Lockheed: Attackers Went Quiet After APT1 Report Exposed Chinese Hackers

Lockheed Martin Defense & Intelligence Solutions Technology Media Summit

Lockheed Martin Says Attackers Went Quiet After Mandiant’s APT1 Report Called Out Chinese Cyber Spies

Threat actors targeting Lockheed Martin immediately halted their cyberattacks against the defense contractor following the release of Mandiant’s APT1 report, Lockheed executives said Wednesday.

In February 2013, Mandiant released its bold, unprecedented report that made direct allegations and exposed a massive, multi-year, state-sponsored cyber espionage campaign from a unit of China’s People’s Liberation Army (PLA).

The threat actor group, dubbed APT1 by FireEye-owned Mandiant, is alleged to be one of the most persistent of China’s cyber threat actors, which the security firm claims has “systematically stolen hundreds of terabytes of data” from at least 141 organizations.

However, as Mandiant explained in a follow-up report released in May 2013, the threat actors immediately began curtailing their attacks after being called out and began to shift techniques, something that Lockheed witnessed in its own environment. 

“Since the Mandiant report came out, we saw an immediate decrease in attacks,” Charles “Charlie” Croom, VP of Cyber Strategy and Government Relations at Lockheed Martin Information Systems & Global Solutions, told SecurityWeek. “I think all our strategic partners saw that,” he said.

Speaking to SecurityWeek at the company’s Global Vision Center in Arlington, Virginia, Croom said the adversary that Mandiant exposed was one that a number of companies, including Lockheed Martin, had been tracking for over a year. “We were familiar with this adversary, and were familiar with their tactics and procedures,” he said.

“Because of the characteristics of the attacks, and who they are attacking, we know who the team is,” Croom said.

While Mandiant’s report was met with criticism by some, particularly around the challenges of attribution, it’s clear that the report had a significant impact and triggered a reaction from the alleged state-sponsored threat actors.

“We’re glad Mandiant stood up,” Croom said.

“[The report] was a trigger point,” Darrell Durst, VP of Cyber Solutions at Lockheed Martin, said during a panel discussion at the Lockheed Martin Defense and Intelligence Technology Media Summit on Wednesday. “Things were dying down even before the report came out, but you could clearly see a shift in actions.”

Targeting Suppliers

While not necessarily as a result of the APT1 report, Croom, who while in the U.S. Air Force served as Director of the Defense Information Systems Agency (DISA) and Commander of the Joint Task Force for Global Network Operations, said that Lockheed’s hardened IT security infrastructure is forcing some attackers to find other means to attack.

“The good news is that they are not attacking Lockheed Martin any more because we are too hard, so they are going to our suppliers,” he said.

“The threat over the last ten years has gotten extremely aggressive,” Durst said. “[Attackers] are actually being very strategic in where it is that they want to get the information and how they are going to go about doing that.”

“They will wait,” Durst said, adding that attackers will take their time in order to get in and achieve their objectives.

“They will go to a supplier who has the connection to Lockheed Martin from an IT perspective, or even in a sharing of documentation,” Durst said.

While Durst says the defense giant has been successful in thwarting a number of attackers, he said new adversaries with new techniques continue to emerge and campaigns continue to increase.

“We have seen a number of the adversaries gone quiet,” he said. “I think we have successfully been able to counter a number of adversaries relative to our networks.”

While some attackers may have gone quiet, the company does not believe they have gone away for good, but rather that they have shifted tactics.

“Even if it were two years, that’s not necessarily an indication that they have gone away,” Durst said.

“We are assuming they are taking a different approach,” said Tim Reardon, Vice President and General Manager of Lockheed’s Defense & Intelligence Solutions group.

While Lockheed did not specify the tactics used against them by the APT1 attackers, Mandiant’s report explained that the group used highly targeted spear-phishing techniques to infect a target, which included creating fake email accounts in the name of someone that the target would recognize.

When asked if they were able to trace the attacks back to China, Croom reiterated the company’s policy of non-attribution.

“We’re interested more in their attributes, and how their attributes can reveal them coming into our network so that we can spot them and kick them out.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
