing that.”

“They will wait,” Durst said, adding that attackers will take their time in order to get in and achieve their objectives.

“They will go to a supplier who has the connection to Lockheed Martin from an IT perspective, or even in a sharing of documentation,” Durst said.

While Durst says the defense giant has been successful in thwarting a number of attackers, he said new adversaries with new techniques continue to emerge and campaigns continue to increase.

“We have seen a number of the adversaries gone quiet,” he said. “I think we have successfully been able to counter a number of adversaries relative to our networks.”

While some attackers may have gone quiet, the company does not believe they have gone away for good, but have rather shifted tactics.

“Even if it were two years, that’s not necessarily an indication that they have gone away,” Durst said.

“We are assuming they are taking a different approach,” said Tim Reardon, Vice President and General Manager Lockheed’s Defense & Intelligence Solutions group.

While Lockheed did not specify the tactics used against them by the APT1 attackers, Mandiant’s report explained that the group used highly targeted spear-phishing techniques to infect a target, which included creating fake email accounts in the name of someone that the target would recognize.

When asked if they were able to trace the attacks back to China, Croom reiterated the company’s policy of non-attribution.

“We’re interested more in their attributes, and how their attributes can reveal them coming into our network so that we can spot them and kick them out.”

Related ReadingCyber Espionage Campaign Targeting Supply Chain Through Precision ‘Hit and Run’ Attacks

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

CISO Conversations

SecurityWeek speaks with two leading CISOs in the aviation industry – Mitch Cyrus of Honda Aircraft, and Mark Ferguson of Bombardier.