ROME, N.Y. — One Monday last June, 16 workers logged into their computers at the defense contractor Exelis and found emails from a financial consultant who was advising them on a subsidiary’s planned spinoff. The message, sent the day before, offered updates on how the deal would affect their stock options. A spreadsheet was attached, and anyone who clicked on it got a pop-up window with the company logo asking for their user name and password.
They’d all gotten prior emails from the consultant, and password-protected spreadsheets were not unheard of at the Virginia-based company, which develops satellite, radar, and “electronic warfare” systems for the military and aerospace industries. A few of the workers typed in their credentials. Nothing seemed amiss.
Four days later, more than a dozen senior Exelis executives received the same email. They weren't sure why, but most didn't question it. “It seemed completely legitimate,” said Jill Wolf, a communications manager. “It just seemed like it was sent to me accidentally.” Finally, one of them grew suspicious and alerted Exelis’ Cyber Incident Response Center, stationed 400 miles away from headquarters, on a former Air Force base near Syracuse, New York.
Within an hour, a CIRC analyst had placed a copy of the suspect spreadsheet into a digital quarantine and disassembled it. The process revealed that the pop-up was a trap, designed to deliver the workers’ credentials to an Internet domain outside the company’s network. In short, they were under attack.
The CIRC’s eight members are among a growing number of corporate security crews assigned to protect their employers’ crown jewels from hackers. Trained in a myriad of disciplines, from computer forensics to malware reverse engineering, the best of these teams know better than to think they can keep criminals out of their networks. Instead, they use intelligence-gathering techniques to foil the enemy on their home turf. This is a new front in the battle to keep the Internet safe.
"Nobody is impervious to this."
They interviewed the consultant, who denied sending the original email. He'd likely been the victim of a "social engineering” campaign that duped him into giving access to his account, perhaps with a fraudulent email. Posing as the consultant, the attacker sent the spreadsheet as a way to sneak into Exelis’ network via workers’ login credentials and get access to an array of corporate secrets, from internal financial reports to blueprints of defense-technology products.
The technique, known as “spear phishing,” has become one of the most common, and potent, hacking tools, part of a creative wave of cybercrime that is less automated and more personal, capable of turning even the most tech-savvy into prey. Hackers used similar methods against Target last year, using an email embedded with malware to steal network credentials from a subcontractor, which allowed them to access the credit card data of 40 million customers. Researchers estimate that workers’ email addresses and passwords have been stolen from nearly half of America’s biggest companies, leaving them vulnerable to similar attacks. “We’re all just human. It’s going to happen,” said Josh Bartolomie, Exelis’ director of security architecture, who built the CIRC. “Nobody is impervious to this.”
On that day last June, his team deduced that their unknown enemy was likely at a keyboard somewhere, managing the attack in real time. It wouldn’t be long before the hacker would be able to download data and install viruses that could cripple the company, undermine its projects and make it a potential launching pad for attacks on other companies and government agencies.
There was a time, not long ago, when Internet security consisted mainly of anti-virus programs and network firewalls: update your software and patch your holes, the thinking went, and you’d be fine. But with a blossoming in the number of people and gadgets that connect to the Internet, the rapid sophistication of computer criminals and a series of record-setting data breaches, the Alamo-style defense has been proved futile. The Internet’s worst enemy is no longer strings of malevolent code scattered across the digital underworld, programmed to burrow inside poorly protected networks. It is, rather, a highly skilled hacker who chooses a target, researches its weaknesses, and tailors an attack for maximum damage. “Today, people pick out who they are going after, like a killer who picks out his prey,” said Lucas Zaichowsky, enterprise defense architect for Resolution1 Security.
These bandits increasingly are members of state-sponsored espionage groups looking to steal secrets from the American government, financial institutions and military contractors, researchers say. This past summer, JPMorgan Chase acknowledged that hackers with suspected ties to Russia had penetrated deep into their digital security vaults, exposing 83 million customers’ accounts. Months earlier, the U.S. government indicted five members of the Chinese military for stealing data from American companies. Senate investigators have also found evidence that hackers linked to the Chinese government have targeted private companies working for the U.S. military. “This is something that must be addressed because our competitiveness as a country is diminishing,” said Dmitri Alperovitch, chief technology officer of Crowdstrike, a security research firm that has outed foreign state-sponsored hacking groups, including a Chinese army unit.
China and other countries suspected of cyber espionage deny involvement, and counter that the U.S. has conducted its own campaigns, as exposed in documents leaked by former National Security Agency worker Edward Snowden.
It isn’t easy to accurately estimate the economic cost of hacking on American companies. Researchers estimate it to be in the billions every year. The Ponemon Institute put the average cost of data breaches alone at $3.5 million per attack.
With each hack, the once-obscure world of cybercrime feels more immediate, the stakes more urgent. “From the public consciousness’ perspective, it probably seems as though we went from ‘my computer has a virus’ to ‘my identity is stolen’ to ‘national security is at risk’ without any seeming warning,” said Mike Cloppert, chief research analyst for the computer incident response team at Lockheed Martin and one of the field’s top thinkers. “People who aren’t in on this on a daily basis are probably like, ‘What just happened?’”
Cloppert co-wrote a paper that is widely seen as a blueprint for the new paradigm of Internet defense, known as “threat intelligence,” that targets well-financed adversaries who spend years planning and carrying out attacks. Rather than obsessing over keeping these “advanced persistent threats” from entering a network, Cloppert’s “kill chain” model emphasizes the importance of counter-intelligence: studying an enemy’s behavior, and using that information to keep it from doing any damage. This approach allows defenders to avoid an endless game of Whac-A-Mole and focus resources on the most dangerous threats.
A growing number of America’s largest companies, led by members of the defense and financial industries, have embraced the challenge. Some are obligated by government or industry rules. Others have fallen victim and are trying to learn from their mistakes. The most forward-thinking have hired teams of crack security analysts and tapped a flood of third-party services that use threat data to predict attacks. The point, Bartolomie said, “is to make it harder for the attacker. The longer it takes them, the more time you have to detect them.”
“All of us have this feeling that no matter how much we do, it’s never going to be enough.”
The CIRC—one of dozens of Exelis outposts spread across the globe—is housed in a modular lime-green and beige building on the grounds of the decommissioned Griffiss Air Force Base. The complex overlooks a Cold War-era landing strip and B-52 hangars, a juxtaposition that lends itself to all kinds of military analogies. The squad is overseen by David Fastabend, a retired Army major general who sees many similarities between digital and traditional warfare, with one big difference: on the virtual battlefield, space and time play little part. “You could be on the front edge of cyber warfare in Rome, New York, or in Omaha or in Panama City or the study of your house,” Fastabend said. “The physics of it don’t matter.”
The CIRC itself doesn’t look like much, at least not at first. The décor is straight out of Office Depot, down to the bowls of Starlight mints, Coffee-mate dispensers, and aquatic-themed wall art. Young men and women stare into banks of monitors under the glare of fluorescent lights. But beneath the soporific appearance runs a nervous energy fueled by the knowledge that the next intrusion is a matter of when, not if.
Torrents of data wash across the analysts’ screens, a real-time scan of traffic hammering the network at a rate of 1,000 “events” a second. Vulnerabilities are discovered and patched, fishy emails bounced, rudimentary attacks repelled. The most sophisticated attacks require more attention. The team investigates anywhere from 1,000 to 1,500 attempted intrusions a year, or about two to four per day, half of which are phishing attacks. “All of us have this feeling that no matter how much we do, it’s never going to be enough,” said Greg Toussaint, a threat-intelligence specialist. “Because we all realize that attackers are always a step ahead.”
Many of the CIRC’s investigations begin as a diagram on a whiteboard. For a month last summer, one of the boards was taken up by Toussaint’s crude, multi-colored rendering of the team’s analysis of a virus found in the Exelis network. At the outer ring were the names of countries where they’d tracked those who might use it: China, Iran, Iraq.
The Exelis team doesn’t necessarily care to identify their adversaries, as Crowdstrike does. That takes precious time and effort that could be spent thwarting other attacks. Instead, they focus on the hackers’ “tactics, techniques and procedures”—a digital shadow that might help block them. “We try to prioritize to focus on the right things at the right time, rather than everything all of the time,” Bartolomie said.
"It’s going to be a constant escalation."
There was no time to diagram the stock-options hack. The Exelis team worked methodically, tracing the attack to its origins. They determined who in the company got the malware-laced email and who gave up their credentials, and reset those employees’ passwords. They examined traffic to the domain linked to the infected spreadsheet, and blocked traffic coming from it. They scoured the network for signs of an intrusion.
The team discovered that the consultant’s email credentials had been used from points that appeared to be overseas. But the locations were impossible to verify, because the Internet addresses associated with those computers belonged to Tor, an anonymity network that masks a user’s origin. One of the CIRC analysts found a list of addresses connected to Tor, and built an alert that would flag traffic from them. The team also found evidence of people doing what appeared to be pre-attack reconnaissance on the board of directors, senior management and key projects.
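The response steps described in the last two paragraphs (working out who submitted credentials to the harvesting domain so their passwords can be reset, listing the internal machines that touched that domain, and flagging logins from Tor exit addresses) as an added Python example. This is not Exelis’ or the CIRC’s code. The log format, usernames, the harvesting domain and every IP address are constructed for the example (the addresses come from RFC 5737 documentation ranges), and the short Tor list stands in for a published exit-node list.

```python
"""Triage helpers for a credential-phishing incident (added example, constructed data)."""
import ipaddress

# Constructed placeholder: the domain the fake login pop-up posted credentials to.
CREDENTIAL_HARVEST_DOMAINS = {"stockoptions-update.invalid"}

# Constructed stand-in for a published Tor exit-node list (one IP or CIDR per line).
TOR_EXIT_LIST = """
# tor exit addresses, constructed for this example
203.0.113.7
203.0.113.44
198.51.100.0/28
"""

# Constructed key=value log lines in the style of a merged proxy/authentication log.
SAMPLE_LOG = """
2014-06-09T08:12:31Z type=proxy src=10.20.30.41 user=alice method=POST host=stockoptions-update.invalid uri=/login status=200
2014-06-09T08:13:02Z type=proxy src=10.20.30.52 user=bob method=GET host=intranet.example.invalid uri=/ status=200
2014-06-09T08:15:47Z type=proxy src=10.20.30.60 user=carol method=POST host=stockoptions-update.invalid uri=/login status=200
2014-06-09T08:16:10Z type=proxy src=10.20.30.61 user=dave method=GET host=stockoptions-update.invalid uri=/sheet status=200
2014-06-13T02:14:05Z type=auth src=203.0.113.7 user=alice event=vpn_login result=success
2014-06-13T02:20:19Z type=auth src=198.51.100.9 user=consultant event=mail_login result=success
2014-06-13T09:01:00Z type=auth src=192.0.2.15 user=bob event=vpn_login result=success
"""


def load_tor_exits(text):
    """Parse an exit-node list into ip_network objects; comments and blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with the timestamp under 'ts'."""
    parts = line.split()
    record = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_tor_exit(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def users_who_submitted_credentials(records, domains):
    """Users whose browser POSTed to a harvesting domain: these accounts need a password reset."""
    return sorted({r["user"] for r in records
                   if r.get("type") == "proxy" and r.get("method") == "POST"
                   and r.get("host") in domains})


def hosts_that_contacted(records, domains):
    """Internal addresses that reached the domain at all (even a GET), for follow-on hunting."""
    return sorted({r["src"] for r in records
                   if r.get("type") == "proxy" and r.get("host") in domains})


def logins_from_tor(records, nets):
    """Successful authentications whose source address is on the Tor exit list."""
    return [(r["ts"], r["user"], r["src"]) for r in records
            if r.get("type") == "auth" and r.get("result") == "success"
            and is_tor_exit(r["src"], nets)]


def triage(log_text=SAMPLE_LOG, tor_text=TOR_EXIT_LIST, domains=CREDENTIAL_HARVEST_DOMAINS):
    records = parse_log(log_text)
    nets = load_tor_exits(tor_text)
    return {
        "reset_passwords": users_who_submitted_credentials(records, domains),
        "hosts_to_examine": hosts_that_contacted(records, domains),
        "tor_logins": logins_from_tor(records, nets),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The POST filter deliberately separates users who typed a password into the pop-up from those who merely opened the page, which is the distinction the article draws when it says the team determined who gave up their credentials; a cautious team would still reset every recipient. Matching against the exit list uses network objects so a list that mixes single addresses and CIDR blocks works unchanged, and the same `is_tor_exit` check is what a standing alert on new traffic would call.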
A few days later, federal authorities seized the server the malicious domain pointed to, which turned out to be owned by a small non-profit that had nothing to do with the attack. The hackers had taken control of it remotely, and, authorities discovered, wiped evidence of their presence. The small organization didn’t appear to have a security team, and didn’t maintain network logs. The trail went cold.
So far, the team hasn’t detected anything stolen from their network, or anything planted inside. But it’s hard not to dwell on what could have been lost had that original email not been flagged: strategies for bidding on government contracts, analyses from senior military officials, examinations of the company’s vulnerabilities and strengths. The CIRC team is conducting an audit of how the attack unfolded, and if there were additional tools they could use to detect similar ones. They’re also redoubling efforts to educate workers on avoiding email phishing campaigns.
And this was just one attack. The hammering of the network continues unabated. Hackers’ tactics keep changing.
There is a growing emphasis among industry security teams to share what they see, which helps. “Now, as we collectively all start making things harder for them, it’s going to be a constant escalation,” Bartolomie said. “But I do think that the work we do, the information that we’re sharing and the partnerships we’ve built and the technology we create does have a role in making the problem better—or, I should say, reducing the problem.”