Wednesday, August 3, 2011

Enter the Cyber-dragon

by Michael Joseph Gross


Hackers have attacked America’s defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber-war—Operation Aurora! Operation Shady rat!—and learns why Washington has been slow to fight back.


Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said “2011 Recruitment Plan.” It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.

The parent company disclosed the breach on March 17 in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA’s popular SecurID security service. As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China. They also linked the RSA attack to the penetration of computer networks at some of RSA’s most powerful defense-contractor clients—among them, Lockheed Martin, Northrop Grumman, and L-3 Communications. Few details of these episodes have been made public.

The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty. Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government. In some cases, the evidence suggests that government and military groups are executing the attacks themselves. In others, Chinese authorities are merely turning a blind eye to illegal activities that are good for China’s economy and bad for America’s. Last year Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit Intel, Morgan Stanley, and several dozen other corporations. (The attack was given that name because the word “aurora” appears in the malware that victims downloaded.) Earlier this year, details concerning the most sweeping intrusion since Operation Aurora were discovered by the cyber-security firm McAfee. Dubbed “Operation Shady rat,” the attacks (of which more later) are being reported here for the first time. Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits—or for fear of offending the Chinese and jeopardizing their share of that country’s exploding markets. The U.S. government, for its part, has been fecklessly circumspect in calling out the Chinese.

A scattered alliance of government insiders and cyber-security experts are working to bring attention to the threat, but because of the topic’s extreme sensitivity, much of their consciousness-raising activity must be covert. The result in at least one case, according to documents obtained by Vanity Fair, has been a surreal new creation of American bureaucracy: government-directed “hacktivism,” in which an intelligence agency secretly provides information to a group of private-sector hackers so that truths too sensitive for the government to tell will nevertheless come out.

This unusual project began in March, when National Security Agency officials asked a private defense contractor to organize a cadre of elite non-government experts to study the RSA cyber-attacks. The experts constituted a SEAL Team Six of cyber-security and referred to their work as Operation Starlight. “This is the N.S.A. outsourcing the finger-pointing to the private sector,” says one person who was invited to join the group and has been privy to its e-mail logs. The N.S.A. provided Operation Starlight with the data it needed for its forensic analysis.

Operation Starlight’s secret “Working Draft Version 0.2” report, dated April 4, 2011, has a cover page that bears a galactic image resembling a meteor-pockmarked moon. The source who provided Vanity Fair with the document emphasized that the draft is just that—a draft—and said that Starlight’s provisional conclusions are subject to change. (The source also says that Operation Starlight’s analysis will continue for a matter of months, and possibly as long as a year.) As of April, however, the draft report argued that the RSA hacks represent an “organized, concerted campaign on behalf of China.” It also suggested that RSA had been under attack, perhaps by different groups, for months prior to the attack that the company acknowledged in March. In July, in the lengthiest interview that RSA officials have given since their troubles began, executive chairman Art Coviello and EMC chief security officer Dave Martin resisted those suggestions. Coviello admitted that the SecurID hack was preceded in March by “pretty heavy-duty reconnaissance.” He refused to say specifically when the attack began or ended, but described the duration as “a matter of days, not weeks.” He agreed that the evidence suggested that the SecurID attack had come from a nation-state, but declined to accuse a specific country.

“The Adversary”

If you were designing a new jet fighter for Lockheed Martin, sooner or later you would have to travel to an air-force base to talk to military personnel about what they want the new jet fighter to do. Meetings over, you’d go back to your hotel room, fire up your laptop, and log on to Lockheed’s remote network to get some work done. In order to log on, you’d have to glance down at an inch-long red-white-blue-and-gray plastic key-chain fob, shaped vaguely like a key, on which a little L.E.D. screen displays strings of six to eight digits that change every minute or so. Adding those numbers to the basic password that you’d memorized, you would type the whole hybrid string of characters into the Lockheed-network log-in box—and then you would be in. That key fob, called a SecurID token, is RSA’s best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.

Each numeric string is called a “one-time password,” and, when entered in combination with your own chosen password, it bumps up your network’s security by means of “two-factor authentication.” As of March 2011, RSA commanded 70 percent of the market for this form of security. More than 25 million of these tokens are in circulation, and for years they have been used by most U.S. intelligence and military officers, defense contractors, White House officials, and Fortune 500 executives.
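The two paragraphs above describe the moving parts of a hardware token: a per-token secret seed, a clock, a short numeric code that rotates every interval, and a log-in that combines that code with a memorized password. The following is an added example, not code from the article or from RSA, and it does not reproduce the SecurID algorithm, which is proprietary. It uses the public RFC 6238 time-based one-time-password construction (HMAC-SHA1 over a time counter) as a stand-in, assumes a 60-second rotation to match the article's "every minute or so", and the `TokenServer` class and its enrollment records are a constructed verifier rather than any real product.

```python
"""Added example: an RFC 6238 TOTP token and a two-factor verifier.

The token side shows how the code on the fob is derived from the seed
and the clock; the server side shows why both factors are checked
independently: a correct token code with the wrong memorized PIN, or
the right PIN with a stale code, is rejected.
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # assumption: the code rotates once a minute
DIGITS = 6          # assumption: six-digit codes


def totp_code(seed: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Constructed verifier holding, per user, a salted PIN hash and the token seed."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, bytes]] = {}

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)
        self._users[user] = (pin_hash, salt, seed)

    def verify(self, user: str, passcode: str, now: int, window: int = 1) -> bool:
        """Accept '<PIN><code>' only if the PIN matches and the code is within
        `window` steps of the server clock. Both checks always run, so a
        failure does not reveal which factor was wrong."""
        record = self._users.get(user)
        if record is None or len(passcode) <= DIGITS:
            return False
        pin_hash, salt, seed = record
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]

        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.PBKDF2_ROUNDS)
        pin_ok = hmac.compare_digest(pin_hash, candidate)

        # Tolerate small clock drift between fob and server, never more.
        code_ok = False
        for drift in range(-window, window + 1):
            expected = totp_code(seed, now + drift * STEP_SECONDS)
            code_ok |= hmac.compare_digest(code, expected)
        return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values: a 20-byte seed and a user PIN.
    seed = bytes(range(20))
    server = TokenServer()
    server.enroll("engineer", "4321", seed)
    t = 1_700_000_000
    code = totp_code(seed, t)
    print("fob shows:", code)
    print("PIN+code accepted:", server.verify("engineer", "4321" + code, t))
    print("wrong PIN rejected:", not server.verify("engineer", "0000" + code, t))
    print("stale code rejected:", not server.verify("engineer", "4321" + code, t + 3 * STEP_SECONDS))
```

The design point worth noticing is that the seed is the long-lived secret: it never leaves the server's enrollment record or the fob, and the code printed on the screen is only a short-lived function of it. The verifier evaluates the PIN check and the code check separately and combines them at the end, so a log-in fails unless both factors are right, which is the property the article's "two-factor authentication" refers to.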

So it was of great concern to many of the world’s most powerful people when, on the same day the company alerted the S.E.C., executive chairman Coviello posted an open letter to customers on RSA’s Web site, announcing that the company’s security system had identified “an extremely sophisticated cyber attack in progress,” an attack that “resulted in certain information being exported from RSA’s systems,” some of which was “specifically related to RSA’s SecurID two-factor authentication products.”

The letter was so vague and judiciously bland that many readers assumed what the later Lockheed hack seemed to suggest: that SecurID’s seed-key algorithm and some, if not all, of its seed-key database may have been stolen. RSA executives have consistently refused to say precisely what the company lost. Coviello did say in an interview that “the information taken, in and of itself, would not allow a direct attack.” An attacker, he went on, “would have had to get other information that only the customer had in their possession.” To weaponize the stolen SecurID information would require a strategy of coordinated intrusions, involving attacks not just on RSA but also preliminary attacks on every other target company—something that seemed so complicated as to be almost impossible. Yet within two months, the impossible had come to pass. Attackers, whom security experts often refer to in the satanic singular as “the Adversary,” had broken into Lockheed Martin’s network using SecurID information stolen from RSA.